Message-ID: <5268BE48.80108@wenks.ch>
Date: Thu, 24 Oct 2013 08:29:28 +0200
From: Fabian Wenk <fabian@...ks.ch>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Slightly OT: What SSL cert do you consider strongest?
Hello Alex
On 24.10.2013 08:08, Alex wrote:
> Maybe adding the key or at least hash of it to DNS would help against mitm
> attacks. Has anyone thought of it before? Google doesn't give me useful
This is exactly what the DANE entries do, as I have noted in my
post. Here is a sample output:
$ dig +short +dnssec tlsa _443._tcp.secure.wenks.ch
1 0 1 4F2F33286C934C2A46523457D10A387D133FD7C228AC27DD35D92DBC45C27BEE
TLSA 8 5 3600 20131104014828 20131005011656 38088 wenks.ch.
e4qa1YgjN/CxHycEeNBnc0xsUSeOYEOTP+qdvhJrlWZgV1RwLZ2srFl0
QpW2WbJi0Jb2UNAP0GSJY4/IVehpad/+c5dHD09kERAo6bJ2uRieqfTB
ixmxEs43nFDSDgxf5jBDYj8NIkscFpf8swRoCosXhY4URbCpuqqWdQiM
R34m1vr4cdF9Y2vJJB5PCMJ01g4yTOenRDlR/nZcJXHV25MRyYg2mW0J
LlA/X92FWVZd5jWRLmn9LmPLqCkleLIdC8XMtfav9/XSD+0qZiIw7pfh
gYJUY4k92LhTPh4rUYB8rtr2/ieIl2+erUVXyur1edWZ7VsFodJSo4C9 SUbayA==
This is the DANE entry in the DNSSEC signed zone for the HTTPS
website at the hostname secure.wenks.ch. Other variants are
possible, e.g. containing the whole certificate, which could be
useful for self-signed certificates. This will not work now, but
probably will in the future, as the browsers do not support DANE yet.
> hits. The same system is used in SSH. Even governments would have problems
> if the NS are for different TLD ...
To really be useful the zone needs to be signed with DNSSEC and
the client must also use DNSSEC when resolving. Otherwise MITM is
still possible.
bye
Fabian
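The record above reads "usage 1, selector 0 (full certificate), matching type 1 (SHA-256 of it)". The following Python is an added example, not code from the post or from any DANE library: it parses a TLSA record in presentation form and checks a DER certificate against it, including the "whole certificate" variant (matching type 0) and the SubjectPublicKeyInfo selector. The certificate is a constructed stand-in with the X.509 field layout; the usage field and DNSSEC validation of the answer are left out.

```python
import hashlib
import hmac
# TLSA record quoted in the post: usage 1, selector 0 (full cert), matching type 1 (SHA-256)
PAGE_RECORD = "1 0 1 4F2F33286C934C2A46523457D10A387D133FD7C228AC27DD35D92DBC45C27BEE"

def parse_tlsa(rdata):
    """Split presentation form 'usage selector mtype hex...' into typed fields."""
    usage, selector, mtype, *hexdata = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata))

def der_iter(buf):
    """Yield (tag, whole TLV, value) for each DER element directly inside buf."""
    i = 0
    while i < len(buf):
        start, tag, ln = i, buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                       # long-form length: (ln & 0x7F) length bytes follow
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[start:i + ln], buf[i:i + ln]
        i += ln

def spki_of(cert_der):
    """SubjectPublicKeyInfo TLV of an X.509 certificate (what selector 1 covers)."""
    _, _, body = next(der_iter(cert_der))   # Certificate SEQUENCE contents
    _, _, tbs = next(der_iter(body))        # first element: tbsCertificate
    fields = list(der_iter(tbs))
    if fields[0][0] == 0xA0:                # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]                     # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(selector, mtype, cert_der):
    """Certificate association data for this selector/matching type (RFC 6698)."""
    selected = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:                          # matching type 0: the full selected bytes
        return selected
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], selected).digest()

def tlsa_matches(rdata, cert_der):
    """True if the presented certificate matches the TLSA record (usage not checked)."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    return hmac.compare_digest(tlsa_data(selector, mtype, cert_der), data)

def der(tag, content):
    """Encode one DER TLV; only used to build the constructed sample certificate."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    return bytes([tag, 0x82]) + len(content).to_bytes(2, "big") + content
# Constructed stand-in that follows the X.509 field order; it is not a real, signed cert.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + der(0x03, b"\x00" + bytes(range(256))))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
```

A selector 1 record keeps matching when only the signature bytes of the certificate change, while a selector 0 record does not; that is the practical difference between pinning the key and pinning the certificate.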