I haven't found the article with the 150,- $ yet, but this isn't good either:

https://www.bankinfosecurity.com/study-finds-custom-market-for-bogus-tls-certificates-a-10680

and Mozilla makes it worse:

https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/


On 16.10.18 at 16:06, Ted Lemon wrote:
Can you provide a citation for that statement? Not doubting you, 
particularly, but this is news to me, and probably to some others on this list, 
if true.

On Tue, Oct 16, 2018 at 4:01 PM Rene 'Renne' Bartsch, B.Sc. Informatics 
<ietf=40bartschnet...@dmarc.ietf.org> wrote:

    Unjust certificates can be bought for 150,- $ in the darknet, which makes 
    TLS snake oil. And you never know if the internet provider is hostile or hacked.
    So we should act in favor of end-users. If we don't have the position 
    to make DANE mandatory yet, we should at least try to encourage browser vendors
    to support DANE. Just think about all the online-banking websites without 
    DNSSEC/DANE protection.


    On 15.10.18 at 22:49, Viktor Dukhovni wrote:
     > Though I am generally an advocate for DANE, and have done much work to
     > further its adoption, this is not a realistic proposal.  DANE adoption
     > in TLS will be incremental and will not be accomplished via a mandate.
     >
     >> On Oct 15, 2018, at 4:20 PM, Rene 'Renne' Bartsch, B.Sc. Informatics 
     >> <ietf=40bartschnet...@dmarc.ietf.org> wrote:
     >>
     >> TLS is prone to Man-In-The-Middle attacks with unjustly obtained 
     >> intermediate certificates (e.g. firewall appliances).
     >> The DNSSEC KSK-rollover worked like a charm.
     >>
     >> So I suggest making DANE-TLS mandatory for TLS to prevent 
     >> Man-In-The-Middle attacks with unjustly obtained intermediate certificates.
     >
     > If you want to see more DANE deployment, work on tooling to ease
     > DNSSEC deployment, convince registries to support CDS and CDS0,
     > simplify zone signing and key rollover interfaces in nameserver
     > implementations, develop monitoring tools, ...  Get efforts to
     > improve the tools funded, ...
     >
     > There is much work to be done, before we can expect ubiquitous
     > DNSSEC support, let alone DANE.  DNSSEC deployment is concentrated
     > at domains hosted by providers who have invested in automating it.
     > To bring it to the masses, it must be something that works out of
     > the box.
     >
     > Until then it should be possible to use DNSSEC and DANE with TLS,
     > but we're quite far from being in a position to mandate their use.
     >

    _______________________________________________
    TLS mailing list
    TLS@ietf.org
    https://www.ietf.org/mailman/listinfo/tls


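As an added illustration (not part of the thread or anyone's posted code) of the check the discussion is about: a DANE-EE TLSA record (RFC 6698 usage 3, selector 1, matching type 1) pins the SHA-256 of the server's SubjectPublicKeyInfo, so a certificate mis-issued by any CA fails the match unless it carries the pinned key. The certificate/SPKI byte strings and the bank.example name are constructed stand-ins for DER-encoded data, and the caller is assumed to supply both the certificate and its SPKI bytes.

```python
# Added example: DANE-EE (TLSA 3 1 1) matching, independent of the CA chain.
# Certificate and SPKI bytes below are constructed placeholders, not real DER.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def _assoc_data(mtype: int, material: bytes) -> bytes:
    """Derive the association data for the given matching type."""
    if mtype == 0:
        return material
    if mtype == 1:
        return hashlib.sha256(material).digest()
    if mtype == 2:
        return hashlib.sha512(material).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def make_tlsa(cert_der: bytes, spki_der: bytes,
              usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the TLSA record a zone operator would publish for this key."""
    material = cert_der if selector == 0 else spki_der
    return TLSA(usage, selector, mtype, _assoc_data(mtype, material))


def tlsa_rr(name: str, port: int, proto: str, rec: TLSA) -> str:
    """Zone-file presentation of the record, e.g. _443._tcp.bank.example."""
    return (f"_{port}._{proto}.{name}. IN TLSA "
            f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}")


def dane_ee_match(cert_der: bytes, spki_der: bytes, records: list) -> bool:
    """True if the presented end-entity cert matches any DANE-EE (usage 3)
    record.  Usage 3 ignores the PKIX chain entirely, so a CA-issued but
    unauthorised certificate fails unless its key matches the pinned one."""
    for rec in records:
        if rec.usage != 3:
            continue  # usages 0-2 additionally need PKIX validation; skipped here
        material = cert_der if rec.selector == 0 else spki_der
        if _assoc_data(rec.mtype, material) == rec.data:
            return True
    return False


# Constructed sample material standing in for DER-encoded bytes.
LEGIT_CERT, LEGIT_SPKI = b"cert:bank.example:legit-key", b"spki:legit-key"
ROGUE_CERT, ROGUE_SPKI = b"cert:bank.example:rogue-key", b"spki:rogue-key"
ZONE = [make_tlsa(LEGIT_CERT, LEGIT_SPKI)]  # what bank.example publishes

if __name__ == "__main__":
    print(tlsa_rr("bank.example", 443, "tcp", ZONE[0]))
    print("legit cert passes DANE-EE:", dane_ee_match(LEGIT_CERT, LEGIT_SPKI, ZONE))
    print("rogue cert passes DANE-EE:", dane_ee_match(ROGUE_CERT, ROGUE_SPKI, ZONE))
```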
