Comment on Second set of eyes - DNS Nameservers
possiblylinux127@lemmy.zip 3 days ago
What is the security benefit of DNSSEC?
It made more sense when everything was http; now that https is the norm it is less useful as far as I can tell.
dihutenosa@piefed.social 3 days ago
How could a hijacked DNS entry harm you?
- redirect to ads/spam
- downgrade to HTTP (no HSTS), then steal creds
- MitM the TOFU of SSH
- probably something more...
You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too; look up DANE.
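As an added illustration of the "distribute SSH fingerprints via DNS" point (this is not code from the thread or from any project mentioned in it): the check below matches an OpenSSH host-key line against SSHFP records, which is what `ssh -o VerifyHostKeyDNS=yes` does instead of trusting on first use. The host key and the published records are constructed inline so it runs offline; the `dnssec_validated` flag stands in for the resolver's AD bit, because an SSHFP answer that did not validate is worth nothing, which is exactly why DNSSEC is the prerequisite here.

```python
"""Match an SSH host key against SSHFP records (RFC 4255).

Added example for the thread above, not code from any of the posters.
The key and records are constructed here so the script runs offline; in
practice the SSHFP RRset comes from a DNSSEC-validating resolver and is
only trusted when validation succeeded.
"""
import base64
import hashlib
import hmac
import struct

# IANA SSHFP "algorithm" numbers, keyed by OpenSSH key-type string.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256 (hash is over the raw key blob).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line ('<type> <base64> [comment]') into (type, blob)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The wire-format blob begins with a length-prefixed copy of the key type;
    # check it so a mislabelled line cannot be matched under the wrong algorithm.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type in line does not match key blob")
    return key_type, blob


def sshfp_rdata(line, fptype=2):
    """Return the SSHFP RDATA (algorithm, fptype, hex fingerprint) a zone owner would publish."""
    key_type, blob = parse_pubkey_line(line)
    digest = SSHFP_HASH[fptype](blob).hexdigest()
    return (SSHFP_ALGORITHM[key_type], fptype, digest)


def verify_host_key(line, records, dnssec_validated):
    """True if the presented key matches at least one SSHFP record.

    records: iterable of (algorithm, fptype, hex) as they appear in DNS.
    dnssec_validated: whether the resolver reported the RRset as validated;
    an unvalidated answer is ignored, since a spoofable record proves nothing.
    """
    if not dnssec_validated:
        return False
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM.get(key_type)
    for rec_alg, rec_fptype, rec_hex in records:
        if rec_alg != alg or rec_fptype not in SSHFP_HASH:
            continue  # record is for another key type or an unknown hash
        digest = SSHFP_HASH[rec_fptype](blob).hexdigest()
        if hmac.compare_digest(digest, rec_hex.lower()):
            return True
    return False


def constructed_ed25519_line(fill_byte):
    """Build a syntactically valid ssh-ed25519 key line from a filler byte (constructed, not a real host)."""
    raw = bytes([fill_byte]) * 32
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", 32) + raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"


# Constructed sample: the host's real key, and the records its zone would carry.
HOST_KEY_LINE = constructed_ed25519_line(0x42)
PUBLISHED_RECORDS = [sshfp_rdata(HOST_KEY_LINE, 1), sshfp_rdata(HOST_KEY_LINE, 2)]

if __name__ == "__main__":
    for alg, fptype, fp in PUBLISHED_RECORDS:
        print(f"example-host. IN SSHFP {alg} {fptype} {fp}")
    print("genuine key, validated:", verify_host_key(HOST_KEY_LINE, PUBLISHED_RECORDS, True))
    print("genuine key, unvalidated:", verify_host_key(HOST_KEY_LINE, PUBLISHED_RECORDS, False))
    print("substituted key:", verify_host_key(constructed_ed25519_line(0x43), PUBLISHED_RECORDS, True))
```

The same pattern carries over to DANE: a TLSA record (RFC 6698) fixes a hash over the server certificate or its public key, and the client only honours it when the DNS answer validated, so the comparison logic is identical and the trust root is the signed zone rather than a CA.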
possiblylinux127@lemmy.zip 3 days ago
You can’t easily man-in-the-middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don’t take this the wrong way but this feels like a dated way of thinking. I think in the future it will be way less of a problem since http is on its death bed.
dihutenosa@piefed.social 2 days ago
I'm not sure if I agree.
Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users' PCs.
As for SSH - you missed the "TOFU" bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub don't even mention it.
I partially agree - encryption appears to be a solved problem today. Key distribution, however, is not; it's layers upon layers of half-solutions of wishful thinking, glued together with hope.
Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.