Date: Fri, 17 Oct 2014 16:41:33 -0700 From: Tim <tim-security@...tinelchicken.org> To: oss-security@...ts.openwall.com Subject: Re: attacking hsts through ntp Hi Phil, > That's called "DANE" and it uses TLSA records in DNS. It's slowly > bootstrapping into use in SMTP and server-server XMPP as an > opportunistic TLS latch, providing the correct trust anchors too. > > Various feature-request bugs against browsers have eventually gotten > closed as will-not-fix or equivalent, because verified DNSSEC is not > seen as something which is likely to be widely deployed in clients; > there's a chicken/egg problem here. > > By contrast, servers are more likely to be placed with care and > attention to DNS resolution, so someone running an SMTP or XMPP server > who wants to use DANE can fix their DNS setup, once. So it's seeing > more use there. Postfix has DANE support; Exim has it as an > experimental feature (which just means that the API might change); the > Prosody XMPP client can be set up to use DANE. > > (For clarity: the server/receiver side of any connection requires no > code changes to support DANE, although having SNI support probably > helps; the initiator which verifies the peer is the only one which needs > changes, but they're currently ugly ones). Sure, I read up on this a while ago, but wasn't sure if it was catching on. Thanks for the update. > You're ignoring the attack vectors against DNSSEC. Yes, true, but this is no different than the current situation with TLS. Why bother subverting DNSSEC in order to remove HSTS-like controls, and then downgrade from HTTPS->HTTP in order to get at the traffic, when you can just get at the TLS traffic directly by subverting that PKI? In order to address the nation-state scenario, I think we need the ability to apply multiple signatures to the same server key. If a CA in Israel and a CA in Iran both signed the same key, what are the chances of collusion? One way to achieve multiple signatures would be to leverage DNSSEC and stuff fingerprints in signed DNS records, leveraging two separate PKIs for the same TLS keys. I'd be interested to know if you know of any attempts to do this already. cheers, tim
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.