This is a pretty big deal, not so much that a few cryptocurrency users got robbed, but as a reminder that HTTPS doesn't defend against sustained global DNS hijacks https://twitter.com/GossiTheDog/status/988816808563093504?s=19 …
BGP obviously needs to be deprecated in favor of an authenticated (via PKI) version of it.
-
This also shows some of the importance of DNSSEC. I don't think you could get a false cert with DNSSEC. (unless some CAs don't check that) Shame end user DNSSEC adoption is minuscule.
-
DNSSEC solves some (but not all) of these problems with the trade-off of introducing lots of new problems and making other weaknesses much worse. (see also: https://sockpuppet.org/blog/2015/01/15/against-dnssec/ …)
-
I'm not sure that's a good source: it starts off with "DNSSEC doesn't solve any problems because it doesn't solve the following problems" and then goes on to "DNSSEC does the following thing that it doesn't"
-
The actual problems pointed out in there are valid, but some of its critiques are more or less irrelevant (really, bringing up DANE as a criticism of DNSSEC?)
-
Relevant issues I see from there: weak crypto, hard to adopt, offers significant footguns. Irrelevant: the rest of that article.