BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] free SSL certs from the EFF
- Subject: [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- Date: Tue, 25 Nov 2014 11:28:06 +0000
- In-reply-to: <54737E7C.5040506@mattgillen.net>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <54737E7C.5040506@mattgillen.net>
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss- > bounces+blu=nedharvey.com at blu.org] On Behalf Of Matthew Gillen > > This is not without new attack vectors: you can only trust DNS responses > as far as DNS-SEC goes, which unfortunately ends one-hop before > end-systems (unless you run your own DNS server and force everything on > your home network to use that; which I do but don't know how common > that > is). Based on my understanding of DNSSEC, it doesn't add security except in esoteric edge cases. Because your client doesn't have any point of trust - if your client queries DNS, there's no way for your client to know *this* response is authentic for your domain. In theory, you could start using x509 certs to sign your DNS but then there's the chicken and egg problem. I don't see any way to make DNS actually secure, except to completely scrap all of DNS in favor of a new "secure" DNS. Which could literally be regular DNS with TLS on it, but the point is, as long as you try to make clients compatible with *both* the secure and insecure DNS, then attacking the secure DNS is trivial. You just block secure DNS and cause the client to fallback to insecure DNS, or you just substitute whatever malicious DNS response you want, knowing that the client accepts insecure DNS responses. There is no defense.
- Follow-Ups:
- [Discuss] free SSL certs from the EFF
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] free SSL certs from the EFF
- From: me at mattgillen.net (Matthew Gillen)
- [Discuss] free SSL certs from the EFF
- References:
- [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] free SSL certs from the EFF
- From: me at mattgillen.net (Matthew Gillen)
- [Discuss] free SSL certs from the EFF
- Prev by Date: [Discuss] free SSL certs from the EFF
- Next by Date: [Discuss] free SSL certs from the EFF
- Previous by thread: [Discuss] free SSL certs from the EFF
- Next by thread: [Discuss] free SSL certs from the EFF
- Index(es):