Site not dnssec signed


#1

You gotta love that this site is not DNSSEC signed. Come on, folks. Eat your own dogfood.


#2

What does dnssec have to do with SSL?


#3

With DNSSEC and TLSA (aka DANE) you can make HTTPS certs a lot safer, since HPKP requires you to have visited the site at least once, while DANE works immediately with everything that supports DNSSEC (and it even gives you the ability to use your own self-signed cert or your own CA, making the classic CA model close to unnecessary).


#4

As I am trying to be optimistic about LE’s model, I see DNSSEC/TLSA as belt and braces.


#5

I don’t exactly get what you mean, but TLSA has the benefit that it almost completely defeats any rogue CAs, any lost CA keys, or whatever might have happened with DigiNotar.
If everyone would use their own cert that is located in DNSSEC, then no CA can do SSL for the target site.
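As an added example (not code from this thread), here is what #3 and #5 describe in working form: producing a "3 1 1" TLSA record that pins a certificate's SubjectPublicKeyInfo, and checking a presented certificate against TLSA records using the selector/matching-type rules of RFC 6698, where a usage-3 (DANE-EE) match needs no CA at all. The SPKI and certificate bytes are constructed stand-ins; with a real certificate the SPKI would be extracted from it.

```python
import hashlib
from dataclasses import dataclass

DANE_EE = 3  # certificate usage 3: match the end-entity cert itself, no CA chain needed


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '3 1 1 <hex>' (hex may be split by spaces)."""
    usage, selector, matching, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex("".join(hexparts)))


def tlsa_for_spki(spki_der: bytes) -> str:
    """Zone-file TLSA record (3 1 1) pinning a key's SubjectPublicKeyInfo."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 matching: take the selected bytes, apply the matching type,
    compare with the record data. Unknown selector/matching = unusable record."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False
    if rec.matching == 0:
        return selected == rec.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(rec.matching)
    return digest is not None and digest(selected).digest() == rec.data


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the presented cert if any usage-3 record matches it. This is the
    path that lets a self-signed cert work: no CA validation is involved."""
    return any(r.usage == DANE_EE and tlsa_matches(r, cert_der, spki_der)
               for r in records)


# Constructed sample data (not a real key): a DER SubjectPublicKeyInfo for
# Ed25519 is a fixed 12-byte prefix followed by the 32-byte public key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
ROTATED_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32, 64))
SAMPLE_CERT = b"constructed stand-in for the full certificate DER"
```

Note the rotation case: rotating the server key without first publishing the new TLSA record makes every DANE-validating client reject the site, so the DNS update has to lead the key change.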


#6

“Belt and braces” is a synonym for “belt and suspenders” and it means using a redundant precaution for safety purposes.


#7

But well, there were incidents like DigiNotar, and there was even a case where a “test” certificate for Google was made by some Symantec (aka VeriSign) employees, so there must be some way around it. And as I said, HPKP can not help if the user wasn’t there before. Also, as I said, using domain-issued certs or trust anchor assertion you can use a self-signed cert or even your own CA (well, obviously you have to be careful with that. I will try to make my own CA for now on my raspi, and all PCs that shall be able to issue something get an intermediate).


#8

IMHO, DNSSEC complements and improves security. Or rather, having DNSSEC both used widely AND implemented in the browsers (and other apps) would at least partially make CAs superfluous … in combination WITH signed certificates, it makes MITM attacks so much harder, as an attacker would have to fake both the certificate/key combination, AND the DNS chain … good luck doing that, even if you are a government …