This is why you don’t let your domain registration lapse. It’s not the only way computers on the internet verify each other’s identity, but a hell of a lot of internet security features are based around domain names, so keeping yours functioning is a very big deal.
Comment on Welp that answers a lot of why all .ml are down
db2@lemmy.one 1 year ago
This brings a disturbing thought to mind… if an instance domain name like foo.bar lapses and someone else snaps the domain up (or of it gets stolen) can the new controller plop Lemmy on a server and be instantly federated? If so what kind of damage could they do?
lolcatnip@reddthat.com 1 year ago
baascus@lemmy.world 1 year ago
Domain registration ≠ internet security. Root of trust is in cryptographic keys, not domains. DNS is not the security cornerstone you make it out to be. PKI says hi!
lolcatnip@reddthat.com 1 year ago
Email is tied to domains. TLS is tied to domains. CORS is tied to domains. OAuth is tied to domains. Those are just four things I can think of while half asleep. Here’s one recent example of how screwing up a domain name is enough by itself to cause a security breach.
Cryptography is not security any more than domain names are; both are facets of how security is implemented but there’s no one system that makes the Internet secure.
mle86@feddit.de 1 year ago
Yes, but it is very quick and cheap to get a domain validated cert from a CA that is generally trusted by most web browsers, so once the bad actor has the domain, the should be able to trick most users, only maybe certificate pinning might help, but that is not widely used.
hemmes@lemmy.world 1 year ago
ICANN has an Expired Registration Recovery Policy (ERRP) that requires your registrar to give your domain a 30-day grace period before deleting the records. ERRP also requires them to shutdown your DNS resolutions 8 days before deletion.
You’d have to be really mismanaging your domain if you miss all the required email reminders and don’t notice your domain has been non functional for a couple of days.
Wander@yiffit.net 1 year ago
No, the signatures wouldn’t match.
Saik0Shinigami@lemmy.saik0.com 1 year ago
That’s an assumption that lemmy will quit federating with a server that does not match.
And what signature are we talking about anyway? Is not certificates…
Wander@yiffit.net 1 year ago
Activitypub signatures that each user and group sends out their messages with.
priapus@sh.itjust.works 1 year ago
It’s not an assumption, it’s how activitypub works.