Protect Yourself Against MITM Attacks
<blockquote data-quote="DeepWeb" data-source="post: 650263" data-attributes="member: 63811">
<p>Just make sure your connection is HTTPS using TLS and it will get validated that way. Any site that cannot be validated will not be resolved using HTTPS and your browser will tell you that it could not connect or reset the connection or connection timeout.</p>
<p>I would also argue to worry less about the last mile from DNS resolver to your PC. Worry more about what your DNS resolver does. If you have DNSCrypt but your resolver doesn't use DNSSEC, what's the point? Your resolver gets fooled and will send you the wrong address. If your DNS resolver validates DNSSEC, you get herd immunity by it validating all queries it receives for you before they get sent to you.</p>
<p>This is another example where you choose between privacy and security. If you want security, actually your ISP has DNSSEC-validating resolvers that are the least likely to be spoofed because they have the experience, they log traffic to pay attention to criminals, and it would hurt their image the most if people found out that their traffic gets routed to the wrong place. Your ISP's DNS resolvers also can only be accessed by subscribers like you, which further reduces the attack surface. Finally, most ISP DNS resolvers will reject pings and other queries, making them practically invisible on the web. If you don't believe me, test them here: <a href="https://www.grc.com/dns/dns.htm" target="_blank">GRC | DNS Nameserver Spoofability Test</a></p>
<p>Long story short, your ISP's DNS resolvers are the most secure but also the least private when it comes to govt surveillance and logging. Those other DNSCrypt resolvers may be more private but also easier to fall victim to DNS cache poisoning because they are run by volunteers, not billions in revenue from paying customers. Unless you are on public wifi I wouldn't worry. If you are on public wifi, VPN is a must anyway. :)</p>
</blockquote>
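<p>One way to check whether a given resolver validates DNSSEC, as the post above recommends caring about. This is an added example, not part of the original post: it sends a query with the EDNS0 DO bit set and reads the AD flag and RCODE of the reply. The function names and the constructed sample replies are assumptions for illustration.</p>

```python
import secrets
import socket
import struct

QR_FLAG = 0x8000   # header bit: this packet is a response
RD_FLAG = 0x0100   # header bit: recursion desired
AD_FLAG = 0x0020   # header bit: resolver authenticated the data (RFC 4035)
DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK" bit, carried in the OPT record TTL (RFC 3225)

def build_query(name, txid, qtype=1):
    """Build a recursive query for `name` with an EDNS0 OPT record, DO=1."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # class IN
    # OPT RR: root owner, type 41, class = UDP size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_FLAG, 0)
    return header + question + opt

def classify_response(packet, txid):
    """Interpret the reply header: did the resolver vouch for the answer?"""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & QR_FLAG:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"        # what a validating resolver returns for bogus data
    if rcode != 0:
        return f"rcode-{rcode}"
    return "validated" if flags & AD_FLAG else "not-validated"

def ask(resolver_ip, name, timeout=3.0):
    """Query a live resolver over UDP (needs network; not used by the samples)."""
    txid = secrets.randbits(16)  # unpredictable ID, so blind spoofing is harder
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver_ip, 53))  # only accept replies from this address
        s.send(build_query(name, txid))
        return classify_response(s.recv(4096), txid)

def sample_reply(flags, txid=0x1234):
    """Constructed 12-byte reply header for offline checks (not real traffic)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
```

<p>A resolver that validates returns "validated" for a signed zone and "servfail" for a zone with deliberately broken signatures. The AD flag is only as trustworthy as the path between you and the resolver, since it is not itself signed.</p>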