Certificates and "authorities"

Posted Sep 8, 2011 22:27 UTC (Thu) by tialaramex (subscriber, #21167)
In reply to: Certificates and "authorities" by mike.cloaked
Parent article: Certificates and "authorities"

DNSSEC is deployed. The root is signed, many major TLD registries are equipped for DNSSEC. However, registrars are mostly in a cut-throat price war. The customer service overhead of teaching customers about DNSSEC isn't paid for by the dubious benefits of offering it. So there's an excellent chance that if you have a domain in a popular TLD today via a registrar, there's no way to get DNSSEC working with that domain without changing registrar.

This will probably change gradually, with better tools and increasing customer awareness. Today example.com, and fedoraproject.org - tomorrow Google and your banks, some day your blog.

On the client things are similarly slow moving. Enthusiasts have working DNSSEC in their client software today, but the average person does not. In the medium term the goal is that most users will go via their ISP's DNS server, and the queries performed by that server will be secured with DNSSEC, but obviously if your adversary is the government, the ISP is probably compromised anyway, so this doesn't help you.

Technically it's a done deal. Typing "ssh foo.bar.baz" and knowing you're only trusting bar, baz and the root to identify this "foo.bar.baz" machine works right now, on the public Internet (though obviously not for that made up address). But translating that into an ordinary user typing "www.facebook.com" into their browser and definitely getting the privacy-infringing social network site, not an Iranian impostor, may be years off even if we get agreement that it's desirable.

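The "ssh foo.bar.baz" case in the comment above is the SSHFP mechanism (RFC 4255): the zone publishes a hash of the host's public key, and the client trusts it only if the resolver reports the answer as DNSSEC-validated. The following is an added example, not code from the comment or from OpenSSH: it derives the SSHFP RDATA from an OpenSSH public-key line and compares a presented key against a simulated resolver answer. The key, host name and resolver answers are all constructed (the 32 key bytes are filler, not a usable key); the "ad" flag stands in for the AD bit a validating resolver sets.

```python
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Return (key type, raw key blob) from a 'type base64 [comment]' public-key line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type; they must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type on line does not match key blob")
    return key_type, blob


def sshfp_fingerprint(blob, fp_type=2):
    """Hex fingerprint over the raw key blob, as published in SSHFP RDATA."""
    return SSHFP_HASH[fp_type](blob).hexdigest()


def sshfp_rdata(line, fp_type=2):
    """Text form 'algo fptype fingerprint' of the SSHFP record for this key."""
    key_type, blob = parse_openssh_pubkey(line)
    return f"{SSHFP_ALGO[key_type]} {fp_type} {sshfp_fingerprint(blob, fp_type)}"


def check_host_key(line, answer):
    """Compare a presented host key with a (simulated) DNS answer.

    `answer` is {"ad": bool, "records": [(algo, fptype, hexfp), ...]}.
    Returns "secure"   - a record matches and the resolver validated the answer,
            "insecure" - a record matches but AD was not set, so it could be forged,
            "mismatch" - no record matches the presented key.
    """
    key_type, blob = parse_openssh_pubkey(line)
    algo = SSHFP_ALGO[key_type]
    matched = any(a == algo and t in SSHFP_HASH
                  and fp.lower() == sshfp_fingerprint(blob, t)
                  for a, t, fp in answer["records"])
    if not matched:
        return "mismatch"
    return "secure" if answer["ad"] else "insecure"


def _constructed_ed25519_line():
    # Constructed sample: 32 bytes of fixed filler stand in for a public key.
    key_bytes = hashlib.sha256(b"constructed SSHFP example").digest()
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example.net"


HOST_KEY_LINE = _constructed_ed25519_line()
_PUBLISHED = sshfp_fingerprint(parse_openssh_pubkey(HOST_KEY_LINE)[1])

# Constructed resolver answers for the three cases the client must tell apart.
VALIDATED_ANSWER = {"ad": True, "records": [(4, 2, _PUBLISHED)]}
UNVALIDATED_ANSWER = {"ad": False, "records": [(4, 2, _PUBLISHED)]}
FORGED_ANSWER = {"ad": True, "records": [(4, 2, "00" * 32)]}

if __name__ == "__main__":
    print("zone should publish: host.example.net. IN SSHFP", sshfp_rdata(HOST_KEY_LINE))
    for label, ans in [("validated", VALIDATED_ANSWER),
                       ("unvalidated", UNVALIDATED_ANSWER),
                       ("forged", FORGED_ANSWER)]:
        print(f"{label:12s} -> {check_host_key(HOST_KEY_LINE, ans)}")
```

The "insecure" result is the point of the comment's "trusting bar, baz and the root": without the chain of signatures, an SSHFP answer is no better than any other unauthenticated DNS reply. OpenSSH's VerifyHostKeyDNS makes the same distinction, accepting a key without a prompt only when the resolver reports the SSHFP answer as validated.
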
Certificates and "authorities"

Posted Sep 9, 2011 0:07 UTC (Fri) by mtaht (✭ supporter ✭, #11087)

Getting your DNS signed with DNSSEC has become easier and easier with the more current versions of BIND.

In fact, both bufferbloat.net (running on an x86_64 box) and http://jupiter.lab.bufferbloat.net (running on a MIPS-based CeroWrt box) are now signed, and the overhead seems non-existent.

Comcast is running a set of DNSSEC-enabled DNS servers now, as well, which work great as forwarders.

dns.comcast.net

There is a tool for Firefox that can validate if your DNS is signed, here:

https://addons.mozilla.org/en-US/firefox/addon/dnssec-val...

Perhaps one day this could be more effective than CAs.
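The two pieces described in this thread, a validating resolver that forwards to an ISP's DNSSEC-capable servers (tialaramex's "most users will go via their ISP's DNS server") and a zone signed by BIND itself (mtaht's "getting your DNS signed with DNSSEC has become easier"), can be expressed in one named.conf. This is an added example, not configuration from either commenter, from bufferbloat.net or from Comcast: it assumes BIND 9.16 or later (the `dnssec-policy` syntax), the forwarder address is a documentation-range placeholder since the page names dns.comcast.net only by name, and the zone name and file paths are placeholders.

```conf
options {
    directory "/var/cache/bind";

    // Validate answers against the built-in root trust anchor, so a forged
    // reply from the path between this server and the forwarder fails
    // validation instead of being returned to clients.
    dnssec-validation auto;

    // Placeholder address: replace with the ISP's DNSSEC-capable resolver.
    // Validation still happens locally; the forwarder only has to return
    // the RRSIG data, which a DNSSEC-aware server does when DO is set.
    forwarders { 192.0.2.53; };
    forward only;
};

// Authoritative zone that BIND signs and re-signs on its own, so the
// unsigned zone file can keep being edited by hand. The DS record derived
// from the generated KSK must still be placed at the parent through the
// registrar, which is the step the thread notes many registrars do not support.
zone "example.net" {
    type primary;
    file "/etc/bind/db.example.net";
    dnssec-policy default;
    inline-signing yes;
};
```

Once the zone is loaded, the record a DNSSEC-aware SSH client would need for a host in it is the SSHFP record for that host's key, published in the unsigned zone file like any other record; BIND signs it along with the rest. Whether a resolver actually validated an answer can be seen in the AD flag of its reply.
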


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds