[dns-operations] Another whitepaper on DDOS

Sat Feb 23 23:23:35 UTC 2013

I wonder if DANE could have prevented Microsoft's recent difficulty
with expired SSL certs.
https://www.google.com/search?tbm=nws&as_q=microsoft+azure+ssl
Instead of an annual bout with internal purchase order and invoice red
tape and with red tape at the CA, could Microsoft have automated the
generation of certs and fingerprint TLSA RRs just as many automate
their generation of zone signing RRSIG RRs?
(Never mind that microsoft.com lacks RRSIG RRs.)

   ...

> From: Doug Barton <dougb at dougbarton.us>

> Are there CA vendors who give out EV certificates for "$fee + answer the
> e-mail"? I know you can get "basic" SSL certs simply by answering the
> e-mail from the CA.

I can't find anything about EV verification from registrars.  Maybe
I'm blind and stupid, or maybe writing down what they actually do
would be too funny.

I suspect you might need to submit a government registration document
and answer a press-1-if-you're-human robo phone call.  You won't
forge the registration document, because the real things are so
cheap, easy, and unverified.

It's obvious nothing that I put in the online form other to get
http://www.sos.state.co.us/biz/BuildCertificate.do?masterFileId=20051118531
was verified other than the credit card number for the $1.00 charge.
(You might need to 'get' that URL twice.)
See also http://www.sos.state.co.us/pubs/info_center/fees/business.html
I've had DBA registrations in other states, and found them just as
unimpressive.

How would you interpret section 5 of
https://www.cabforum.org/EV_Certificate_Guidelines.pdf
to sell me a $1500 EV cert?
https://www.symantec.com/theme.jsp?themeid=compare-ssl-certificates
You couldn't afford to have someone to drive past my address to see
if it's a vacant lot, not to mention ask my neighbors if they've seen
anything shady or even ever seen me.  If you want to sell certs to
small businesses, then you cannot charge enough to do any checking.

> Not that "look for the green bar" is going to be a whole lot more
> successful than "Don't say yes to security exceptions you don't
> understand," but I'm curious. :)

Yes, EV certs are expensive tickets for slapstick security theater.
Standards certs and the "mailboxes" (not SMTP but only for use after
you log into your GoDaddy account), theft protection, scanning, and
other hookum that GoDaddy sells are cheap seats.

(Your recent claim that all registrars up-sell the same junk as GoDaddy
is wrong.  I'm trust that all of the registrars you've seen are as you
said and like GoDaddy, but I've seen nothing like GoDaddy.  That might
be because I don't look at registrars that I've heard bad things about
or that advertise prices below what I know of their costs (e.g. registry
fees).  I know they'll more than make up their losses in ways I'm too
dumb to catch.)

Vernon Schryver    vjs at rhyolite.com