tomfoolery wrote: ↑Fri Jan 15, 2021 12:10 am
Any idea what this means:
"Wire uses load balancers that return dynamic IP addresses for these domain names,"
How are these load balancers identified? Are they part of a DNS server's lookup? Potential to be DNS hijacked?
Sounds like they're using DNS-based load balancers. When you ask their DNS server for the address of wire.com, the DNS server has some way of knowing which wire.com servers are busy and which are not, and gives you the address of a less-busy one.
I don't think this scheme is any more likely to be hijacked than a non-load-balancing DNS setup. My bigger point is that when you use the Wire app, you have no way of knowing whether the system the app is connecting to on the backend is actually Wire. The browser, on the other hand, will give you a big hairy warning if you end up connecting to a system that isn't Wire (based on the server's certificate).
It looks like Wire is not using DNSSEC to prevent DNS hijacking, which I'm a little perplexed by, but they do use HSTS and HSTS preloading. That should mitigate any potential DNS hijacking, but only if the client checks the server's certificate. Again, the browser always will. The Wire app probably does as well, but again, you can't tell.
In general, many apps connect to backend services, and sadly the default for a lot of software code libraries is to not check the server's certificate. And I'm sure many of them don't. Always best to use the browser instead.
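The reply above leans on two browser behaviours: HSTS (with preloading) forces https for a host regardless of what DNS hands back, and the resulting TLS handshake only means anything if the certificate is verified. The following is an added example, not code from the thread or from Wire, showing the HSTS half: a small parser for the Strict-Transport-Security header (RFC 6797 directives: max-age, includeSubDomains, plus the non-standard preload token) and a policy cache that decides whether a URL must be upgraded to https. Hostnames, headers and timestamps in it are constructed for illustration; a real client must only feed `observe()` headers received over a successfully verified HTTPS connection, which is exactly the certificate check the post says many app libraries skip.

```python
"""HSTS policy parsing and enforcement (added illustration, not from the thread)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    expires: float            # absolute time in seconds since the epoch; inf for preloaded
    include_subdomains: bool
    preload: bool


def parse_hsts(host: str, header: str, now: float) -> Optional[HstsPolicy]:
    """Parse one Strict-Transport-Security header value for `host`.

    Returns None when the header is unusable (missing, duplicated or
    non-numeric max-age), in which case RFC 6797 says to ignore it.
    Directive names are case-insensitive; unknown directives are skipped.
    """
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_sub, preload)


class HstsCache:
    """Per-host HSTS state, seeded with a constructed stand-in for the preload list."""

    def __init__(self, preloaded=()):
        self._policies = {}
        for host, include_sub in preloaded:
            # Preloaded entries ship with the client and never expire.
            self._policies[host.lower()] = HstsPolicy(host.lower(), float("inf"), include_sub, True)

    def observe(self, host: str, header: str, now: float) -> None:
        """Record a header. Call this only for responses over verified HTTPS."""
        policy = parse_hsts(host, header, now)
        if policy is None:
            return
        if policy.expires <= now:           # max-age=0 tells the client to forget the host
            self._policies.pop(policy.host, None)
        else:
            self._policies[policy.host] = policy

    def is_known(self, host: str, now: float) -> bool:
        """True if `host` itself, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def enforce(self, url: str, now: float) -> str:
        """Rewrite an http URL to https when HSTS applies; otherwise return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname if parts.port == 80 else parts.netloc   # port 80 -> default 443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache(preloaded=[("preloaded.example", True)])   # constructed entry
    t = 1_700_000_000.0
    cache.observe("app.example", "max-age=31536000; includeSubDomains; preload", t)
    print(cache.enforce("http://api.app.example/login", t))      # upgraded to https
    print(cache.enforce("http://other.example/", t))             # no policy, unchanged
```

`enforce()` runs before any DNS lookup or socket is opened, which is why a hijacked answer for a known host cannot downgrade the connection; what it cannot do is decide whether the certificate presented afterwards is genuine, so the verification step the reply worries about still has to be on.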