teddyh, 2 days ago:

DNS isn’t centralized; it’s federated. I mean, just because there’s an ISO and a UN does not mean there is a single world government. (Repost: https://news.ycombinator.com/item?id=38695674)

tptacek, a day ago:

The distinction you're trying to draw here isn't relevant to the argument on the thread. "Centralization" is the other commenter's metric of concern, not mine.

ocdtrekkie, 2 days ago:

Three browser companies on the west coast of the US effectively control all decision-making for WebPKI. The entire membership of the CA/B is what, a few dozen? Mostly companies which have no reason to exist except serving math equations for rent. How many companies now run TLDs? Yeah, .com is centralized, but between ccTLDs, new TLDs, etc., tons. And domain registrars and web hosts which provide DNS services? Thousands. And importantly, hosting companies and DNS providers are trivially easy to change between. The idea Apple or Google can unilaterally decide what the baseline requirements should be needs to be understood as an existential threat to the Internet. And again, every single requirement CAs implement is irrelevant if someone can log into your web host. The entire thing is an emperor-has-no-clothes thing.

tptacek, 2 days ago:

Incoherent. Browser vendors exert control by dint of controlling the browsers themselves, and are in the picture regardless of the trust system used for TLS. The question is, which is more centralized: the current WebPKI, which you say is also completely dependent on the DNS but involves more companies, or the DNS itself, which is axiomatically fewer companies? I always love when people bring the ccTLDs into these discussions, as if Google could leave .COM when .COM's utterly unaccountable ownership manipulates the DNS to intercept Google Mail.

teddyh, 2 days ago:

> when .COM's utterly unaccountable ownership manipulates the DNS to intercept Google Mail.

Why is this more likely to happen than a rogue CA issuing a false certificate? Also, Google has chosen to trust .com instead of using one of their eleven TLDs that they own for their own exclusive use, or any of the additional 22 TLDs that they also operate.

akerl_, a day ago:

When a rogue CA issues a bad cert, they get delisted from all major browsers and are effectively destroyed. That isn’t possible with .com

teddyh, a day ago:

The DNS is federated and hierarchical. A domain name (including top-level domains) is controlled by a single entity. If you do not trust that entity, you cannot trust that domain or top-level domain, or anything beneath that in the tree. But given that you trust the root zone, you can still (potentially) trust other subtrees in the DNS, like other top-level domains. This is not the case with a CA, however; you are forced to trust all of them, and hope that when fraudulent certificates are issued (as has happened several times, IIUC), they will not affect you.

akerl_, a day ago:

In fact you don't have to trust any of them, since browser root stores enforce certificate transparency. But also the issues of segmentation are pretty much a total shift of the goalposts from what we were discussing, which is what actually happens when malicious activity occurs. In DNS, your only option is to stop trusting that slice of the tree and for every site operator to lift and shift to another TLD, inclusive of teaching all their users to use the new site. In WebPKI, the CA gets delisted for new certificate issuance and site operators get new certificates before the current ones expire. One of those is insane, and the other has successfully happened several times in response to bad/rogue CAs.
otabdeveloper4, 2 days ago:

No. You can host your own DNS. It's easy and practically free.

peanut-walrus, 2 days ago:

Your TLD registry operator still technically remains fully in control of your records. I am actually surprised more of them have not abused their power so far.

crote, a day ago:

Most TLD operators are non-profit foundations set up by nerds in the early days of the internet, well before the lawyers, politicians, and MBAs could get their hands on it. If you want to see what happens otherwise, just look at the gTLD landscape. Still, genuine power abuse is relatively rare, because to a large extent they are selling trust. If you start randomly taking down domains, nobody will ever risk registering a domain with you again.

tptacek, a day ago:

The most important TLDs are decidedly not non-profit foundations run by the nerds who set them up in the 1980s, and governments routinely manipulate the DNS for policy reasons.

otabdeveloper4, a day ago:

You don't actually need a domain with an ""important"" TLD. True story.

akerl_, a day ago:

What TLDs are today operated by non-profits? Looking at the list, I see a mix of commercial entities running them for profit and governments.

otabdeveloper4, 15 hours ago:

You don't actually need a non-profit TLD either. Having a healthy competitive market for DNS services is good enough.

akerl_, 11 hours ago:

Really? If .com or .io or some other popular TLD starts acting maliciously, what’s the route to handling that problem?