Linked by Thom Holwerda on Mon 5th Sep 2011 22:26 UTC
Privacy, Security, Encryption

So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisations within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
Permalink for comment 488754
Alfman
Member since:
2011-01-28

Lennie,

Wow thank you for the informative posts. Yes I am aware upgrades would be necessary and that DANE is one of the proposals.

I don't actually think it's that complicated, but then again I study this stuff closely.

"Many home users have a DSL-router that is not capable of handling DNSSEC. Operating systems like Windows XP do not support it."

Really? That'd be a surprise to me since DNSSEC is just the existence of more records on top of DNS. If DNSSEC doesn't work across a router, it implies that the router isn't truly compliant with the DNS protocol. Not to say it's untrue, but why would a manufacturer go out of their way to break their DNS stack like this?


"Also some people think DNSSEC is too much like a one-CA-system. For example if something breaks everyone will have problems:"

Well, the main difference would be that the root keys would not be vouching for people's identity, only vouching for the accuracy of the DNS database, which we already implicitly rely on for the web to work anyways.

From my understanding of DNSSEC, Verisign has zone-signing keys for the .com domain (with a relatively brief lifetime), but someone else can hold the key-signing keys - so it would require attacks to be successful on two fronts (in other words a completely broken DNSSEC would still be no worse than today's DNS).

Personally I would have three independent DNSSEC key signing organizations with three master KSKs - and require that at least two of them agree in order for "Verisign's" ZSK to be valid. Cryptographic redundancy schemes like this are very secure in practice.


Edit: In case it wasn't clear, the intention of the 3 keys is that the corruption of one entity (say by the US government) is insufficient to corrupt the whole system.

We could make DNSSEC KSKs arbitrarily redundant: 7 KSKs worldwide, and require that 4 of them agree on ZSKs in order to be valid.

Edited 2011-09-07 17:09 UTC

Score: 2
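The "k of n KSKs must agree on a ZSK" rule proposed in the comment above, as an added example that is not part of the original comment or of any DNSSEC implementation. The names `Endorsement`, `QuorumValid` and `demoKey`, the holder labels and the sample keys are hypothetical; Ed25519 is used only as a convenient signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Endorsement is one KSK holder's signature over a candidate ZSK.
type Endorsement struct {
	Signer string
	Sig    []byte
}

// demoKey derives a reproducible key from a label (constructed sample keys only).
func demoKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// QuorumValid reports whether at least k distinct trusted KSKs signed zsk.
func QuorumValid(trusted map[string]ed25519.PublicKey, zsk []byte, ends []Endorsement, k int) bool {
	seen := map[string]bool{}
	for _, e := range ends {
		pub, ok := trusted[e.Signer]
		if !ok || seen[e.Signer] { // unknown holder, or already counted
			continue
		}
		if ed25519.Verify(pub, zsk, e.Sig) {
			seen[e.Signer] = true
		}
	}
	return len(seen) >= k
}

func main() {
	names := []string{"ksk-a", "ksk-b", "ksk-c"}
	priv := map[string]ed25519.PrivateKey{}
	trusted := map[string]ed25519.PublicKey{}
	for _, n := range names {
		priv[n] = demoKey(n)
		trusted[n] = priv[n].Public().(ed25519.PublicKey)
	}
	zsk, rogue := []byte("zsk for .com (constructed)"), []byte("rogue zsk (constructed)")
	sign := func(n string, m []byte) Endorsement { return Endorsement{n, ed25519.Sign(priv[n], m)} }
	fmt.Println(QuorumValid(trusted, zsk, []Endorsement{sign("ksk-a", zsk), sign("ksk-b", zsk)}, 2))
	// A single holder signing a different ZSK twice is still counted once.
	fmt.Println(QuorumValid(trusted, rogue, []Endorsement{sign("ksk-a", rogue), sign("ksk-a", rogue)}, 2))
}
```

Counting distinct holders rather than signatures is what keeps one corrupted key from satisfying the quorum on its own.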