[Discuss] free SSL certs from the EFF
Derek Atkins
warlord at MIT.EDU
Thu Dec 4 10:44:21 EST 2014
Richard Pieri <richard.pieri at gmail.com> writes:
> On 12/3/2014 4:08 PM, Matthew Gillen wrote:
>
>> The second issue was that DNSSEC has a built-in way to MITM it, where an
>> intermediary could strip out the info that indicated that a given domain
>> had DNSSEC records (the claim was this was forced for compatibility). I
>> think Derek refuted that, and I have to believe that
>> what Richard claimed would defeat the whole purpose of DNSSEC.
>
> Correct. Either you enforce DNSSEC and drop yourself into a black hole
> when a script kiddie plays games with UDP packets or you configure
> your security aware resolver to treat unsigned and stripped DNS
> answers as valid anyway. The former is not "protection"; it's locking
> your computer in a safe filled with concrete and dumping it down the
> Marianas Trench. The latter, well, what's the point of DNSSEC if
> you're going to ignore it?
A script kiddie is only going to be able to send forged additional
responses, but not necessarily block the *real* responses or modify them
enroute. So yes, I still want to ignore the unsigned responses in this
scenario because the real responses *WILL* eventually get through.
Besides, with random ports and random TIDs a script kiddie has much less
of a chance of getting through.
Yes, there are broken middleware boxes (most often in hotels) that can
intercept and manipulate DNS. Personally I'd like to know when that's
happening to me, and DNSSEC can absolutely tell me that. Then I can
make a conscious choice of what to do with that information (including
opening myself up to attack).
Eventually those middleboxes will go away -- they've already been going
away slowly.
> Either way, DNSSEC really is pointless for end users.
Bzzt. You keep coming back to "pointless for end users" mantra when in
reality it was absolutely designed to help end users. You're welcome to
continue to think that to yourself (there's no such thing as a thought
police, yet) but please stop spreading your FUD around as fact. It's
not helping anyone. Many people have already pointed out many ways that
it helps end users. I can list many more if you wish, but if you're not
going to listen it's not worth my time, I have real security work to get
back to.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the Discuss
mailing list