Comment on Second set of eyes - DNS Nameservers
possiblylinux127@lemmy.zip 3 days ago
You can't easily man in the middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don't take this the wrong way but this feels like a dated way of thinking. I think in the future it will be way less of a problem since http is on its death bed.
dihutenosa@piefed.social 2 days ago
I'm not sure if I agree.
Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users' PCs.
As for SSH - you missed the "TOFU" bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub don't even mention it.
I partially agree - encryption appears to be a solved problem today. Key distribution, however, is not; it's layers upon layers of half-solutions and wishful thinking, glued together with hope.
Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.
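What "verifying the host key before connecting" looks like in practice, as an added example that is not part of either comment above: OpenSSH's SHA256 fingerprint is the base64 of sha256 over the public key blob (the same value `ssh-keygen -lf` prints), so a fingerprint obtained out of band can be checked against a `known_hosts` or `ssh-keyscan` line instead of trusting whatever the first connection presents. The host name `example.internal` and the key bytes are constructed for the example; they are not any real server's key.

```python
"""Check an SSH host key against a fingerprint obtained out of band,
instead of accepting it on first use (TOFU).  Example code, stdlib only."""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public key blob as it appears base64-encoded in known_hosts:
    string "ssh-ed25519" || string <32 raw key bytes>."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64(sha256(blob))."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line: str):
    """Parse 'host keytype base64 [comment]' as written by ssh-keyscan or
    stored in known_hosts.  Returns (host, keytype, blob)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not a host key line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64)
    # The key type is repeated inside the blob; a mismatch means the line
    # was tampered with or mis-pasted, so refuse rather than guess.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return host, keytype, blob


def verify_host_key(line: str, expected: dict) -> bool:
    """True only if the key on the line matches the fingerprint we were
    given out of band for that (host, keytype).  Unknown hosts fail closed."""
    host, keytype, blob = parse_key_line(line)
    return expected.get((host, keytype)) == fingerprint_sha256(blob)


# Constructed sample data (not real keys): the server's genuine key and a
# different key an interceptor would present on a first connection.
GENUINE_KEY = bytes(range(32))
MITM_KEY = bytes(range(1, 33))


def sample_lines():
    enc = lambda blob: base64.b64encode(blob).decode()
    genuine = f"example.internal ssh-ed25519 {enc(make_ed25519_blob(GENUINE_KEY))}"
    mitm = f"example.internal ssh-ed25519 {enc(make_ed25519_blob(MITM_KEY))}"
    return genuine, mitm


def demo():
    """Returns (genuine_ok, mitm_ok) for the two sample lines."""
    # In practice this dict is filled from the provider's published
    # fingerprints or a console you reached over a channel you already trust.
    expected = {
        ("example.internal", "ssh-ed25519"):
            fingerprint_sha256(make_ed25519_blob(GENUINE_KEY)),
    }
    genuine, mitm = sample_lines()
    return verify_host_key(genuine, expected), verify_host_key(mitm, expected)


if __name__ == "__main__":
    print(demo())
```

The point of the check is the `expected` dict: the fingerprint has to come from somewhere other than the connection being verified, otherwise the comparison is just TOFU with extra steps. Once the key is confirmed, the same line can be appended to `known_hosts` and `StrictHostKeyChecking yes` set so later changes are rejected rather than prompted for.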