SN 951: Revisiting Browser Trust

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Man, the discussion of the whole browser trust ecosystem is alarming, even without the EU adding all those certificate authorities.

I’m sure you guys understand this better than I do but, as my pea-sized brain understands it, you’d be able to get a cert that impersonates any site, e.g. twit.tv, and then arrange to poison DNS in order to send people to your server as opposed to TWiT’s.

The obvious flaw with this plan comes in the form of DoH which, I thought, Firefox and Chrome both support by default. So, unless you can poison DoH, then I don’t really see what the problem is. I suppose your ISP could block the port DoH uses and it’d fallback to regular old DNS, but doesn’t DoH use port 443?

Firefox has built-in CAs that apparently cannot be deleted? Examples:
BEIJING CERTIFICATE AUTHORITY
China Financial Certification Authority
GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.
Hongkong Post Root CA 3


DoH is just a protocol layer in front of basic DNS. If you can poison DNS, you can poison any results delivered from it, no matter the protocol in front.

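As an added illustration of the point in the reply above (this is example code written for this page, not part of any post in the thread): a DoH request carries exactly the RFC 1035 wire-format DNS message that plain UDP port 53 DNS carries, either base64url-encoded in a GET query string or as an `application/dns-message` POST body (RFC 8484). The resolver URL `https://dns.example/dns-query` is a placeholder, the IP addresses are RFC 5737 documentation addresses, and both the "honest" and the "forged" responses are constructed locally, so nothing goes over the network. The transport wrapper is byte-for-byte the same for either answer, and the client parses both the same way, which is the whole point: HTTPS protects the hop to the resolver, not the truthfulness of what the resolver says.

```python
import base64
import struct

# Constructed example: RFC 1035 wire format wrapped per RFC 8484. No packets are sent.
RESOLVER_URL = "https://dns.example/dns-query"  # placeholder, not a real resolver


def build_query(name, qtype=1, txid=0):
    """Build a DNS query in RFC 1035 wire format (qtype 1 = A record, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def doh_get_url(query, resolver_url=RESOLVER_URL):
    """RFC 8484 GET form: the same wire bytes, base64url-encoded with padding stripped."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}"


def doh_post_request(query):
    """RFC 8484 POST form: the wire bytes are the body, unchanged."""
    headers = {"content-type": "application/dns-message",
               "accept": "application/dns-message"}
    return headers, query


def build_response(query, ip, ttl=300):
    """Construct a response the way any resolver (honest or poisoned) would:
    echo the question, then one A record pointing at the question name."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, ANCOUNT=1
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer to offset 12, where the question name starts.
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + rr


def _read_name(msg, offset):
    """Read a possibly-compressed name; return (name, offset after the name field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Parse header, skip the question section, return the A answers as tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in rdata), ttl))
        else:
            answers.append((name, rtype, rdata.hex(), ttl))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def same_wrapper_different_answer(name="twit.tv"):
    """Show that the DoH wrapper does not change with the answer's truthfulness."""
    query = build_query(name, txid=0x1234)
    honest = build_response(query, "203.0.113.10")  # documentation address, constructed
    forged = build_response(query, "192.0.2.1")     # documentation address, constructed
    return {
        "get_url": doh_get_url(query),
        "post": doh_post_request(query),
        "honest": parse_response(honest)["answers"],
        "forged": parse_response(forged)["answers"],
    }


if __name__ == "__main__":
    demo = same_wrapper_different_answer()
    print("DoH GET :", demo["get_url"])
    print("DoH POST:", demo["post"][0], demo["post"][1].hex())
    print("honest  :", demo["honest"])
    print("forged  :", demo["forged"])
```

Run it and compare the two parsed answer lists with the single request URL above them: the client sent one request and has no way, from the transport alone, to tell which of the two records is the real one. That is why the poster's observation holds and why pinning or validating the resolver (and DNSSEC-validating the data, where available) matters more than the port number.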

Regarding domain name registration, that is one of the things I really like about the EU registrars, they can only hand out the contact information with a valid EU court warrant.

Regarding DNS, you would have to block the IP addresses of the DNSes you don’t trust at the firewall. Not useful on a mobile device connected to LTE or 5G, of course.

I thought that was just a Nominet thing, but now I think about it, it makes sense that it’d be the whole of Europe too.

It is GDPR. It caused ICANN conniptions when it came into force.

So if you do a WHOIS on a domain the contact info is hidden in the EU? That’s a change.
