On Mon, 2010-08-09 at 12:11 -0700, Adam Williamson wrote:
> On Sun, 2010-08-08 at 11:34 -0700, Matt McCutchen wrote:
> > On Fri, 2010-08-06 at 11:29 -0500, Steve Bonneville wrote:
> > > i.grok@xxxxxxxxxxx wrote:
> > > > Ideally (from this perspective), the host would validate the response itself.
> > >
> > > Exactly, if sshd is sufficiently paranoid it should make a query with
> > > CD set in the request and do all the validation client-side. If you let
> > > your nameserver do the validation, I think it's still possible to MITM
> > > this by messing with the communication between the stub resolver and the
> > > name server, which isn't secured.
> >
> > Not to mention that one has to trust one's own nameserver, which is a
> > bad idea when using a public wireless access point. In order to achieve
>
> I believe that can be simplified to 'using a public wireless access
> point is a bad idea' =)

No, it just means that everything is untrustworthy until proven
otherwise. If you use SSL or equivalent, you're fine.

--
Matt

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
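
The query with CD set that the quoted discussion describes, as it looks on the wire; this is an added example, not code from the thread or from any project it mentions. The function names and the 1232-byte UDP size are assumptions, and the sketch only builds the query and reads header flags (signature validation itself is not shown).

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035)
QR, RD, AD, CD = 0x8000, 0x0100, 0x0020, 0x0010
TYPE_OPT = 41        # EDNS0 pseudo-record type
EDNS_DO = 0x8000     # "DNSSEC OK" bit carried in the OPT TTL field (RFC 3225)
UDP_SIZE = 1232      # assumed advertised UDP payload size


def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid, validate_locally=True):
    """Build a query; validate_locally sets CD and asks for DNSSEC records."""
    flags = RD | (CD if validate_locally else 0)
    arcount = 1 if validate_locally else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if validate_locally:
        # OPT record: root name, type 41, UDP size, TTL with DO set, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_SIZE, EDNS_DO, 0)
    return msg


def header_flags(msg):
    """Return the QR, AD and CD header bits as booleans."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & QR), "ad": bool(flags & AD), "cd": bool(flags & CD)}


def with_ad_set(msg):
    """Copy msg with AD set: the bit is plain header data, covered by no signature."""
    flags = struct.unpack("!H", msg[2:4])[0] | AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:]
```

`with_ad_set` shows why a stub that trusts the resolver's AD bit depends on the stub-to-resolver path being secured: the flag is an unauthenticated header bit, whereas a client that sets CD and DO receives the signature records and can check them itself.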