In my opinion, web browser extensions are not a viable way to deploy the solution to this problem. As far as I can tell, DNSChain has no buy-in from web browser vendors. That makes it undeployable.
It is irrelevant (or not very relevant) that it would take less effort than CT for Google. What is relevant is that Google is willing to implement CT, and not willing to implement DNSChain. Yes, this has nothing to do with technical merit, but it has a lot to do with actual merit of the solution in improving the current situation.
> In my opinion, web browser extensions are not a viable way to deploy the solution to this problem. As far as I can tell, DNSChain has no buy-in from web browser vendors. That makes it undeployable.
One of the reasons why browser vendors are having a tough time actually fixing this problem is because CAs make a lot of money off of selling SSL certificates.
We're working to remove obstacles out of their way by making it easier for them to support auth systems that do not rely on today's broken system.
> What is relevant is that Google is willing to implement CT, and not willing to implement DNSChain. Yes, this has nothing to do with technical merit, but it has a lot to do with actual merit of the solution in improving the current situation.
Google hasn't made up its mind on DNSChain-type solutions.
Remember, CT wouldn't have prevented this attack. If they actually want to prevent such attacks, they have no choice but to actually fix the problem.