| 1 |
On Mon, Jun 16, 2014 at 2:49 PM, Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> The benefits of DNSSEC are debatable. We're moving the centralized trust |
| 3 |
> from one group of scumbags (the CAs) to another group of scumbags (the |
| 4 |
> registrars). So the benefits to authentication are not entirely clear-cut. |
| 5 |
> |
| 6 |
> But, DNSSEC will eventually allow us to do away with the SSL racket, and |
| 7 |
> that can only improve security through the widespread adoption of |
| 8 |
> encryption. So it's a good thing either way. |
| 9 |
|
| 10 |
While I agree with your concerns about trust, I think the good thing |
| 11 |
about DNSSEC is that you don't have to trust as many people. |
| 12 |
|
| 13 |
With the current SSL racket I need to trust all the folks in my |
| 14 |
browser's CA list to not mess with my connection. Any one of them has |
| 15 |
the power to spoof any website on the planet, and have you seen how |
| 16 |
long the list is? |
| 17 |
|
| 18 |
With DNSSEC the only person who can tamper with a connection is the |
| 19 |
domain owner, registrar, and TLD owner. So, while Verisign can tamper |
| 20 |
with a .com domain, they can't mess with a .uk domain, and at least |
| 21 |
the folks who buy a .com domain know who they're getting involved |
| 22 |
with. With SSL Verisign can spoof any domain there is anywhere, since |
| 23 |
the trust relationship in SSL is not limited to some domain. |
| 24 |
|
| 25 |
I'd like to see things improved further still, but DNSSEC is a big |
| 26 |
step in the right direction. |
| 27 |
|
| 28 |
Rich |
Archives