All secure crypto on the Internet assumes that the DNS lookup from names to IP addresses are insecure. Securing those DNS lookups therefore enables no meaningful security. DNSSEC does make some attacks against insecure sites harder. But it doesn’t make those attacks infeasible, so sites still need to adopt secure transports like TLS. With TLS properly configured, DNSSEC adds nothing.
samedi 17 janvier 2015 à 08:50CAFAI Liens en Vrac 17/01/2015
All secure crypto on the Internet assumes that the DNS lookup from names to IP addresses are insecure. Securing those DNS lookups therefore enables no meaningful security. DNSSEC does make some attacks against insecure sites harder. But it doesn’t make those attacks infeasible, so sites still need to adopt secure transports like TLS. With TLS properly configured, DNSSEC adds nothing.
Take “domain-validated TLS certificates”. Some TLS CAs will sign certificates based solely on the requester’s ability to receive a confidential email sent to a domain. DNSSEC makes attacks against this scheme harder. But domain-validated certificates remain insecure because SMTP is itself insecure. Put differently: the problem is “validating domain ownership via email” in the first place not that the DNS is insecure.
(Permalink)
All secure crypto on the Internet assumes that the DNS lookup from names to IP addresses are insecure. Securing those DNS lookups therefore enables no meaningful security. DNSSEC does make some attacks against insecure sites harder. But it doesn’t make those attacks infeasible, so sites still need to adopt secure transports like TLS. With TLS properly configured, DNSSEC adds nothing.
Take “domain-validated TLS certificates”. Some TLS CAs will sign certificates based solely on the requester’s ability to receive a confidential email sent to a domain. DNSSEC makes attacks against this scheme harder. But domain-validated certificates remain insecure because SMTP is itself insecure. Put differently: the problem is “validating domain ownership via email” in the first place not that the DNS is insecure.
(Permalink)