


If DNS is the phone book of the Internet, DNSSEC is the unspoofable caller ID. DNSSEC ensures that a website's traffic is safely directed to the correct servers, so that a connection to a website is not intercepted by a man-in-the-middle.

DNSSEC secures server-to-server DNS lookups, not the client-to-server lookups that your browser generates. DNSSEC is far less valuable than its proponents would like you to believe, and it comes at a significant cost to Internet trust: its real use case, that of replacing the CAs with DNS TLD operators, has the net effect of signing Internet cryptographic trust over to the world governments that control the most important TLDs.

It's understandable that Cloudflare would jump on DNSSEC: the protocol is famously annoying to deploy and has caused major outages, including breaking the first day of HBO Now across all of Comcast. But make no mistake: DNSSEC isn't about helping you with your security issues. DNSSEC is an opportunity for a company like Cloudflare to make the case that they should manage your infrastructure, not you; the more features like DNSSEC Cloudflare can find, the more market share they'll acquire.

With key-pinning and standard TLS, we get transparency, a consequence for CAs who are subverted, and an Internet trust system that remains formally decoupled from government control. Even if 95% of users don't use browsers that reliably enforce pins, the 5% that do constitute a multi-million-node CA-forgery detection system. One, by the way, that is probably already working today (CT also has some wins here).

With DNSSEC, we get the knowledge that a .LY domain probably has TLS keys controlled by Libya, and, if we're very savvy, the knowledge that … We don't get consequences (you can't take .IO away from its owners, and Google simply isn't going to move from .COM, which is controlled by NSA), and we only get pinning's security with many more years of effort that haven't yet been sunk into DANE.

I remain impressed that people who were up in arms about the Snowden revelations, or, just yesterday, about NSA stockpiling zero-days, could casually rationalize the largest transfer of control over the Internet to governments in the whole history of the net.
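The comment's key-pinning argument rests on a concrete mechanism: a client that has noted a site's pins rejects, and reports, a certificate that chains to a trusted CA but carries none of the site's known keys. The block below is an added example written for this page, not code from the comment's author or from any browser; it models that mechanism in the style of HTTP Public Key Pinning (RFC 7469). The certificate chains are constructed samples (syntactically valid Ed25519 SubjectPublicKeyInfo structures with made-up key bytes, so it runs offline), and the report-uri host is a placeholder.

```python
"""Pin validation in the style of HTTP Public Key Pinning (RFC 7469).

Added illustration, not code from the comment above. Pins are the base64
SHA-256 of a DER-encoded SubjectPublicKeyInfo (SPKI), as RFC 7469 defines them.
The chains are constructed samples: real Ed25519 SPKI DER framing around fake
key bytes, so nothing here touches the network.
"""
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (32 key bytes follow) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def constructed_spki(label: str) -> bytes:
    """Constructed sample SPKI: real DER framing, fake (non-secret) key bytes."""
    fake_key = hashlib.sha256(b"sample key " + label.encode()).digest()  # 32 bytes
    return ED25519_SPKI_PREFIX + fake_key


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its directives."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age":
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = arg
    return policy


def note_pins(policy: dict, served_chain: list) -> list:
    """Decide whether a client should remember ("note") the pins from a header.

    RFC 7469 only lets a client note a policy that carries a positive max-age,
    a pin matching the served chain, and at least one backup pin matching
    nothing in the chain (so losing a key does not lock the site out).
    Returns the pins to note, or an empty list when the header must be ignored.
    """
    if policy["max_age"] is None or policy["max_age"] <= 0:
        return []
    chain_pins = {spki_pin(s) for s in served_chain}
    matching = [p for p in policy["pins"] if p in chain_pins]
    backups = [p for p in policy["pins"] if p not in chain_pins]
    if not matching or not backups:
        return []
    return list(policy["pins"])


def check_chain(served_chain: list, noted_pins: list) -> dict:
    """Pin validation on a later connection.

    Passes when any SPKI in the served chain hashes to a noted pin. A failure
    is what a pin-enforcing client sends to report-uri: a certificate that
    validated under the CA system yet carries none of the site's known keys,
    which is the forgery signal the comment above relies on.
    """
    served = [spki_pin(s) for s in served_chain]
    ok = any(p in noted_pins for p in served)
    return {"ok": ok, "served_pins": served, "known_pins": list(noted_pins)}


if __name__ == "__main__":
    leaf, intermediate, backup = (constructed_spki(n) for n in ("leaf", "intermediate", "backup"))
    header = (
        f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; '
        'max-age=5184000; includeSubDomains; report-uri="https://report.example/pkp"'  # placeholder host
    )
    pins = note_pins(parse_pkp_header(header), [leaf, intermediate])
    print("legitimate chain accepted:", check_chain([leaf, intermediate], pins)["ok"])
    # A chain for the same name issued by some other CA: valid to a CA-trusting
    # client, rejected and reported by a pinning one.
    forged = [constructed_spki("mis-issued leaf"), constructed_spki("other CA")]
    print("mis-issued chain detected:", not check_chain(forged, pins)["ok"])
```

The backup-pin rule in `note_pins` is the part deployments most often got wrong: without a second key that is not in the served chain, a pinning client cannot recover from key loss, which is why the comment stresses that pinning's benefits come with real operational effort. Browsers have since retired HPKP in favour of Certificate Transparency, but the detection logic a CT-enforcing client applies is the same shape: compare what the server presents against an independent record of what it is allowed to present.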
