From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Sun, 24 Jan 2010 09:57:44 -0500
To: 9fans@9fans.net
Message-ID:
In-Reply-To:
References: <4B57048D.6040002@maht0x0r.net> <4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com> <8094c7f53bad7b2e0bed09ec4bfd41dc@ladd.quanstro.net> <40f353c957e2ac20128c149f8bb178aa@ladd.quanstro.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Are we ready for DNSSEC ?
Topicbox-Message-UUID: c5d916a8-ead5-11e9-9d60-3106f5b1d025

On Sun Jan 24 08:21:50 EST 2010, 23hiro@googlemail.com wrote:
> so you need to have a more "secure" dns because you don't trust your ssl?
> do you feel dnssec provides the same or worse security? why?

the simple answer to your question is yes. the renegotiation bug in ssl
requires you to start talking to the wrong server. (this attack wouldn't
be necessary if your attacker is behind the ssl termination pts.) a
similar attack could work against imperfect certificate checking. since
the easiest way to get someone to the wrong place is to give them the
wrong address, i think a more secure dns helps.

as to fixing the renegotiation bug by turning it off: do you feel
confident that you know how to do this (is it possible) with every bit
of ssl-capable equipment you own? i don't. i also don't think it's the
only attack that can be facilitated by first owning dns.

more food for thought. the ca chains just aren't that well-verified. it
was easy enough to get a bogus microsoft certificate a few years back.
if you can own dns, and get a bogus bigco.com cert, you're in business.

- erik