<vim7jd$3t1l3$1@dont-email.me>

Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Lawrence D'Oliveiro <ldo@nz.invalid>
Newsgroups: comp.misc
Subject: Re: [LINK] Calling time on DNSSEC?
Date: Tue, 3 Dec 2024 06:14:06 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 10
Message-ID: <vim7jd$3t1l3$1@dont-email.me>
References: <67464f37@news.ausics.net>
	<vi68n4$k3r$1@tncsrv09.home.tnetconsulting.net>
	<wwva5dlul1r.fsf@LkoBDZeT.terraraq.uk>
	<vi8tkg$8ha$1@tncsrv09.home.tnetconsulting.net>
	<wwva5dj91v4.fsf@LkoBDZeT.terraraq.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 03 Dec 2024 07:14:06 +0100 (CET)
Injection-Info: dont-email.me; posting-host="c96be26192a45ce8d8c08f341d719685";
	logging-data="4097699"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/y1wgebCCL+VkQednJMDsm"
User-Agent: Pan/0.161 (Chasiv Yar; )
Cancel-Lock: sha1:rxwzAAqAkYYr2LC5xijzEiXSQSw=
Bytes: 1590

On Thu, 28 Nov 2024 08:52:31 +0000, Richard Kettlewell wrote:

> DNS + TLS does solve it, sufficiently well. (Using TLS to include
> Internet PKI.)

Nobody uses PKI. TLS has a hole in it, in that the SNI, “Server Name 
Indication” (the “Host:” line in the HTTP request header) has to be sent 
unencrypted. This allows eavesdroppers, like authoritarian Government 
regimes, to determine when you are trying to access a prohibited service, 
and block it before the encrypted connection can be set up.