Comment by tptacek
2 days ago
Attackers hijacking domains to get certificates issued are generally hijacking registrar accounts, which DNSSEC doesn't help with, which is probably one of the many reasons DNSSEC is so rarely deployed.
We know, you've told us many times. But that's not the context of the thread.
I'm not fixated on any particular argument, but the preceding comment offers network security advice as if it were best common practice, and it is not in fact that. That's all! Not a big thing.
I would be interested in your take; if you had to distrust the network, how would you protect HTTP, SMTP, DNS, and TLS certs? I suspect your answer isn't DNSSEC, but I'd be interested to hear what you would use instead. The European answer seems to be DNSSEC, considering adoption rates there. (edit: should be "includes" not "be", it's one of the tools they use).