Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.
For people suggesting that @letsencrypt would issue a cert. No. Their resolver is DNSSEC-validating, resolution would fail and Let's Encrypt would deny certificate issuance.
And what about the other 100+ organizations capable of issuing publicly-trusted certificates? There is no requirement to validate DNSSEC when doing domain validation.
I believe there's a requirement to consider DNSSEC in the checking of the CAA records (including for non-existence of any CAA record of relevance) in the presence of the DS anchors. SERVFAIL return on CAA record query blocks further validation.
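The CAA check described in the reply above, written out as an added example (not code from the thread or from any CA): a model of the RFC 6844 / RFC 8659 "relevant RRset" walk from the requested name toward the root, where a SERVFAIL from a DNSSEC-validating resolver is treated as "policy cannot be determined" and blocks issuance. The resolver is a constructed in-memory stub with hypothetical domain names so the example runs offline.

```python
"""Model of how a CA's domain-validation step consults CAA records.

Constructed stub resolver: answers are embedded inline (hypothetical
zones) so the example runs offline. A DNSSEC-validating resolver returns
SERVFAIL when a signed zone fails validation (e.g. forged records after a
hijack), so the CAA lookup treats SERVFAIL as "policy unknown" and the CA
refuses to issue rather than assuming permission.
"""
from dataclasses import dataclass, field

CRITICAL = 128  # CAA "issuer critical" flag bit (RFC 8659)


@dataclass
class Answer:
    rcode: str                              # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    caa: list = field(default_factory=list)  # list of (flags, tag, value) tuples


# Constructed zone data (hypothetical names, not real DNS).
STUB_ZONE = {
    "www.example.com.": Answer("NOERROR", []),
    "example.com.": Answer("NOERROR", [(0, "issue", "letsencrypt.org")]),
    "com.": Answer("NOERROR", []),
    # Zone whose DNSSEC validation failed: a validating resolver answers SERVFAIL,
    # so the forged "issue" record at the parent is never even consulted.
    "www.hijacked.example.": Answer("SERVFAIL"),
    "hijacked.example.": Answer("NOERROR", [(0, "issue", "attacker-ca.example")]),
    "example.": Answer("NOERROR", []),
    "nocaa.example.": Answer("NXDOMAIN"),
    ".": Answer("NOERROR", []),
}


def query_caa(name):
    """Stub for a CAA query through a DNSSEC-validating resolver."""
    return STUB_ZONE.get(name, Answer("NOERROR", []))


def relevant_caa_set(fqdn):
    """Return the first non-empty CAA RRset found walking from fqdn toward the root.

    NXDOMAIN or an empty answer simply means "no policy at this label, keep
    climbing". SERVFAIL raises, because the policy could not be determined.
    """
    labels = fqdn.rstrip(".").split(".")
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
    for name in candidates:
        ans = query_caa(name)
        if ans.rcode == "SERVFAIL":
            raise LookupError(f"CAA lookup for {name} returned SERVFAIL; policy unresolved")
        if ans.caa:
            return ans.caa
    return []


def may_issue(fqdn, ca_identifier):
    """Decide whether the CA identified by ca_identifier may issue for fqdn."""
    try:
        rrset = relevant_caa_set(fqdn)
    except LookupError:
        return False  # validation failure: deny, do not fall back to "no CAA found"
    if not rrset:
        return True   # no CAA record anywhere in the chain: any CA may issue
    # An unrecognised tag marked critical must block issuance.
    if any(flags & CRITICAL and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue_domains = [value.split(";")[0].strip()
                     for _, tag, value in rrset if tag == "issue"]
    if not issue_domains:
        return True   # only iodef/issuewild present: no restriction on non-wildcard issuance
    return ca_identifier in issue_domains  # "" (value ";") matches nobody


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "other-ca.example"),
                     ("www.hijacked.example", "attacker-ca.example"),
                     ("nocaa.example", "any-ca.example")]:
        print(f"{name:24} {ca:22} issue allowed: {may_issue(name, ca)}")
```

The detail worth noticing is the `except LookupError` branch: a CA that treated SERVFAIL the same as "no CAA record found" would issue for the hijacked name, which is exactly the gap the thread is arguing about.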
Requirement is a strong word. CAs implemented it incorrectly and browsers wouldn't enforce.
Root store programs could (by policy). Misbehaving CAs would get warned and eventually kicked out.
@mozilla could definitely do it.
I was the person who argued on m.d.s.p. that Mozilla should enforce. They didn't.