Changes between Initial Version and Version 1 of Ticket #10836, comment 14


Timestamp: Feb 12, 2014, 4:42:48 PM (6 years ago)
Author: ben
  • Ticket #10836, comment 14

    initial v1  
    55> Don't check DNS MX records for mail configurations. This may need some rethinking for DNSSEC.
    66
    7 Likewise, this will break **all** hosted domains. I know it's weak, but this part is actually important. The attack surface is reduced by the fact that Mozilla's server makes the MX lookup, and the result comes via HTTPS. (If Mozilla ever implements arbitrary DNS lookups, we could do both and compare the two results.)
     7Likewise, this will break **all** hosted domains, even those hosters in the ISPDB, and a number of vanity domains (@iamcool.com etc.). I know it sounds weak security-wise, but the attack surface is reduced significantly by the fact that Mozilla's server makes the MX lookup, and the result comes via HTTPS. (If Mozilla ever implements arbitrary DNS lookups, we could do both and compare the two results.)
    88
    99I don't hope for DNSSEC anymore. (Very broken concepts in the spec, which hinders deployment.)