Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think you're a little unclear on the concept here. The problem isn't that Libya gains the ability to read the TLS keys.


Since Libya can't write a valid certificate to DNS, the ability to make changes doesn't help them. At worst, they might be able to make browsers reject the certificate (as the one served by the server won't match the one in DNS, or the one served by the server and in DNS (if your A records and DNS key gets changed) isn't signed by a CA), but they can already do that. If you don't trust your DNS Zone, you can already be trivially taken offline by them deleting your DNS records.

Once DANEs is deployed widely browsers should require both a certificate from a CA, and that certificate to be in DNS. Two factor authentication for SSL.


If the CA signature means anything, you don't need DNSSEC.

If it doesn't, you've given control over the certificate to Libya.

It is easier to see the problem when you look at the real issue, which is that the NSA controls both the CA hierarchy and .COM.


Perseids made his counter-arguments clear in many places on this page, but your comment allows me to summarize.

> If the CA signature means anything, you don't need DNSSEC.

If DNSSEC is fully deployed and supported, you don't need CAs.

> If it doesn't, you've given control over the certificate to Libya.

If it (DNSSEC) isn't, you've given control over the certificate to any trusted CA in the world.

> It is easier to see the problem when you look at the real issue, which is that the NSA controls both the CA hierarchy and .COM.

Neither DNSSEC nor the CA system can prevent the NSA from doing their evil stuff.


The problem with the CA system is that it fails to resist nation-state attacks. DNSSEC not only has that problem, it has it by design. That's the point made by the post. All you've done is restate it.


You are right, so let me sum up:

Centralized architecture leaves DNSSEC vulnerable to nation-state attacks. This is by design.

Decentralized architecture leaves the CA system vulnerable to attacks coming from any trusted CA. This is by design.

National Security Letters (and their non-US equivalents) leave the CA system vulnerable to nation-state attacks.

DNSSEC 2 - 1 CAs


I think the point is that once we hve DNSSEC, we have no way around. With the CA system there is lots of room to improve on it, without more centralisation.

Im not a expert but thats my take so far.


We've had CAs for two decades already and they haven't improved much, why would their third decade be different?


The demand for change is growing and many project working on this show this. There is lots going on, much more then I can see going on in the DNS space. People are deploying more and more https and browser vendors, research and the open source community are working on it.

Project like Lets Encrpyt, CertCA on the CA side. Certificate Transparency on the standard side. Inside of the Browser you have HTTPS Everywhere, SSL Overservatory and things like Convergence.

Are this many people working on activlly innovating on DNSSEC and DANE? If they exists, I dont see them.

Also, even if they exists, once the system is centralised, its almost impossible to move it forward. In the CA system, I as a individuall can do more for my own security.


Why is DNSSEC not vulnerable to NSLs?


I am distinguishing on the attacker, not the means. Sorry if that was not clear.

Of course DNSSEC is vulnerable to NSLs, but that is not relevant. What is relevant is:

- DNSSEC is vulnerable to nation-state attacks.

- The CA system is vulnerable to nation-state attacks.

- The CA system is vulnerable to attacks from any CA.


Missing points:

- I, as a user, have mean to circumvent or mitigate CA issues (using certificate patrol as one possibility, certificate pinning as another,...)

- There is no user work around for the DNSSEC vulnerabilities

Furthermore, I'd guess that the majority of CA attacks are nation-state attacks so that both boil down to the same. I don't know of any criminal attacks (such as attacks on online banking) on the CA's. Conclusion: I, as a user, don't gain anything from DNSSEC.


It obviously is vulnerable.


An NSL is secret, right? Some nation-states have the power to compel changes to the root zone, but none have the ability to do it in secret.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: