On Wednesday, April 25, 2018 at 3:48:07 PM UTC+2, Paul Wouters wrote:
> On Wed, 25 Apr 2018, Ryan Hurst via dev-security-policy wrote:
>
> > Multiple perspectives is useful when relying on any insecure third-party
> > resource; for example DNS or Whois.
> >
> > This is different than requiring multiple validations of different types;
> > an attacker that is able to manipulate the DNS validation at the IP layer
> > is also likely going to be able to do the same for HTTP and Whois.
>
> which is why in the near future we can hopefully use RDAP over TLS (RFC
> 7481) instead of WHOIS, and of course since the near past, DNSSEC :)
>
> I'm not sure how useful it would be to have multiple network points for
> ACME testing - it will just lead to the attackers doing more than one
> BGP hijack at once. In the end, that's a numbers game with a bunch of
> race conditions. But hey, it might lead to actual BGP security getting
> deployed :)
>
> Paul

I agree moving away from WHOIS to RDAP over TLS is a good low-hanging-fruit mitigator once it is viable.

Having been responsible for a very popular/mainstream DNS server and worked on implementing/deploying DNSSEC in enterprises, I am of the opinion this is a lost cause and do not have the patience or energy to try to engage in all the reasons why this is not a viable solution.

As for multi-perspective domain control validation and the idea that an attacker who can attack one perspective can attack all perspectives, that may be true, but the larger your quorum set is, the harder that becomes.

The goal is not to make it impossible to cheat, as that is not realistic; the goal is to raise the bar so that cheating is meaningfully harder.

Ryan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
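
The quorum argument in the reply above, as an added example that is not part of either poster's message: a k-of-n decision over per-perspective validation results, plus the chance that an attacker reaches quorum. The perspective names, the token and the assumption that each perspective is hijacked independently with probability p are illustrative only; the quoted objection about simultaneous hijacks is exactly a challenge to that independence.

```python
from math import comb

def quorum_decision(observations, expected_token, quorum):
    """Decide a domain-control check from several network perspectives.

    observations maps a perspective name to the challenge token it fetched
    (None if the lookup failed). The check passes only when at least
    `quorum` perspectives saw the expected token.
    """
    agree = sorted(p for p, tok in observations.items() if tok == expected_token)
    dissent = sorted(p for p in observations if p not in agree)
    return {
        "pass": len(agree) >= quorum,
        "agree": agree,
        "dissent": dissent,
        # A split view is worth alerting on even when the check fails.
        "split_view": bool(agree) and bool(dissent),
    }

def p_attacker_meets_quorum(n, quorum, p):
    """P(at least `quorum` of n perspectives are hijacked), assuming each is
    hijacked independently with probability p (a simplifying assumption)."""
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(quorum, n + 1))

# Constructed sample: the requester's token is visible only from the one
# perspective whose route was hijacked; the others reach the real server.
TOKEN = "constructed-challenge-token"
views = {"us-east": TOKEN, "eu-west": None, "ap-south": None,
         "sa-east": None, "af-south": None}

if __name__ == "__main__":
    print(quorum_decision({"us-east": TOKEN}, TOKEN, quorum=1))  # single view passes
    print(quorum_decision(views, TOKEN, quorum=4))               # quorum rejects
    for n, k in [(1, 1), (3, 2), (5, 4)]:
        print(f"{k}-of-{n}: {p_attacker_meets_quorum(n, k, 0.2):.5f}")
```
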