Firefox

17605 readers

265 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago

MODERATORS

[email protected]

640

Say (an encrypted) hello to a more private internet. (blog.mozilla.org)

submitted 11 months ago by [email protected] to c/[email protected]

64 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 97 points 11 months ago (27 children)

All well and good, but sadly this relies on the hosts managing DNS to include specific entries in their DNS configuration for keys to use during the encryption process. Unfortunately the vast majority of hosts probably won't be bothered to do this, similar to DNSSEC.

[–] [email protected] 1 points 11 months ago (1 children)

Wouldn't it be better if reverse proxies simply had a "default key" meant to encrypt the SNI after an unencrypted "hello" is received?

Including DNS in this seems weird.

[–] [email protected] 1 points 11 months ago

What would stop a MITM attacker from replacing the key? The server can't sign the key if it doesn't know which domain the client is trusting.

load more comments (25 replies)