[Discuss] free SSL certs from the EFF
Richard Pieri
richard.pieri at gmail.com
Sun Dec 7 14:57:45 EST 2014
On 12/7/2014 2:02 PM, Bill Horne wrote:
> Of course, theory and practice often differ in security, and we've all
> met mister "JustDoItOrYou'reFired" who likes to tell us to break the
> rules, but that isn't a technical problem. A well designed security
> suite will give Joe the option of sending his reports by encrypting them
> first with a few key clicks.
Therein lies what I consider to be the most egregious flaw in DNSSEC
from an end user's perspective: no choice. Joe has no choice but to use
it and accept that he can't work at all when it comes under attack
assuming DNSSEC is being enforced which is contrary to DNSSEC mandatory
requirements but that's a tangent. I'm not saying that DNSSEC is flawed
(well, I think it is, but that's another tangent). I'm saying that
DNSSEC is not an end user's tool and that you're going to experience
serious problems if you try to use it as one.
In my opinion, a well-designed -- that is, well-designed for end users
-- secure DNS system should provide reliable, authenticated answers
despite attacks made against the system. DNSSEC does not do this. It
doesn't try because, like I wrote way back at the start of all this,
it's a last hop issue that lies outside of the scope of DNSSEC.
A few days ago Ed posited that we'll get there someday. Truth is, we've
been there for some time. With DNSCurve and DNSCrypt we have exactly the
kinds of encrypted DNS service that he called for. Why haven't they been
widely adopted? I figure it's a "Paul Vixie, yes! DJB, no!" issue.
--
Rich P.
More information about the Discuss
mailing list