BLU Discuss list archive
[Discuss] free SSL certs from the EFF
- Subject: [Discuss] free SSL certs from the EFF
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Wed, 03 Dec 2014 16:33:51 -0500
- In-reply-to: <547F7BE8.5050507@mattgillen.net>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <54737E7C.5040506@mattgillen.net> <BN3PR0401MB1204CDD16766109B0CD095ECDC730@BN3PR0401MB1204.namprd04.prod.outlook.com> <sjm8uirdxem.fsf@securerf.ihtfp.org> <BN3PR0401MB1204B299B351DFF7F2E85FBDDC7D0@BN3PR0401MB1204.namprd04.prod.outlook.com> <sjmlhmqcb1j.fsf@securerf.ihtfp.org> <BN3PR0401MB120492A5BDE4D3CEE0AECDD3DC7A0@BN3PR0401MB1204.namprd04.prod.outlook.com> <sjm8uiqc7sw.fsf@securerf.ihtfp.org> <547E0FB3.3070005@gmail.com> <sjmy4qobui6.fsf@securerf.ihtfp.org> <547F3855.10106@gmail.com> <547F7BE8.5050507@mattgillen.net>
On 12/3/2014 4:08 PM, Matthew Gillen wrote:
> The first flaw is DNSSEC to end clients. There are two solutions to this:

That's not a flaw in DNSSEC. It's an expectation that is outside of the scope of DNSSEC.

> The second issue was that DNSSEC has a built-in way to MITM it, where an
> intermediary could strip out the info that indicated that a given domain
> had DNSSEC records (the claim was this was forced for compatibility). I
> think Derek refuted that, and I have to believe that
> what Richard claimed would defeat the whole purpose of DNSSEC.

Correct. Either you enforce DNSSEC and drop yourself into a black hole when a script kiddie plays games with UDP packets or you configure your security aware resolver to treat unsigned and stripped DNS answers as valid anyway. The former is not "protection"; it's locking your computer in a safe filled with concrete and dumping it down the Marianas Trench. The latter, well, what's the point of DNSSEC if you're going to ignore it?

Either way, DNSSEC really is pointless for end users.

--
Rich P.