
If my DNS can be MITM'd, and is thus insecure, it is not trustworthy.



This sort of all-or-nothing thinking isn't helpful. DNS points you to a server, TLS certificates help you trust that you've arrived at the right place. It's not perfect, but we build very trustworthy systems on this foundation.


But DNS is all-or-nothing.

If you can't trust DNS, you can't trust TLS or anything downstream of it.

Even banks are not bothering with EV certificates any more, since browsers removed the indicator (for probably-good reasons). DV certificate issuance depends on trustworthy DNS.

Internet security is "good enough" for consumers, most of the time. That's "adequately trustworthy", but it's not "very trustworthy".


Bank websites like chase.com and hsbc.com and web services like google.com, amazon.com, and amazonaws.com intentionally avoid DNSSEC. I wouldn't consider those sites less than "very trustworthy" but my point is that "adequately trustworthy" is the goal. All-or-nothing thinking isn't how we build and secure systems.


I am definitely not arguing in favor of DNSSEC.

However, I don't think it's reasonable to call DNS, as a system, "very trustworthy".

"Well-secured" by active effort, and consequently "adequately trustworthy" for consumer ecommerce, sure.

But DNS is a systemic weak link in the chain of trust, and must be treated with extra caution for "actually secure" systems.

(E.g., for TLS and where possible, the standard way to remove the trust dependency on DNS is certificate pinning. This is common practice, because DNS is systemically not trustworthy!)


Is certificate pinning common? On the web we used to have HPKP, but that's obsolete and I didn't think it was replaced. I know pinning is common in mobile apps, but I've generally heard that's more to prevent end-user tampering than any actual distrust of the CAs/DNS.

I think your "well-secured" comment is saying the same thing I am, with some disagreement about "adequate" vs "very". I don't spend any time worrying that my API calls to AWS or online banking transactions are insecure due to lack of DNSSEC, so the DNS+CA system feels "very" trustworthy to me, even outside ecommerce. The difference between "very" and "adequate" is sort of a moot point anyway: you're not getting extra points for superfluous security controls. There are lots of other things I worry about, though, because attackers are actually focusing their efforts there.


I agree that the semantics of "adequate" and "very" are moot.

As always, it ultimately depends on your threat profile, real or imagined.

Re: certificate pinning, it's common practice in the financial industry at least. It mitigates a few risks, of which I'd rate DNS compromise as more likely than a rogue CA or a persistent BGP hijack.
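
The two comments above describe certificate pinning as the way to remove a TLS client's trust dependency on DNS (and on the CA issuing DV certificates off that DNS). The following is an added illustration, not code from anyone in this thread, of what a pin check on the client side looks like in Go using only the standard library: it pins the SHA-256 of the server's SubjectPublicKeyInfo in the same base64 form HPKP used, so a renewed certificate on the same key still passes while a certificate for a different key, which is what a DNS hijack plus DV issuance or a rogue CA would yield, is refused even if its chain validates. The hostname api.example.test and the self-signed certificates are constructed for the demo; a real deployment would install the returned callback as tls.Config.VerifyPeerCertificate alongside, never instead of, normal chain validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the HPKP-style pin for a
// certificate. Pinning the key rather than the whole certificate lets the server renew
// (new serial, new validity, even a different CA) without breaking clients.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier builds a callback shaped like tls.Config.VerifyPeerCertificate. It accepts
// the handshake only if some certificate the peer presented carries a pinned key. Go runs
// this callback after ordinary chain validation, so a chain that validates but is rooted
// in the wrong key (DNS or CA compromise) is still rejected here.
func pinVerifier(pins []string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("pin check: cannot parse peer certificate: %w", err)
			}
			if allowed[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("pin check: no presented certificate matches a pinned public key")
	}
}

// selfSignedCert issues a throwaway self-signed certificate for key; it stands in for the
// certificate a server would present. Subject name and key are constructed for the demo.
func selfSignedCert(key *ecdsa.PrivateKey, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.test"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// demo exercises the three cases a pin set must handle and returns whether: the pinned
// certificate is accepted, a renewed certificate on the same key is accepted, and a
// certificate on a different key is rejected.
func demo() (pinnedOK, renewedOK, otherKeyRejected bool, err error) {
	legit, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	first, err := selfSignedCert(legit, 1)
	if err != nil {
		return
	}
	parsed, err := x509.ParseCertificate(first)
	if err != nil {
		return
	}
	verify := pinVerifier([]string{spkiPin(parsed)}) // pin captured at provisioning time
	pinnedOK = verify([][]byte{first}, nil) == nil

	renewed, err := selfSignedCert(legit, 2) // same key, fresh certificate
	if err != nil {
		return
	}
	renewedOK = verify([][]byte{renewed}, nil) == nil

	imposter, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // attacker-controlled key
	if err != nil {
		return
	}
	forged, err := selfSignedCert(imposter, 3)
	if err != nil {
		return
	}
	otherKeyRejected = verify([][]byte{forged}, nil) != nil
	return
}

func main() {
	a, b, c, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned key accepted: %v\nrenewed cert accepted: %v\nforeign key rejected: %v\n", a, b, c)
}
```

The operational cost that the later comment alludes to is visible in demo: every key rotation on the server side requires shipping a new pin set to clients (typically a current pin plus a backup pin for the next key) before the old key is retired, or clients lock themselves out.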


Certificate pinning is more or less dead. There are mobile apps that still do it, but most security engineers would say that's a mistake. WebPKI integrity is largely driven through CT now.



