The problem with the CA system is that it fails to resist nation-state attacks. DNSSEC not only has that problem, it has it by design. That's the point made by the post. All you've done is restate it.
I think the point is that once we have DNSSEC, we have no way around it. With the CA system there is lots of room to improve on it, without more centralisation.
The demand for change is growing and the many projects working on this show it. There is lots going on, much more than I can see going on in the DNS space. People are deploying more and more HTTPS, and browser vendors, researchers and the open source community are working on it.
Projects like Let's Encrypt and CertCA on the CA side. Certificate Transparency on the standards side. Inside the browser you have HTTPS Everywhere, SSL Observatory and things like Convergence.
Are there this many people actively innovating on DNSSEC and DANE? If they exist, I don't see them.
Also, even if they exist, once the system is centralised, it's almost impossible to move it forward. In the CA system, I, as an individual, can do more for my own security.
- I, as a user, have means to circumvent or mitigate CA issues (using Certificate Patrol as one possibility, certificate pinning as another, ...)
- There is no user work around for the DNSSEC vulnerabilities
Furthermore, I'd guess that the majority of CA attacks are nation-state attacks, so that both boil down to the same. I don't know of any criminal attacks (such as attacks on online banking) on the CAs. Conclusion: I, as a user, don't gain anything from DNSSEC.
> If the CA signature means anything, you don't need DNSSEC.
If DNSSEC is fully deployed and supported, you don't need CAs.
> If it doesn't, you've given control over the certificate to Libya.
If it (DNSSEC) isn't, you've given control over the certificate to any trusted CA in the world.
> It is easier to see the problem when you look at the real issue, which is that the NSA controls both the CA hierarchy and .COM.
Neither DNSSEC nor the CA system can prevent the NSA from doing their evil stuff.