SN 755: Apple's Cert Surprise

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

@Leo and Steve were talking about the reduction in testing of Windows updates, and the knock-on effects in the real world. It appears that it’s worse than that: if this article is correct, there has been no formal testing of cumulative updates since Windows 8. Somehow I feel that really merits an exclamation mark…

Also, Einstein defined insanity as doing the same thing over and over and expecting a different outcome, but he didn’t know about Windows Update. I recently updated a low-spec Windows 10 tablet to 1909, and the update kept failing, with a generic error that explained nothing. Just as Steve mentioned, I eventually got it to work by simply keeping on repeating the update without changing anything. Somewhere around the sixth or seventh attempt, it worked. No idea why.

The real problem with Apple and the certificates is the internal network devices that have locally issued certificates (from an internal domain certificate provider). There is no way to automate the issuance of certificates to switches, routers and other devices, so that is a lot of extra work every year.

I have a question about DoH in Firefox. I recently started using Express VPN. It’s a great service, and I have enjoyed it. When I set up the VPN I noticed that I kept seeing a DNS leak according to Express VPN’s web app. After several hours of troubleshooting with Express VPN’s representatives I remembered that I had enabled DoH a while ago. I turned it off, and that fixed the issue.

TL;DR: Am I better off leaving DoH enabled, or using the Express VPN DNS?


@coldplayer, if you are using a VPN, then I would use DNS over that, since DoH does weaken the VPN: others could see your DNS queries and then try something.

I disabled DoH since it was bypassing my Pi-hole DNS server and allowing ads and tracking cookies into my house. Pi-hole supports DoH to upstream DNS services, so you can have the best of both.


This is actually a very valid point to raise, and as uteck says, you should indeed disable DoH in any other software.

This is something that @Leo should probably mention during the Express VPN ads.

In simple terms, you want to use the DNS that is inside your encrypted tunnel, hence not leaking.
While using a VPN you don’t even need DoH/DoT/DNSCrypt etc., because your DNS requests will be encrypted along with the other traffic.

@uteck It is possible to use DNSCrypt with DoH on a Pi-hole with your favourite blocklists.


+1 for Pi-hole. I have blocked DoH at the firewall on my network; everything is forced to use the local Pi-hole server, which in turn is using DNS over TLS (the same TLS encryption as DoH, just actually using DNS) and DNSSEC to a trusted core DNS server.
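The setup described in the post above (force every client through the local Pi-hole, block DoT and known DoH resolvers at the firewall) can be checked against flow records and rendered as firewall rules. The following is an added example for this thread, not code from any poster or from the Pi-hole project. It assumes a LAN of 192.168.1.0/24 with the Pi-hole at 192.168.1.2, conntrack-style flow lines of the form `proto=udp src=A dst=B dport=N`, and a short list of public resolvers known to serve DoH on TCP/443; the flow lines are constructed, and the nftables text is returned for review rather than applied.

```python
"""Detect DNS traffic that bypasses a local Pi-hole and render matching nftables rules.

Added example for this thread; not code from any poster or from the Pi-hole project.
Assumptions: LAN 192.168.1.0/24, Pi-hole at 192.168.1.2, flow records of the form
'proto=udp src=A dst=B dport=N'. All sample flow lines below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home network
PIHOLE = ipaddress.ip_address("192.168.1.2")    # assumed Pi-hole address

# Public resolvers that serve DoH on TCP/443. Illustrative starting list, not exhaustive:
# DoH to a resolver outside this set looks like any other HTTPS flow and is not caught by IP.
DOH_RESOLVERS = frozenset(ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1",           # Cloudflare
    "8.8.8.8", "8.8.4.4",           # Google
    "9.9.9.9", "149.112.112.112",   # Quad9
))


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value key=value ...' flow record into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["proto"].lower(), ipaddress.ip_address(kv["src"]),
                ipaddress.ip_address(kv["dst"]), int(kv["dport"]))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label if the flow bypasses the Pi-hole, else None."""
    if flow.src not in LAN or flow.src == PIHOLE:
        return None   # not a LAN client, or the Pi-hole's own upstream (DoT) traffic
    if flow.dport == 53 and flow.dst != PIHOLE:
        return "plain DNS bypass"
    if flow.dport == 853:
        return "DoT bypass"
    if flow.dport == 443 and flow.dst in DOH_RESOLVERS:
        return "DoH bypass (known resolver)"
    return None


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, label) for every flow that should not have left the LAN."""
    findings = []
    for line in lines:
        label = classify(parse_flow(line))
        if label:
            findings.append((line, label))
    return findings


def nft_rules() -> str:
    """Render nftables rules enforcing the same policy the audit checks.

    The Pi-hole itself is exempted from the port-53 redirect; without that exemption
    its own upstream queries would be looped back to itself."""
    lan, ph = LAN, PIHOLE
    doh = ", ".join(str(a) for a in sorted(DOH_RESOLVERS))
    return f"""table inet dns_policy {{
    set doh_resolvers {{ type ipv4_addr; elements = {{ {doh} }} }}
    chain prerouting {{
        type nat hook prerouting priority dstnat; policy accept;
        ip saddr {lan} ip saddr != {ph} udp dport 53 dnat ip to {ph}
        ip saddr {lan} ip saddr != {ph} tcp dport 53 dnat ip to {ph}
    }}
    chain forward {{
        type filter hook forward priority filter; policy accept;
        ip saddr {lan} ip saddr != {ph} tcp dport 853 reject
        ip saddr {lan} ip saddr != {ph} tcp dport 443 ip daddr @doh_resolvers reject
    }}
}}
"""


SAMPLE_FLOWS = [  # constructed flow records
    "proto=udp src=192.168.1.50 dst=192.168.1.2 dport=53",    # goes to the Pi-hole: fine
    "proto=udp src=192.168.1.50 dst=8.8.8.8 dport=53",        # device with a hard-coded resolver
    "proto=tcp src=192.168.1.51 dst=1.1.1.1 dport=443",       # browser DoH to Cloudflare
    "proto=tcp src=192.168.1.52 dst=9.9.9.9 dport=853",       # client doing DoT on its own
    "proto=tcp src=192.168.1.2 dst=9.9.9.9 dport=853",        # Pi-hole's own DoT upstream: allowed
    "proto=tcp src=192.168.1.51 dst=203.0.113.10 dport=443",  # ordinary HTTPS: not flagged
]

if __name__ == "__main__":
    for line, label in audit(SAMPLE_FLOWS):
        print(f"{label:28s} {line}")
    print(nft_rules())
```

The port-based checks are only as good as the resolver list: DoT is recognisable by its dedicated port 853, but DoH rides on 443 and can only be matched here by destination address, so a client pointed at an unlisted DoH endpoint passes the filter and must be handled in the client's own settings, as earlier posts in this thread describe.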

I was under the impression that podcasters have to read from a script issued by the advertiser. I’m not sure how much latitude they have to add anything, other than a general endorsement, if they want to keep getting the revenue. Maybe someone with more knowledge than me could comment?

@Dr.Flay, looking over my Pi-hole settings, it looks like I misspoke. The Pi-hole does not use DoH, just DNSSEC and ECS to the upstream DNS.
I did find an addon that does add Cloudflare DoH;
Along with the link you posted, you can install DNSCrypt and get both, but not out of the box.


That’s correct, @Clayton. I can’t just stick stuff into an ad. I get some leeway, but I’d have to run something like that past the sponsor.

On the other hand, I can and will mention it on Security Now the next time we talk about DoH! That’s really a more appropriate place to talk about it anyway.


I think that, as it is a general fact relating to VPN use, it is something any VPN provider will want you to do, so I imagine Express VPN will be more than happy that people are reminded.

As encrypted DNS is not needed inside the tunnel, the only thing worth noting would be the state of support for DNSSEC.
@Leo, if they confirm that detail, I would even say that including this info in the advert would add another security tick that others are possibly missing from their ads.
Many ISPs still don’t use DNSSEC, so getting a more secure DNS with a VPN is actually an overlooked bonus.