Appraisal of DNSSEC-based certificate verification

Posted Sep 27, 2013 8:43 UTC (Fri) by shane (subscriber, #3335)
Parent article: Encouraging a wider view

From the article:

Many have claimed that DNSSEC is a solution, but Marlinspike has argued otherwise—the actors are different, but the economic incentives are the same. Instead of trusting a bunch of CAs, Verisign will have to be trusted instead.
I don't think this is completely fair, because the current DNS-based solution need not be a replacement for the CA system, but can be used in addition to the CA system. So in order for an attacker to spoof a host, both the CA and someone in the DNS hierarchy above your domain would have to be compromised. It adds a little special sauce to your TLS security.

Appraisal of DNSSEC-based certificate verification

Posted Sep 27, 2013 9:56 UTC (Fri) by error27 (subscriber, #8346)

People are saying that the NSA already has prepared a work around for that?

http://ppjg.me/2012/05/11/one-company-to-rule-them-all/

Appraisal of DNSSEC-based certificate verification

Posted Sep 27, 2013 10:27 UTC (Fri) by mpr22 (subscriber, #60784)

An interesting article, which I lack the effort to actively verify.

It's a shame the author has chosen to post it to a site whose maintainers, at a first glance, appear to have never met a conspiracy theory they didn't like.

Appraisal of DNSSEC-based certificate verification

Posted Sep 27, 2013 10:35 UTC (Fri) by jschrod (subscriber, #1646)

I don't understand the hyperbole of that article.

Yes, MarkMonitor is a registrar. Google and others need a registrar for their domain names. They chose one. The registrar could set up false name server delegation records. Well, news at 11. That's why we want DNSSEC.

And while they might potentially be a CA at the same time, they're not an approved Firefox CA, AFAICS. I don't have Chrome or a current IE fired up now; is MarkMonitor really an approved CA there?

MarkMonitor

Posted Sep 27, 2013 10:42 UTC (Fri) by shane (subscriber, #3335)

The article author seems to have correctly identified MarkMonitor's business (it's on their web site, so that's not a tricky bit of journalism). However, note that *every* record in .COM is *already* in the hands of one company - the .COM registry operator, Verisign.

The US government has *already* issued DNS domain takedowns via this mechanism, so I'm not sure what additional problems companies using MarkMonitor could add:

http://blog.easydns.org/2012/03/05/the-ramifications-of-u...

As for why these varied companies are using this service, my guess is that they do a good job and have kick-ass sales people. We don't expect companies to do *everything* themselves... Google and Microsoft both use light bulbs, but we wouldn't worry about the NSA "turning the lights out" if they both bought them from Philips...

Appraisal of DNSSEC-based certificate verification

Posted Sep 27, 2013 20:01 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)

It's not really viable. While NSA can push Verisign, it has absolutely no control over the other top-level domains.

For example, one can host a site in .ua (Ukraine). In this case, to surreptitiously intercept your traffic, NSA will have to redirect the whole .ua top-level domain and use faked certificates - it's possible if they have full control over your pipe.

But it can be beaten fairly easily - just use 'sticky' DNSSEC keys. Since there are just over 300 top-level domains and DNSSEC key rotation happens rarely, it's not that burdensome. Also, the mechanics of redirection itself are quite complicated.

This is way better than having 500 CAs each of which can be used to create a certificate for ANY site.
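The 'sticky' DNSSEC keys idea from the comment above, as an added example that is not code from the thread: pin the DS digest of a TLD's key-signing key (SHA-256 over the owner name in wire form plus the DNSKEY RDATA, as RFC 4034 defines DS) and refuse to trust a DNSKEY RRset that no pin covers. The zone name and key bytes below are constructed for illustration, not real .ua key material, and the pin store is a plain dict standing in for whatever a resolver would persist.

```python
import hashlib

# RFC 4034: DNSKEY RDATA is flags(2) | protocol(1, always 3) | algorithm(1) | public key.
def dnskey_rdata(flags, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, e.g. 'ua.' -> b'\\x02ua\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (for logging which key matched)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def rrset_matches_pins(owner, rrset, pins):
    """True if at least one DNSKEY in the RRset is covered by a pinned DS digest.
    A zone's pin set may hold both the old and the new KSK digest across a rollover."""
    return any(ds_digest_sha256(owner, rd) in pins for rd in rrset)

# Constructed sample keys (not real .ua DNSKEY material): KSK flags 257, algorithm 8.
KSK_A = dnskey_rdata(257, 8, bytes.fromhex("03010001") + b"\xab" * 4)
KSK_B = dnskey_rdata(257, 8, bytes.fromhex("03010001") + b"\xcd" * 4)

# Pins recorded at first contact ("sticky" keys), keyed by zone name.
PINS = {"ua.": {ds_digest_sha256("ua.", KSK_A)}}

def check_tld(owner, rrset):
    """Accept a TLD's DNSKEY RRset only if a pinned DS covers one of its keys."""
    pins = PINS.get(owner)
    if pins is None:
        return False  # unknown zone: nothing to compare against, so do not trust it
    return rrset_matches_pins(owner, rrset, pins)

if __name__ == "__main__":
    print("key tag of KSK_A:", key_tag(KSK_A))
    print("genuine rrset accepted:", check_tld("ua.", [KSK_A]))
    print("replaced rrset accepted:", check_tld("ua.", [KSK_B]))
```

A redirected TLD that serves a substituted KSK (KSK_B here) fails the pin check even if its signatures chain correctly, which is the detection the comment is after; a legitimate rollover is handled by adding the new digest to the zone's pin set before the old key is retired.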

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.