how do you pick the trusted public-DNS resolver you need for this?
-
-
We operate such a service today. Idea is we resolve these request's host *only* via that path, and cert must line up with resolved IP. Can make it configurable as a (new) group policy (and disableable) for the paranoid. I'm sure there's a hole in this...


1 reply 0 retweets 0 likes -
Replying to @slightlylate @lcamtuf and
are you proposing leaking hostnames to Google independent of normal OS DNS settings?
1 reply 0 retweets 1 like -
Or whomever else you set as your "public only" resolver, yes. If the issue is DNS being overloaded for public/private (and another decade+ of this debate about something *every native app can do*), let's disentangle DNS.
1 reply 0 retweets 0 likes -
Replying to @slightlylate @lcamtuf and
and if the "public only" resolver lies to you, your internal network gets exposed to the internet?
2 replies 0 retweets 0 likes -
Replying to @tehjh @slightlylate and
and how do you pick the default resolver, given that the OS has no infrastructure for telling you what it is? default to Google? what should other browsers do?
1 reply 0 retweets 1 like -
Other browsers can do whatever they think is right for users (e.g., SafeBrowsing). Default situation is these requests fail (as they do today) and some services will run transitional proxies. Others won't. Cest la vie.
1 reply 0 retweets 0 likes -
Replying to @slightlylate @lcamtuf and
IOW, you're creating a mechanism that is kinda useless you're willing to break things for non-Chrome users?
1 reply 0 retweets 1 like -
This is all standards work. New things are defacto unsupported. Turns out making progress on new web features is hard, in part because skepticism about potential for success is pervasive!
2 replies 0 retweets 1 like -
Replying to @slightlylate @lcamtuf and
for normal features, you can fall back when the feature isn't supported. but here, the goal is to remove server-side functionality, which you can't do until all clients support it. so AFAICS the barrier to success is way higher than for normal features
2 replies 0 retweets 1 like
so it won't provide any of the desired benefit for a long time, and at the same time, you're adding a big heap of new complicated infrastructure and security policy changes on the client?
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.