Alaric Dailey wrote:
Heikki Toivonen wrote:
Alaric Dailey wrote:
SSL for identification is worthless without DNS being secured, and
no-one on any list wants to talk about that.
I don't understand how you can claim this. SSL *is* the solution to
insecure DNS. Could you explain?
I must have been unclear... Let me try to clarify
DNS is insecure.
Because SSL relies on DNS, SSL assertions about the identity of a
website are.... less than reliable, No matter how thorough the
identity check.
You are still unclear. SSL certs - at least EV - state both the owner
and the domain name explicitly in the cert. The browser will check the
originally intended hostname (in <a href> or manually entered in URLbar)
against the domain name in the cert (this is a critical part and the
part you may be missing). *If* all the CAs properly verify the owner -
using paper, passport, signature, state records etc. -, only the owner
can offer a EV SLL enabled website under that domain name. If DNS
changes the IP address, the server redirected to won't have the private
key to a cert of that domain name, and won't be able to meet the SSL
challenge that the browser makes.
(You *may* be thinking of DV (Domain Validation) and Class 1 SSL certs.
These are indeed insecure and make SSL a joke. They were a really bad
idea and that is one of the reasons behind EV.)
Assuming no DV/Class1 crap, SSL indeed solves the insecure DNS problem,
as Heikki stated.
Therefore even if Verisign is issuing an EV cert for themselves, you
can not be assured that the cert hasn't been stolen and the DNS altered
Well, if the cert owner lets his cert being stolen, of course it's not
secure anymore. More generally, if an attacker breaks into the owner's
server or your own computer for that matter, all hope is lost, you can
circumvent *any* verification scheme then.
As far as a fix for DNS, everyone hates hearing it, but the fix is
already out there no one wants to use it though
http://www.dnssec.com
With that said, and realizing that DNS is only one issue
Yes, and actually, SSL goes much further than DNSsec. The latter is good
to prevent DNS spoofs and is much-needed, but it does nothing to protect
the content. Even if you're properly resolving to the right IP address,
nothing stops a MITM happening at your provider etc.. The provider has
full control over where the data streams go and can alter every bit.
With SSL, your browser will notice when content bits are altered or
coming from the wrong server. With DNSSec, only the hostname -> IP
resolution is secured, but not the actual IP path to the server at all.
Again, I agree that DNSSec should have been rolled out 5 years ago. But
SSL does a lot more than DNSSec.
the green-bar that IE gives (I have already ranted about how worthless
that is, and how the hype gives a completely false impression of security)
Most people here agree on that. EV is not the same as green bar.
I would much rather have more information about the existing certs ...
At very least this gives ME the chance to decide rather than giving me
a false sense of security.
You already have that info with Tools | Page Info (in Firefox; Seamonkey
in View menu IIRC), Security tab.
It may help you, *if* you understand the meaning of Classes, but it
won't help the average user at all.
--
When responding via mail, please remove the ".news" from the email address.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
