Today's attack on @myetherwallet (via BGP hijack of AWS name servers) proves beyond doubt that everyone should implement DNSSEC and HSTS asap!
DNSSEC = resolvers would deny fake records
HSTS = browsers would prevent users burning themselves from self-signed certs.
For people suggesting that @letsencrypt would issue a cert: no. Their resolver is DNSSEC-validating; resolution would fail and Let's Encrypt would deny certificate issuance.
And what about the other 100+ organizations capable of issuing publicly-trusted certificates? There is no requirement to validate DNSSEC when doing domain validation.
I believe there's a requirement to consider DNSSEC in the checking of the CAA records (including for non-existence of any CAA record of relevance) in the presence of the DS anchors. A SERVFAIL return on the CAA record query blocks further validation.
Requirement is a strong word. CAs implemented it incorrectly and browsers wouldn't enforce.
A study of CAs from late last year tested 7 DV issuing CAs for CAA policy adherence. 0/7 issued for signed zones with wrong signature. 3/7 issued for signed zones with a full timeout on CAA query. As I understand it, those bugs were later fixed. https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/CAA%7Csort:date/mozilla.dev.security.policy/wbIAs--fslA/5QL8GvnPAAAJ …
I'm skeptical given the outcome of an earlier m.d.s.p. thread but I guess I'll need to test again to be sure.
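The CAA behaviour argued over above (SERVFAIL blocking issuance, and the study's finding that some CAs issued for signed zones on a full CAA timeout) modelled as an added example; this is not code from any CA or from the linked thread. It assumes a stubbed in-memory DNS (constructed zone data) and encodes the CA/Browser Forum rule that a lookup failure may only be read as permission to issue when the zone has no DNSSEC chain to the root.

```python
from dataclasses import dataclass, field

@dataclass
class Answer:                                    # one stubbed DNS response (constructed)
    rcode: str                                   # NOERROR, NXDOMAIN, SERVFAIL or TIMEOUT
    caa: list = field(default_factory=list)      # (flags, tag, value) CAA records

def ancestors(name):
    """Yield name, then each parent up to the TLD: www.example.net, example.net, net."""
    while name:
        yield name
        name = name.partition(".")[2]

def find_caa(fqdn, dns):
    """RFC 8659 s.3: the closest ancestor with a non-empty CAA RRset is the relevant one."""
    for name in ancestors(fqdn):
        ans = dns.get(name, Answer("NXDOMAIN"))
        if ans.rcode in ("SERVFAIL", "TIMEOUT"):
            return "fail", []                    # a failed query anywhere in the chain
        if ans.rcode == "NOERROR" and ans.caa:
            return "found", ans.caa
    return "none", []

def zone_is_signed(fqdn, signed_zones):          # an ancestor zone has a validated DS chain
    return any(name in signed_zones for name in ancestors(fqdn))

def may_issue(fqdn, ca_id, dns, signed_zones, lenient=False):
    """Non-wildcard issuance decision for CA ca_id.
    lenient=True reproduces the bug from the study: a failed CAA query is read as
    'no CAA record' even for a DNSSEC-signed zone. The hardened path follows BR 3.2.2.8:
    only an unsigned zone's lookup failure may fall through to issuance."""
    status, records = find_caa(fqdn, dns)
    if status == "fail":
        return True if lenient else not zone_is_signed(fqdn, signed_zones)
    if status == "none":
        return True                              # no CAA anywhere: unrestricted
    issuers = [v.split(";")[0].strip() for _, tag, v in records if tag == "issue"]
    if not issuers:
        return True                              # CAA set without an issue property
    return ca_id in issuers                      # "issue ;" yields "" and blocks all CAs

# Constructed zones: example.net is signed and permits only ca-a.example; broken.example is
# signed but its server answers SERVFAIL (as with bad signatures); plain.example is unsigned.
DNS = {
    "www.example.net": Answer("NOERROR"),
    "example.net": Answer("NOERROR", [(0, "issue", "ca-a.example")]),
    "www.broken.example": Answer("SERVFAIL"),
    "plain.example": Answer("TIMEOUT"),
}
SIGNED = {"example.net", "broken.example"}
```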