
Fraudulent certificates in the wild — again


Posted Jan 9, 2013 14:25 UTC (Wed) by Lennie (guest, #49641)
In reply to: Fraudulent certificates in the wild — again by tialaramex
Parent article: Fraudulent certificates in the wild — again

I don't know what technology will be chosen in the future, but AFAIK DNSSEC/DANE is currently the only generally available protocol/standard.

The only parties that need to implement it are the browser vendors. They do however depend on an Internet where proper checking of DNSSEC material is possible.

This can be handled by something that is part of the browser, handled by the operating system, or by something installed on the network or local machine ( http://www.nlnetlabs.nl/projects/dnssec-trigger/ ).

This hasn't happened, partly because there are other issues in the network that prevent this, from DSL routers which block large responses to just plain broken resolvers. A failover to HTTP or similar to collect this information is possible, but no one has come forward to set up a large distributed network of servers for this.

From the browser vendors I only see an interest in this field from the Google Chrome/Chromium developers and the Firefox developers.

Google Chrome/Chromium uses the same NSS library and, I believe, the same CA store as Mozilla/Firefox.

The NSS library is getting a lot of development, for example a refactoring to easily support SPDY, but I haven't seen a lot of DNSSEC-/DANE-related development.

The Chrome/Chromium developers are developing their own DNS library to improve performance. I've not seen any initiatives to add DNSSEC validation support to it.

Chrome/Chromium does support this as a test:
DNSSEC chain validation for DNSSEC-validated DNS material embedded in the SSL chain.

No other browser supports this, and you can't have both the normal CA chain and the DNSSEC chain in the same SSL certificate configuration. It is something that might be possible in theory, but different browsers handle this case differently, and you end up with at least one browser giving errors depending on the choices you make.

Even if all this is said and done, DNSSEC does not solve what the CAs call "extended validation" certificates (also known as the green bar).

In the meantime there are add-ons for Firefox and Chrome which you can use to add DNSSEC/DANE support to those browsers. I think there is even an IE extension; when combined with DNSSEC-trigger you have a full solution which should always work.
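The check that the browser add-ons mentioned in this comment perform once DNSSEC has validated the TLSA record is the DANE matching step from RFC 6698: take the part of the server certificate the record's selector names, hash it as the matching type says, and compare with the association data, then apply the certificate-usage rule (DANE-EE and DANE-TA bypass the CA store, PKIX-EE and PKIX-TA still require it). The following is an added example, not code from the LWN thread, from DNSSEC-trigger, or from any of the browsers or add-ons discussed. DNSSEC validation itself and the TLS handshake are out of scope; `pkix_ok` is a hypothetical input standing in for the result of ordinary CA-store validation, and the "certificates" are constructed DER structures with the real X.509 field order but empty names and a placeholder signature, built with the small DER helpers in the block.

```python
"""DANE/TLSA matching (RFC 6698 section 2.1) against a server certificate.

Added example; not the code of any browser, add-on or project named in
the thread.  The certificates below are constructed stand-ins, not real
X.509 certificates: right field order, empty names, fake signature.
"""
import hashlib

SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(payload)) + payload


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, whole_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end


def der_children(seq_value):
    """Yield (tag, whole_tlv) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, _, tlv, pos = der_read(seq_value, pos)
        yield tag, tlv


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo TLV of a certificate (RFC 5280 tbsCertificate
    order: optional [0] version, serial, sigalg, issuer, validity, subject,
    subjectPublicKeyInfo).  TLSA selector 1 hashes exactly this TLV."""
    _, cert_body, _, _ = der_read(cert_der)
    _, tbs_body, _, _ = der_read(cert_body)          # tbsCertificate comes first
    fields = list(der_children(tbs_body))
    if fields[0][0] == CTX0:                         # skip the explicit version
        fields = fields[1:]
    return fields[5][1]


def parse_tlsa(text):
    """'<usage> <selector> <mtype> <hex>' -> (usage, selector, mtype, bytes)."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(record, cert_der):
    """Does one TLSA record's association data match this certificate?"""
    _, selector, mtype, assoc = record
    data = {0: lambda: cert_der, 1: lambda: extract_spki(cert_der)}[selector]()
    digest = {0: lambda d: d,                        # full data, no hash
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return digest == assoc


def dane_accept(records, leaf_der, issuers_der, pkix_ok):
    """Apply the certificate-usage rules; returns (accepted, reason).
    issuers_der: the rest of the presented chain.  pkix_ok: hypothetical
    result of conventional CA-store validation (needed for usages 0 and 1)."""
    for rec in records:
        usage = rec[0]
        if usage in (1, 3) and tlsa_matches(rec, leaf_der):      # end-entity
            if usage == 3:
                return True, "DANE-EE: leaf matches; CA store not consulted"
            if pkix_ok:
                return True, "PKIX-EE: leaf matches and PKIX validation passed"
        if usage in (0, 2) and any(tlsa_matches(rec, c) for c in issuers_der):
            if usage == 2:
                return True, "DANE-TA: chain cert matches (TLS stack must still chain to it)"
            if pkix_ok:
                return True, "PKIX-TA: chain cert matches and PKIX validation passed"
    return False, "no TLSA record accepted the presented certificate"


def build_constructed_cert(spki_tlv, serial=b"\x01"):
    """Constructed stand-in for an X.509 certificate (not a real one)."""
    sha256_rsa = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    empty_name = der(SEQ, b"")
    validity = der(SEQ, der(UTCTIME, b"130101000000Z") + der(UTCTIME, b"140101000000Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, serial) + sha256_rsa
              + empty_name + validity + empty_name + spki_tlv)
    return der(SEQ, tbs + sha256_rsa + der(BITSTR, b"\x00" * 9))   # placeholder signature


def rsa_spki(key_bytes):
    """Constructed rsaEncryption SPKI around placeholder key bytes."""
    alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + key_bytes))


SAMPLE_SPKI = rsa_spki(bytes.fromhex("3082010a0282010100aa"))     # constructed
SAMPLE_LEAF = build_constructed_cert(SAMPLE_SPKI)                  # constructed
SAMPLE_ISSUER = build_constructed_cert(rsa_spki(b"\xbb"), serial=b"\x02")


def sample_record(usage, selector, mtype, cert_der):
    """The presentation-form TLSA record an operator would publish for cert_der."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    hexdata = {0: lambda d: d.hex(), 1: lambda d: hashlib.sha256(d).hexdigest(),
               2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {hexdata}"


if __name__ == "__main__":
    rec = parse_tlsa(sample_record(3, 1, 1, SAMPLE_LEAF))
    print(rec[:3], dane_accept([rec], SAMPLE_LEAF, [SAMPLE_ISSUER], pkix_ok=False))
```

A "3 1 1" record (DANE-EE, SPKI, SHA-256) is the common choice because it survives certificate renewal as long as the key is kept; note that the usage-3 path returns accept without ever asking `pkix_ok`, which is exactly the point of the comment: a DANE-aware client does not need the CA store for that site, so a fraudulent CA-issued certificate would fail the match.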




Copyright © 2017, Eklektix, Inc.