If you follow best practice, compromise of a DNS server does not lead to compromise of DNSSEC for that zone, as the zones should be signed on a separate server. There should be no keys on the public DNS server.
Posted Mar 31, 2011 22:40 UTC (Thu) by Simetrical (guest, #53439)
Okay, granted. I should have said that you have to compromise Google's servers, not specifically its nameservers. The point is the same, that you have to target specific servers and don't get to pick the weakest out of a very large group, so your attack surface drops drastically. Of course, the signing servers aren't going to be Internet-accessible, so will probably be even harder to exploit than the nameservers. But exploiting the nameservers of a huge and well-run shop like Google would already be a pretty difficult feat for even a well-funded criminal hacker group (although maybe not for some governments).