
No, I'm saying it doesn't serve a real purpose. I've spent 30 years doing security work professionally and one of the basic things I've come to understand is that security is at bottom an economic problem. The job of the defender is to asymmetrically raise costs for attackers. Look at how DNS zones and certificates are hijacked today. You are proposing to drastically raise defender costs in a way that doesn't significantly alter attacker costs, because they aren't in the main using the exotic attack you're fixated on.

If we really wanted to address this particular attack vector in a decisive way, we'd move away, at the CA level, from relying on the DNS protocol browsers use to look up hostnames altogether, and replace it with direct attestation from registrars, which could be made _arbitrarily_ secure without the weird gesticulations DNSSEC makes to simultaneously serve mass lookups from browsers and this CA use case.

But this isn't about real threat models. It's about a tiny minority of technologists having a parasocial relationship with an obsolete protocol.





Are you claiming that most DNS zone hijacks occur because an on-path attacker intercepts and spoofs replies to DNS queries? That's not the case.


What would be the most common method of DNS zone hijacks, Kaminsky attacks?


No, to a first approximation those attacks ~never happen. Most zones are hijacked by ATOs at registrars.


I never said "most". I said it happens and is documented.


I'm pretty satisfied with how this part of the thread represents this part of my argument.


Yeah, the same for the rest. Your fanboys are happy and the rest are just tired, because everyone who does not share your point of view has an invalid opinion.


We could live in a world where they don't exist and the vast majority of major financial institutions still wouldn't implement DNSSEC.

https://dnsinstitute.com/research/2020/banks-dnssec-202010.h...

You don't have to like, or agree with anyone. The data tells its own story.




>It’s full of rhetoric and bluster, appeals to authority and dismissal of arguments not from what he considers an authority, and when he runs out of arguments entirely, he stops responding.

Or his broken-record commentary on how Signal absolutely needs to ask people for their mobile phone numbers in order to be able to provide a functional service at all, and how doing so does not at all provide Signal with a highly valuable social network map. Exact same story as soon as the arguments are dismantled.


I hope the facts speak for themselves.



