惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
aimingoo的专栏
aimingoo的专栏
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
GbyAI
GbyAI
阮一峰的网络日志
阮一峰的网络日志
Engineering at Meta
Engineering at Meta
IT之家
IT之家
V
Visual Studio Blog
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
A
About on SuperTechFans
博客园 - 聂微东
Blog — PlanetScale
Blog — PlanetScale
N
News and Events Feed by Topic
A
Arctic Wolf
WordPress大学
WordPress大学
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
D
Darknet – Hacking Tools, Hacker News & Cyber Security
F
Fortinet All Blogs
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Y
Y Combinator Blog
T
Threat Research - Cisco Blogs
Latest news
Latest news
Simon Willison's Weblog
Simon Willison's Weblog
Cyberwarzone
Cyberwarzone
S
Schneier on Security
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
L
Lohrmann on Cybersecurity
Stack Overflow Blog
Stack Overflow Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Privacy International News Feed
J
Java Code Geeks
Spread Privacy
Spread Privacy
宝玉的分享
宝玉的分享
I
Intezer
L
LangChain Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
G
GRAHAM CLULEY
博客园 - 叶小钗
博客园 - 三生石上(FineUI控件)
The GitHub Blog
The GitHub Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
Security Archives - TechRepublic
Security Archives - TechRepublic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Lobsters

CIFSwitch: a non-universal Linux local root vulnerability RIPE NCC session fixation: poaching logins with an Atlas probe GNOME 2.20 but its Web Components Agentic Search for Context Engineering – Leonie Monigatti Garnix is shutting down [not OC] akashina.tngl.sh/jjc Concerning Emacs (and Jazz) Nitpicking the shell history scene in ‘Tron: Legacy’ What's cooking on SourceHut? Q2 2026 The tenth OpenPGP email summit Package managers that package package managers Clojure on Fennel part three: parsing WordPress at 23 Finding Miscompiles for Fun, Not Profit GitHub - creusot-rs/creusot: Creusot helps you prove your Rust code is correct. Announcing Rust 1.96.0 | Rust Blog A Love Letter to Neovim sqlite AGENTS.md Am I a Bad Friend? CSS vs. JavaScript • Josh W. Comeau Erlang Ecosystem Foundation - Supporting the BEAM community A brief note about slot access cost in Common Lisp Keyboard latency probe Rethinking the GNOME clipboard issues Back to the Building Blocks’ Building Blocks Tech Notes: Theseus: translating win32 to wasm Fast is better than slow Content-addressed Rust builds (or, what kache actually caches) Intent to Prototype: Embedding API Canada’s Bill C-22 and the security cost of collecting more data 5 PostgreSQL locking behaviors that trip people up okmij.org Stop advertising in your commits! | AksDev GitHub - mplsllc/macsurf: A modern web browser for Classic Mac OS 9 PowerPC. Real CSS3, ES5 JavaScript, native HTTPS — built with CodeWarrior on the Carbon API. Introducing DoomBench - Can Your Data Stack Run DOOM? What are some of your favourite developer tools? Building a Scalable Ingestion Pipeline with Temporal (Part 1) Converting shallow Git bundles into normal repositories Are you a member of any professional associations? What is a harmonic? An interactive comic about additive synthesis How Virtual Tables Work in the Itanium C++ ABI Using SwiftUI to Build a Mac-assed App in 2026 Rust (and Slint) on a jailbroken Kindle. ~jack/lambda-on-lambda - Serverless Haskell on AWS - sourcehut git Human proof for FOSS contributions Extremely simple internet radio controlled via IRC Announcing BABLR Splitting Konsole views from Helix to run tools | AksDev GitHub - yugr/rust-slides Serving files over HTTP three ways: synchronous, epoll, and io_uring update docs with information about building with build.py (#979) · astral-sh/python-build-standalone@c9c40c5 A Simple Makefile Tutorial On C extensions, portability, and alternative compilers Switching to Colemak | Pedro Alves Just How Bad Was The Intel IAPX432? Nix's Substituter List Is Not a Routing Table Accelerating copy_if using SIMD Lambda on Lambda: Serverless Haskell on AWS | Blog Announcing feed-repeat v1.0 Scaling Akvorado BMP RIB with sharding EYG news: A host of CLI improvements, new guides and new effects The social contract of writing JS Crossword C array types are weird; and related topics Flatpak will depend on systemd – OSnews Migrating from Go to Rust | corrode Rust Consulting A portentous reunion Vivado Licensing Options How my minimal, memory-safe Go rsync steers clear of vulnerabilities the entropy layer of a wavelet codec, on its own GitHub - nferhat/fht-compositor: A dynamic tiling Wayland compositor. Debian SE Linux and PinTheft Does bulk memmove speed up std::remove_if? (No.) 声明式部分更新 | Blog | Chrome for Developers Fully in-browser container builds Dianne Skoll's Web Site - Remind The Architecture of Open Source Applications (Volume 1)Berkeley DB Pardon MIE? - ironPeak Blog “Long-Term Support” doesn’t mean what you think Jira IS Turing-Complete May I recommend thinking of Emacs as your Fortress of Solitude hershey Floodgap Gopher-HTTP gateway gopher://thelambdalab.xyz/1cuneiforth/ HP QuickWeb, Singular And Pointless That one time I used Go panics for flow control A new suite of modern tools coming for editing and publishing RFCs From the Tabletop… The Digital Antiquarian Building a Host-Tuned GCC to Make GCC Compile Faster Are we self-sovereign PKI yet? Claw Patrol: an open-source security firewall for agents | Deno Revised^7 Report on Scheme, Large: Procedural Fascicle Draft is now public A Network Allow-List Won't Stop Exfiltration — André Graf From AFSK to Goertzel – µArt.cz Software For My New Home Server Introducing Neptune: Direct3D virtualization for QEMU AI Agent Bankrupted Their Operator While Trying to Scan DN42 - Lan Tian @ Blog mimalloc: A new, high-performance, scalable memory allocator for the modern era Making wl_shm fast The Soul of Maintaining a New Machine - Third Draft | Books in Progress What is Git made of?
Ignore DNSSEC if you like MITM attacks
whynothugo.n · 2026-06-25 · via Lobsters

One day around 2010, we experimented at work with ARP poisoning and intercepting traffic for other hosts on the network at work. We immediately saw all traffic flowing through the network. Between all that data, we caught a glace of bits of messages of a few colleagues talking to their families over MSN Messenger. Shit, we didn’t mean to spy on anyone, we were trying to understand our network security better. The experience was unsettling.

Hubs and open Wi-Fi networks were also still common back then, and listening to traffic on those didn’t even require ARP poisoning: it could be done entirely passively by just listening.

I learnt about HTTPS around that time, and it was obvious to me that it made a huge difference. If we were exposing a service to either clients or loved ones, we needed to use TLS to ensure that the services were secure.

Yet, HTTPS continuously faced resistance. “It’s complex and hard to debug when it fails”. “If we get it wrong, our services become unreachable”. “We have to renew certificates in time or the service goes done”. “It adds overhead and delays”.

The arguments against HTTPS were always the same, mostly based on fear and [an understandable] lack of experience.

These are the exact same arguments that I hear against DNSSEC every time the topic comes up.

Impact of ignoring DNSSEC on email

[permalink]

When I configure an email client, I provide my email and password. The client automatically resolves the IMAP and SMTP servers using SRV records and connects to that server.

If I’m not using DNSSEC, an attacker can spoof these DNS responses and point my email client to smtp.evilattacker.com. When the email client connects to the server, the TLS handshake succeeds just fine: the server properly presents a certificate for smtp.evilattacker.com.

If you’re paying attention to which server your client uses, this is easy to spot. A bit less easy if perhaps they use smtp.gmaill.tech and you’re using Gmail. For every human being who’s never heard of DNSSEC (i.e.: 99% of the human population), these attacks are entirely invisible.

On the other side of email, when a server sends an email to another, it does so by querying the MX records of a domain. Again, when my email server checks for the recipient’s MX server via DNS, an attacker can poison the response, and now my email server will connect to the attacker’s server instead. In this particular case, the attacker’s email likely won’t be able to forward intercepted traffic (due to how anti-spam rules work), so this kind of attack leaves more evidence (by virtue of emails not being delivered), but is still perfectly feasible.

In this last case, I’ll note that MTA-STS can help on some specific cases, even in the absence of DNSSEC, but can easily be circumvented in many scenarios.

Impact on Matrix

[permalink]

The Matrix communication protocol follows the same approach to delegation, and is exposed to MITM attacks in the same way.

To be clear: there’s nothing wrong with Matrix’s approach here: it’s using an industry standard approach. The issue is service providers and local resolvers ignoring DNSSEC.

Impact on XMPP

[permalink]

XMPP is really weird in this sense, and is not vulnerable in the same way. If I delegate my domain to someone else’s server, that server needs to expose a TLS certificate for my own domain, not for the target domain where I’m delegating. Even with DNS spoofing, the worst that can happen is DOS, but not MITM.

The odd aspect of this, is that if I want to delegate XMPP for my domain to someone else, I need to also grant the capabilities to provision TLS certificates for my domain.

Distributions and OSs

[permalink]

It really bothers me that almost all distributions and operating systems don’t validate DNSSEC by default. The above attacks are feasible on almost anyone, purely because of lousy defaults.

Using a third party external validating resolver doesn’t make sense. Not just because that third party can easily spoof responses, but because traffic can easily be intercepted too. It’s like using plain-text HTTP to a “trusted” server which strips out HTTPS. The whole chain is as strong as its weakest link.

Personally, I use a local validating instance of unbound(8) on each host. unwind(8) is also a neat choice.