[dns-operations] Another whitepaper on DDOS
Vernon Schryver
vjs at rhyolite.com
Fri Feb 22 19:42:17 UTC 2013
> From: Lutz Donnerhacke <lutz at iks-jena.de>
> But the errornous transfer of ebay.de would create a deasaster with DANE.
In what way would DANE make the theft of a domain worse?
Without DANE, the new possessor of a domain need only get SMTP working,
create a new cert, apply for signature for a new cert, answer the email
from the CA verifying ownership of the domain, and start using that
new cert on new HTTP servers with improved web pages.
With DANE, only a few things differ. One difference is that the
new cert can be used as soon as DNS TTLs allow without waiting to
answer ownership-verifying email from the CA. The second difference
is that before and after the transfer, browser users can be more
confident that the web pages they see are unchanged between HTTP
server and HTTP client.
In no case can you be sure that ebay.de is what you assume it is without
some sort of out-of-band exchange of keys and secrets between you and
ebay.de. Paying a CA $500 cannot buy more than $500 worth of identity
checking and authentication, and that cannot penetrate more than $500
worth of smoke, mirrors, forged business licenses, etc. $500 is plenty
for a hobby domain but ridiculous for an eBay. (Never mind the free CAs.)
Commercial PKI verifications of the identities of strangers have always
been frauds and snake oil sold to punters. That commercial PKI fees
have always been too small to allow honest identity checks even for
organizations more famous than Ebay was proven more than 10 years ago.
https://www.cert.org/advisories/CA-2001-04.html
http://technet.microsoft.com/en-us/security/advisory/2524375
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations
mailing list