On Aug 22, 2008, at 9:25 AM, Nicholas Weaver wrote:
> And probabilistic protection is perfectly good. We don't need perfect
> protection against blind attacks, we just need to ensure that the
> attacker resources involved are far better spent elsewhere.


This isn't strictly true, because there are on-path non-cache-
poisoning attacks to DNS that are not MitM attacks but that let me
reliably MitM your HTTP connections. And these attacks are easily
prevented with DNSSEC, and completely unpreventable with, e.g., port
randomization.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: