No! An attacker can use a weak alg even if you don’t. As long as those algs are supported at all it’s not a subset problem, it’s an everything problem.
Nope. It doesn't work, that's the truth. Once again: It doesn't protect the weakest link in the chain at all, and where it tries to, it gets the crypto wrong to the point that it's not secure. It also causes outages. None of this is a matter of opinion. There aren't two sides.
You say that with conviction, but that does not make it any more true. A party that can subvert DNSSEC can subvert DV cert issuance, and can typically just seize the domain. DV certs are strictly weaker. To protect a *domain* you must rely on integrity of domain control
It doesn't make it any less true either! A local attacker on a user's network can subvert DNSSEC trivially, but they can't subvert a DV cert issuance. DV cert mis-issuance due to domain spoofing is basically unheard of, but CT logs are a great improvement that really nails it.
My comment about trade-offs may be confusing you: I wrote that DNSSEC might be ok as a harmless experiment to be ambivalent about if it didn't cause outages. I wasn't implying that it provided any useful security in a security vs availability trade-off. It doesn't.