7 comments

[ 5.2 ms ] story [ 27.8 ms ] thread
There's a few things I believe would really help getting DANE rolled out.

As far as I know, there's really no "out of the box" validation for end users. The web browsers will have to make the validation, or failed validation, visible for people to care enough to implement it.

Although DNSSEC is becoming more and more commonplace, it still seems that in a lot of places, you'll have to throw up your own DNS-server to be able to use it. Make it simpler to implement, and you'll probably see a lot more people starting to use it.

Also, just to clarify, DANE doesn't _solve_ the CA-problem. You're now putting all your trust into it being hard to both issue a valid certificate and compromise the DNS chain.

It would solve the problem partially. Currently, every trusted CA can issue a certificate for any domain. Registries would be limited to tampering with the TLDs they control.

You wouldn't need to worry that DigiNotar or China Internet Network Information Center start issuing certs for your domain unless you're using .nl or .cn. The TLD itself would be a visible indicator of how much trust a user should offer.

Absolutely. I would be a huge improvement.

I'm thinking more in the lines of stopping three-letter agencies from doing MITM. I don't know if it's actually possible to prove the integrity of the root nodes.

I have some 'outdated' and 'obsolete crypto' warning in chrome, about their certificate. I am using Chrome 42.0.2311.135 on Windows 7.

Here is the message: https://i.imgur.com/SnMQWU9.png

Compared to HN : https://i.imgur.com/5iphbCq.png

For a 'super secure' email, this sounds strange ? Why are they using an insecure and obsolete key exchange mechanizm ?

When I test it, it looks all good. Have you visited the website before? Possibly your browser has cached an old version of their certificate.
Depends on your threat model. If you're afraid of somebody snooping on your wifi, TLS alone is sufficient. If you're afraid of government surveillance, DANE is useless because it's relying on DNSSEC, which has a government backdoor by design.