Can We Fix SSL Certification?

← Back to Stories (view on slashdot.org)

Can We Fix SSL Certification?

Posted by Unknown on Tuesday August 16, 2011 @07:03AM from the security-through-insecurity dept.

Em Adespoton writes "At DEFCON this year, Moxie Marlinspike gave an excellent presentation showing how broken the current SSL certification model is and proposing a replacement. Naked Security adds to the issue, asking: does it even matter if you can trust your certificate notaries?"

5 of 249 comments (clear)

Min score:

Reason:

Sort:

Distribute Certificates via DNS (using DNSSEC)? by SmilingBoy · 2011-08-16 07:18 · Score: 4, Insightful

Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?
1. Re:Distribute Certificates via DNS (using DNSSEC)? by vlm · 2011-08-16 07:24 · Score: 4, Insightful
  
  Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?
  That DNSSEC is even worse of a single point of failure than SSL. Same type/class of problem, just worse.
  If you thought the SSL providers were shady, you'll think them heroic princes of justice once you start dealing with DNS registrars.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
2. Re:Distribute Certificates via DNS (using DNSSEC)? by AceJohnny · 2011-08-16 07:53 · Score: 3, Informative
  
  Moxie Marlinspike, the author of Convergence mentioned in TFA, addressed that very problem in a post. Long story short: a DNSSEC system would worsen the rigidity and centralization of the current CA system.
  
  --
  Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
Re:No by amorsen · 2011-08-16 08:32 · Score: 3, Insightful

You can only trust what you can see with your own eyes; trust does not inherit, plain and simple. Any system that relies on inherited trust is broken before it starts.
Our whole society is reliant on inherited trust. Feel free to try to escape from it.

--
Finally! A year of moderation! Ready for 2019?
RFC 4398 by tepples · 2011-08-16 09:11 · Score: 3, Informative

The DNSSEC layer only verifies no one has altered the port 53 packets. [...] SSL layer encrypts the whole data stream.
Then use them together. Have each domain owner run his own CA and use an RFC 4398 resource record to put the certificate for that in DNS. If a TLS connection's certificate chain ends up at an untrusted certificate, the browser would fetch a CERT RR for the domain and treat the result as a domain-validated intermediate CA certificate signed by the DNSSEC root.