BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] free SSL certs from the EFF

Subject: [Discuss] free SSL certs from the EFF
From: warlord at MIT.EDU (Derek Atkins)
Date: Mon, 01 Dec 2014 13:42:41 -0500
In-reply-to: <BN3PR0401MB1204CDD16766109B0CD095ECDC730@BN3PR0401MB1204.namprd04.prod.outlook.com> (Edward Ned Harvey's message of "Tue, 25 Nov 2014 11:28:06 +0000")
References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <54737E7C.5040506@mattgillen.net> <BN3PR0401MB1204CDD16766109B0CD095ECDC730@BN3PR0401MB1204.namprd04.prod.outlook.com>

"Edward Ned Harvey (blu)" <blu at nedharvey.com> writes:

>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Matthew Gillen
>> 
>> This is not without new attack vectors: you can only trust DNS responses
>> as far as DNS-SEC goes, which unfortunately ends one-hop before
>> end-systems (unless you run your own DNS server and force everything on
>> your home network to use that; which I do but don't know how common
>> that
>> is).
>
> Based on my understanding of DNSSEC, it doesn't add security except in
> esoteric edge cases.  Because your client doesn't have any point of
> trust - if your client queries DNS, there's no way for your client to

This is a false assumption..  Clients can (and are) populated with the
well-known Root Zone KSK which is used to verify the root-zone ZSK which
in turn signs the TLDs.  So properly configured clients can indeed have
a point of trust.  It's effectively the same level of trust you can put
into your "root CA list" that also must be populated on the clients.

> know *this* response is authentic for your domain.  In theory, you
> could start using x509 certs to sign your DNS but then there's the
> chicken and egg problem.
>
> I don't see any way to make DNS actually secure, except to completely
> scrap all of DNS in favor of a new "secure" DNS.  Which could
> literally be regular DNS with TLS on it, but the point is, as long as
> you try to make clients compatible with *both* the secure and insecure
> DNS, then attacking the secure DNS is trivial.  You just block secure
> DNS and cause the client to fallback to insecure DNS, or you just
> substitute whatever malicious DNS response you want, knowing that the
> client accepts insecure DNS responses.  There is no defense.

I think it depends very much on your definition of "Secure".  You are
correct that DNSsec does not provide any confidentiality services.
However it does indeed protect the data integrity from interloping
intermediaries and provide authenticated DNS Data.

> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

Follow-Ups:
- [Discuss] free SSL certs from the EFF
  - From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] free SSL certs from the EFF
  - From: blu at nedharvey.com (Edward Ned Harvey (blu))

Prev by Date: [Discuss] Dell Openmanage vs Supermicro IPMI?
Next by Date: [Discuss] Python module for Windows services that runs on Linux
Previous by thread: [Discuss] Dell Openmanage vs Supermicro IPMI?
Next by thread: [Discuss] free SSL certs from the EFF
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.