Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.
Requirement is a strong word. CAs implemented it incorrectly and browsers wouldn't enforce.
-
Root store programs could (by policy). Misbehaving CAs would get warned and eventually kicked out.
@mozilla could definitely do it.
-
I was the person who argued on m.d.s.p. that Mozilla should enforce. They didn't.
-
A study of CAs from late last year tested 7 DV issuing CAs for CAA policy adherence. 0/7 issued for signed zones with wrong signature. 3/7 issued for signed zones with a full timeout on CAA query. As I understand it, those bugs were later fixed. https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/CAA%7Csort:date/mozilla.dev.security.policy/wbIAs--fslA/5QL8GvnPAAAJ …
-
I'm skeptical given the outcome of an earlier m.d.s.p. thread but I guess I'll need to test again to be sure.
-
As for browser enforcement, that would be inappropriate in CAA anyway. CAA was always specified as being relevant at time-of-issuance only, not that the records would or should continue to conform to the issued set of still valid certs.
-
Obviously, I meant policy enforcement, not technical.