[dns-operations] Another whitepaper on DDOS

Doug Barton dougb at dougbarton.us
Fri Feb 22 21:28:05 UTC 2013


Are there CA vendors who give out EV certificates for "$fee + answer the 
e-mail"? I know you can get "basic" SSL certs simply by answering the 
e-mail from the CA.

Not that "look for the green bar" is going to be a whole lot more 
successful than "Don't say yes to security exceptions you don't 
understand," but I'm curious. :)

Doug


On 02/22/2013 11:42 AM, Vernon Schryver wrote:
>> From: Lutz Donnerhacke <lutz at iks-jena.de>
>
>> But the erroneous transfer of ebay.de would create a disaster with DANE.
>
> In what way would DANE make the theft of a domain worse?
>
> Without DANE, the new possessor of a domain need only get SMTP working,
> create a new cert, apply for signature for a new cert, answer the email
> from the CA verifying ownership of the domain, and start using that
> new cert on new HTTP servers with improved web pages.
>
> With DANE, only a few things differ.  One difference is that the
> new cert can be used as soon as DNS TTLs allow without waiting to
> answer ownership-verifying email from the CA.  The second difference
> is that before and after the transfer, browser users can be more
> confident that the web pages they see are unchanged between HTTP
> server and HTTP client.
>
> In no case can you be sure that ebay.de is what you assume it is without
> some sort of out-of-band exchange of keys and secrets between you and
> ebay.de.  Paying a CA $500 cannot buy more than $500 worth of identity
> checking and authentication, and that cannot penetrate more than $500
> worth of smoke, mirrors, forged business licenses, etc.  $500 is plenty
> for a hobby domain but ridiculous for an eBay.  (Never mind the free CAs.)
> Commercial PKI verifications of the identities of strangers have always
> been frauds and snake oil sold to punters.  That commercial PKI fees
> have always been too small to allow honest identity checks even for
> organizations more famous than eBay was proven more than 10 years ago.
> https://www.cert.org/advisories/CA-2001-04.html
> http://technet.microsoft.com/en-us/security/advisory/2524375
>
>
> Vernon Schryver    vjs at rhyolite.com
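As an added illustration of the mechanism discussed above (this is not code from the thread or from any DANE implementation), the following Python shows how a DANE TLSA record binds a certificate to a DNS name and why the DNSSEC validation status and the certificate usage field decide whether the PKIX chain still matters. It assumes selector 0 (full certificate) and end-entity usages only; the certificate bytes, record names and helper names are constructed placeholders.

```python
import hashlib

# TLSA field values (RFC 6698); names are this example's, not a library's.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # certificate usage
SEL_FULL_CERT, SEL_SPKI = 0, 1                    # selector
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # matching type

# Constructed stand-ins for DER-encoded certificates (not real certs).
OLD_CERT_DER = b"constructed-der: cert issued to the original ebay.de holder"
NEW_CERT_DER = b"constructed-der: cert minted by whoever now controls the zone"


def tlsa_assoc_data(cert_der: bytes, matching_type: int) -> bytes:
    """Certificate association data for selector 0 (the whole certificate)."""
    if matching_type == MATCH_FULL:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(usage: int, matching_type: int, cert_der: bytes) -> str:
    """Presentation form of a TLSA record, e.g. '3 0 1 <hex digest>'."""
    data = tlsa_assoc_data(cert_der, matching_type).hex()
    return f"{usage} {SEL_FULL_CERT} {matching_type} {data}"


def parse_tlsa(rdata: str):
    usage, selector, mtype, data = rdata.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def dane_accepts(rdata: str, presented_der: bytes,
                 dnssec_validated: bool, pkix_valid: bool) -> bool:
    """True if the presented end-entity cert is accepted under this record.

    dnssec_validated: the TLSA answer was DNSSEC-validated (AD bit set by a
                      validating resolver). An unsigned record proves nothing.
    pkix_valid:       the cert also chains to a trusted CA under normal rules.
    """
    if not dnssec_validated:
        return False
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if selector != SEL_FULL_CERT:
        raise NotImplementedError("example handles selector 0 only")
    if usage in (PKIX_TA, DANE_TA):
        raise NotImplementedError("TA usages need the chain, not just the EE cert")
    if usage == PKIX_EE and not pkix_valid:
        return False  # usage 1 constrains the CA-issued cert; it does not replace PKIX
    # usage 3 (DANE-EE): the zone's TLSA record alone decides, so whoever
    # controls the signed zone can publish a new cert as soon as TTLs allow.
    return tlsa_assoc_data(presented_der, mtype) == assoc
```

A client that wants the CA check to keep mattering after a zone changes hands therefore has to insist on usage 0 or 1; with usage 3, control of the signed zone is the whole story.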