DNS-based Authentication of Named Entities

Dennis

Hello,

With all the problems around SSL certificates (Comodo hack, DigiNotar hack and now GlobalSign), is there any news or thoughts about this "DNS-based Authentication of Named Entities" in DA?

Or is this a matter for the programmers of bind (named)?

Some extra info: https://wiki.mozilla.org/Security/DNSSEC-TLS-details

(I believe there are still some issues with this sort of auth and encryption...but like to hear your thoughts)

Regards,

Dennis
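The DANE mechanism Dennis asks about pins a server certificate in a DNSSEC-signed TLSA record instead of relying on a CA. The Python below is an added example (not from this thread, DirectAdmin or BIND): it builds a DANE-EE record for a constructed stand-in certificate, parses the zone-file form, and checks a presented certificate against the published records, treating a DNS answer that was not DNSSEC-validated as a non-match.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA RDATA fields (RFC 6698). Certificate usage 3 = DANE-EE: the record
# pins the server's own end-entity certificate; the CA chain is not consulted,
# which is what DANE offers as an alternative to the CA trust model.
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT = 0   # digest covers the whole DER certificate
MATCH_SHA256 = 1         # association data is a SHA-256 digest


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data (here: SHA-256 digest)

    def presentation(self) -> str:
        # Zone-file form as published under _443._tcp.<host>, e.g. "3 0 1 <hex>"
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def parse_tlsa(rdata: str) -> TLSA:
    # Inverse of presentation(): parse "usage selector matching hexdigest".
    usage, selector, matching, hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))


def tlsa_from_cert(cert_der: bytes) -> TLSA:
    # Only selector 0 (full certificate) with SHA-256 is implemented here;
    # selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser.
    return TLSA(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA256,
                hashlib.sha256(cert_der).digest())


def dane_ee_matches(cert_der: bytes, records: list[TLSA], dnssec_secure: bool) -> bool:
    # A TLSA record only means something if the DNS answer was DNSSEC-validated;
    # an unsigned answer could have been spoofed, so it must pin nothing.
    if not dnssec_secure:
        return False
    digest = hashlib.sha256(cert_der).digest()
    return any(r.usage == USAGE_DANE_EE and r.selector == SELECTOR_FULL_CERT
               and r.matching == MATCH_SHA256 and hmac.compare_digest(r.data, digest)
               for r in records)


# Constructed stand-ins for DER certificates (real ones are ASN.1 blobs).
SERVER_CERT = b"constructed-der-bytes-for-example.test-server-cert"
ROGUE_CERT = b"constructed-der-bytes-for-a-mis-issued-cert"
PUBLISHED = [tlsa_from_cert(SERVER_CERT)]  # what the zone would carry, DNSSEC-signed
```

A certificate mis-issued by any CA, like the ones in the incidents above, fails the DANE-EE check because its digest is not the one the domain owner published.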
 
While DNS is quickly moving towards being able to certify that you've reached the correct IP#, there's no way to encrypt traffic between the visitor and the site using DNS. And there's no guarantee that DNSSEC won't eventually be hacked either.

I spoke to the CEO of Comodo while at the HostingCon conference and he verified for me my original assumption, that the Comodo Certificate was issued not because of any break-in to any Comodo server, but rather because of a method Comodo used to use to approve Certificates issued to webhosting companies, allowing the webhosting companies to Certify the domain owner themselves. In fact, that was the reason for the outcry against them as a CA; not because they might have been hacked, but because their certification method was perceived as insecure. In fact, Comodo no longer allows that kind of Certification.

I don't know anything about the DigiNotar hack.

I'm a direct partner of GlobalSign and I spoke to my representative there this morning. He directed me to the posts of the gent who says he's the hacker: http://pastebin.com/u/ComodoHacker

His posts don't really appear to have much substance.

My representative at GlobalSign told me that GlobalSign is searching their systems for any signs of break-ins, but as of the time he spoke to me, approximately 13:00 (-0700), they hadn't found any evidence at all of a break-in, and the ComodoHacker posts offer no proof.

I'm sure DNSSEC will eventually be a part of the security we all offer, but only a part.

Jeff
 
Hi Jeff,

Thank you for all the (inside) info :)

The Dutch news media can spread a lot of fear and they are yelling a lot. If they hear the word "hack", every alarm bell is ringing here, because nobody in the media really understands the issues.

DigiNotar is a Dutch company which, like Comodo and GlobalSign, also "makes" certificates valid. But that company has been declared "untrusted" because of poor networking and company policy. The whole government here has certificates through DigiNotar. The worst part of it all is that they were hacked in 2007 and never said a word....

Anyway, thank you for the update. I have seen the post of the "hacker" and I also think it doesn't have much substance.

Still, we wait to see what will happen; at least they are thinking the whole SSL part over again.
 