new | show | ask | jobs Github

indolering 4 hours ago

If DNS PKI is compromised, so is HTTPS. So yes, they would be scrambling too.

▲

tptacek 4 hours ago | parent [-]

This is obviously not true.

▲

indolering 3 hours ago | parent [-]

DNS is where domain name authority is delegated. Anything you build on top of that is also going to be a world of hurt if it gets compromised.

▲

akerl_ 3 hours ago | parent | next [-]

So why are we not constantly seeing real world compromises of major sites that don't use DNSSEC?

▲

gzread 44 minutes ago | parent [-]

Here's one: https://notes.valdikss.org.ru/jabber.ru-mitm/

	▲	akerl_ 27 minutes ago \| parent [-]
		I don't see any indication that DNSSEC would have been relevant there? Their assessment was that that interception (and certificate issuance) were completed by redirecting traffic for the legitimate IPs to another destination. The DNS records continued to work as expected.

▲

tptacek 3 hours ago | parent | prev [-]

You're doing a jazz-hands thing here where you equate a breach in DNSSEC (which virtually nobody uses), to a new susceptibility in the ordinary DNS (which everybody uses), such that an attacker could spoof arbitrary DNS lookups to arbitrary CAs. Obviously the two things aren't comparable.

When you make arguments like this, or the weird SSH argument you're making across the thread, or the weird "this would be good for Wikileaks" thing you did elsewhere, you clarify how tenuous your argument is. Remember, you're in the position of arguing that 95%+ of large site operators are wrong about this, and have been for decades, and you're the one who's right. That can definitely happen! But it's an extraordinary claim and your evidence thus far is pretty terrible.