There's a few things I believe would really help getting DANE rolled out.
As far as I know, there's really no "out of the box" validation for end users. The web browsers will have to make the validation, or failed validation, visible for people to care enough to implement it.
Although DNSSEC is becoming more and more commonplace, it still seems that in a lot of places, you'll have to throw up your own DNS-server to be able to use it. Make it simpler to implement, and you'll probably see a lot more people starting to use it.
Also, just to clarify, DANE doesn't _solve_ the CA-problem. You're now putting all your trust into it being hard to both issue a valid certificate and compromise the DNS chain.
It would solve the problem partially. Currently, every trusted CA can issue a certificate for any domain. Registries would be limited to tampering with the TLDs they control.
You wouldn't need to worry that DigiNotar or China Internet Network Information Center start issuing certs for your domain unless you're using .nl or .cn. The TLD itself would be a visible indicator of how much trust a user should offer.
I'm thinking more in the lines of stopping three-letter agencies from doing MITM. I don't know if it's actually possible to prove the integrity of the root nodes.
Depends on your threat model. If you're afraid of somebody snooping on your wifi, TLS alone is sufficient. If you're afraid of government surveillance, DANE is useless because it's relying on DNSSEC, which has a government backdoor by design.
7 comments
[ 5.2 ms ] story [ 27.8 ms ] threadAs far as I know, there's really no "out of the box" validation for end users. The web browsers will have to make the validation, or failed validation, visible for people to care enough to implement it.
Although DNSSEC is becoming more and more commonplace, it still seems that in a lot of places, you'll have to throw up your own DNS-server to be able to use it. Make it simpler to implement, and you'll probably see a lot more people starting to use it.
Also, just to clarify, DANE doesn't _solve_ the CA-problem. You're now putting all your trust into it being hard to both issue a valid certificate and compromise the DNS chain.
You wouldn't need to worry that DigiNotar or China Internet Network Information Center start issuing certs for your domain unless you're using .nl or .cn. The TLD itself would be a visible indicator of how much trust a user should offer.
I'm thinking more in the lines of stopping three-letter agencies from doing MITM. I don't know if it's actually possible to prove the integrity of the root nodes.
Here is the message: https://i.imgur.com/SnMQWU9.png
Compared to HN : https://i.imgur.com/5iphbCq.png
For a 'super secure' email, this sounds strange ? Why are they using an insecure and obsolete key exchange mechanizm ?
[0]: http://shaaaaaaaaaaaaa.com/