Comment on EU Article 45 requires that browsers trust certificate authorities appointed by governments
Slotos@feddit.nl 1 year ago
I described a route to spoof DNS root authority that Russia and China can use already. Single root is not an advantage, it’s merely a different kind of implementation with different attack vectors.
When it comes to security, it is better to have multiple different implementations coalesce at a point of service delivery, than have a single source of truth. If everything is delivered via DNS, there’s your tasty target for a capable adversary. If there are multiple verification mechanisms, it’s easier to tailor an attack for a specific target.
I want cryptographic infrastructure I rely on to be the last resort for anyone capable of dealing with it.
uis@lemmy.world 1 year ago
This is not what they are doing. They cannot spoof the root authority because they don’t have the private keys. They send unsigned replies, which clients with DNSSEC will reject and clients without it will show as a blocked banner.
As I said, this news again brought up the problem of CAs capable of signing any certificate in any domain. You need only one of 142 private keys to spoof any certificate. And as I already said, CAs already need to trust DNS. So right now we are in a position where we should trust that DNS and all 142 CAs aren’t lying. If any of those 143 entities lie, all that (in)security breaks.