Cool, an example. But... uh... you don't actually listen to this, do you? 
Replying to @lcamtuf @justinschuh and
I have a dumb thought, allow me to burden you with it! So the issue is "publicness", right? How do we know this fetch won't hit an internal system. How about we force public DNS lookup + TLS? We have a DOH resolver, why not use it here?
2 replies 0 retweets 2 likes
Replying to @slightlylate @lcamtuf and
so an internal service would be considered public if it's reachable over https (which should ideally be the case) and the service has a valid cert for some name in public DNS that points at it? overloading TLS cert meaning with "I trust the owners of these domains"?
1 reply 0 retweets 0 likes
Replying to @tehjh @slightlylate and
how do you pick the trusted public-DNS resolver you need for this?
1 reply 0 retweets 0 likes
We operate such a service today. Idea is we resolve these requests' host *only* via that path, and cert must line up with resolved IP. Can make it configurable as a (new) group policy (and disableable) for the paranoid. I'm sure there's a hole in this...
1 reply 0 retweets 0 likes
Replying to @slightlylate @lcamtuf and
are you proposing leaking hostnames to Google independent of normal OS DNS settings?
1 reply 0 retweets 1 like
Or whomever else you set as your "public only" resolver, yes. If the issue is DNS being overloaded for public/private (and another decade+ of this debate about something *every native app can do*), let's disentangle DNS.
1 reply 0 retweets 0 likes
Replying to @slightlylate @lcamtuf and
and if the "public only" resolver lies to you, your internal network gets exposed to the internet?
2 replies 0 retweets 0 likes
and how do you pick the default resolver, given that the OS has no infrastructure for telling you what it is? default to Google? what should other browsers do?
Other browsers can do whatever they think is right for users (e.g., SafeBrowsing). Default situation is these requests fail (as they do today) and some services will run transitional proxies. Others won't. C'est la vie.
1 reply 0 retweets 0 likes
Replying to @slightlylate @lcamtuf and
IOW, you're creating a mechanism that is kinda useless you're willing to break things for non-Chrome users?
1 reply 0 retweets 1 like · 3 more replies