Perhaps some accelerated effort would and could usefully be directed towards securing dns? Is it not the case that secure dns would sidestep the majority of the problem resulting from this CA problem? After all if browsers were only able to point at the "official" website instead of an illegal one, then the user would not need to check for fraudulent certs in the first place?
How are we doing generally in bringing in dnssec or a more advanced version of the same idea?
Posted Sep 8, 2011 22:27 UTC (Thu) by tialaramex (subscriber, #21167)
DNSSEC is deployed. The root is signed, many major TLD registries are equipped for DNSSEC. However, registrars are mostly in a cut-throat price war. The customer service overhead of teaching customers about DNSSEC isn't paid for by the dubious benefits of offering it. So there's an excellent chance that if you have a domain in a popular TLD today via a registrar, there's no way to get DNSSEC working with that domain without changing registrar.
This will probably change gradually, with better tools and increasing customer awareness. Today example.com, and fedoraproject.org - tomorrow Google and your banks, some day your blog.
On the client things are similarly slow moving. Enthusiasts have working DNSSEC in their client software today, but the average person does not. In the medium term the goal is that most users will go via their ISP's DNS server, and the queries performed by that server will be secured with DNSSEC, but obviously if your adversary is the government, the ISP is probably compromised anyway, so this doesn't help you.
Technically it's a done deal. Typing "ssh foo.bar.baz" and knowing you're only trusting bar, baz and the root to identify this "foo.bar.baz" machine works right now, on the public Internet (though obviously not for that made up address). But translating that into an ordinary user typing "www.facebook.com" into their browser and definitely getting the privacy-infringing social network site, not an Iranian impostor, may be years off even if we get agreement that it's desirable.
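As an added illustration of the chain tialaramex describes (trusting bar, baz and the root to vouch for foo.bar.baz), here is a Python sketch that is not from the original thread. It models only the DS-to-DNSKEY link at each zone cut, using the RFC 4034 key tag and the SHA-256 DS digest; the key bytes are constructed stand-ins, the zone names are the made-up ones from the comment, and RRSIG signature verification and NSEC proofs are left out.

```python
import hashlib
import struct

SHA256_DS = 2  # DS digest type 2 = SHA-256 (RFC 4509)
KSK_FLAGS, PROTOCOL, ECDSAP256SHA256 = 257, 3, 13


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey):
    """The DS a parent publishes for a child's DNSKEY: (key tag, algorithm, digest type, digest)."""
    flags, protocol, algorithm, pubkey = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, SHA256_DS, digest)


def ds_covers_dnskey(owner, ds, dnskey):
    """True if a DS (from the parent zone or a trust anchor) matches this child DNSKEY."""
    return ds == make_ds(owner, dnskey)


def validate_chain(zones, trust_anchor, target):
    """Walk root -> ... -> target, checking each zone's DNSKEY against the DS published above it.

    Returns (True, zones_checked) or (False, zone_where_the_chain_broke).
    """
    labels = [l for l in target.lower().rstrip(".").split(".") if l]
    # Candidate zone cuts from the root downwards, e.g. ".", "baz.", "bar.baz.", "foo.bar.baz."
    cuts = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    checked, parent = [], None
    for zone in cuts:
        if zone not in zones:
            break  # no zone cut here (a host name inside the last zone), nothing more to check
        expected = [trust_anchor] if parent is None else zones[parent]["ds"].get(zone, [])
        if not any(ds_covers_dnskey(zone, ds, zones[zone]["dnskey"]) for ds in expected):
            return False, zone  # the DS above does not vouch for the key below
        checked.append(zone)
        parent = zone
    return True, checked


def sample_key(seed):
    """Constructed stand-in for public key bytes (real keys are RSA/ECDSA material)."""
    return hashlib.sha256(seed).digest()


# Constructed zones: the root signs over "baz.", which signs over "bar.baz.".
ROOT_KEY = (KSK_FLAGS, PROTOCOL, ECDSAP256SHA256, sample_key(b"root"))
BAZ_KEY = (KSK_FLAGS, PROTOCOL, ECDSAP256SHA256, sample_key(b"baz"))
BAR_BAZ_KEY = (KSK_FLAGS, PROTOCOL, ECDSAP256SHA256, sample_key(b"bar.baz"))
ZONES = {
    ".": {"dnskey": ROOT_KEY, "ds": {"baz.": [make_ds("baz.", BAZ_KEY)]}},
    "baz.": {"dnskey": BAZ_KEY, "ds": {"bar.baz.": [make_ds("bar.baz.", BAR_BAZ_KEY)]}},
    "bar.baz.": {"dnskey": BAR_BAZ_KEY, "ds": {}},
}
TRUST_ANCHOR = make_ds(".", ROOT_KEY)  # the one DS a validator is configured to trust


def impostor_zones():
    """Same tree, but bar.baz. now serves a key the parent never published a DS for."""
    rogue = dict(ZONES)
    rogue["bar.baz."] = {"dnskey": (KSK_FLAGS, PROTOCOL, ECDSAP256SHA256, sample_key(b"impostor")), "ds": {}}
    return rogue


if __name__ == "__main__":
    print("genuine:", validate_chain(ZONES, TRUST_ANCHOR, "foo.bar.baz."))
    print("impostor:", validate_chain(impostor_zones(), TRUST_ANCHOR, "foo.bar.baz."))
```

The genuine tree validates through ".", "baz." and "bar.baz.", while the impostor tree fails at "bar.baz." because the DS that baz. publishes does not match the substituted key; that mismatch is the whole point of the chain, and it holds without any CA being involved.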
Certificates and "authorities"
Posted Sep 9, 2011 0:07 UTC (Fri) by mtaht (✭ supporter ✭, #11087)
Getting your dns signed with dnssec has become easier and easier with the more current versions of bind.
In fact, both bufferbloat.net (running on an x86_64 box) and http://jupiter.lab.bufferbloat.net (running on a mips-based cerowrt box) are now signed, and the overhead seems non-existent.
Comcast is running a set of dnssec enabled dns servers now, as well, which work great as forwarders.
dns.comcast.net
There is a tool for firefox that can validate if your dns is signed, here: