Ben Bucksch wrote:
(You *may* be thinking of DV (Domain Validation) and Class 1 SSL certs.
These are indeed insecure and make SSL a joke. They were a really bad
idea and that is one of the reasons behind EV.)

Well, even DV certs are supposed to be only issued to the person in
control of the domain. But I agree, another DNS attack at the time of
certificate issuance can, perhaps, cause verification emails to go
astray. Practice is not great in this area.

As far as a fix for DNS, everyone hates hearing it, but the fix is
already out there; no one wants to use it, though:
http://www.dnssec.com

Oh, and I'm sure we're taking patches for DNSSEC support in Firefox.
Aren't we?

Yes, and actually, SSL goes much further than DNSSEC. The latter is good
to prevent DNS spoofs and is much-needed, but it does nothing to protect
the content.

Actually, you could protect the content by storing a certificate in a
DNS record, couldn't you?

Gerv