[AusNOG] Lets Encrypt

Mark Andrews marka at isc.org
Wed Nov 19 15:42:27 EST 2014


In message <20141119032436.GU5614 at hezmatt.org>, Matt Palmer writes:
> On Wed, Nov 19, 2014 at 11:52:56AM +1100, Mark Andrews wrote:
> > 
> > In message <20141119001623.GT5614 at hezmatt.org>, Matt Palmer writes:
> > > On Wed, Nov 19, 2014 at 11:01:30AM +1100, Mark Andrews wrote:
> > > > 
> > > > In message <20141118234925.GS5614 at hezmatt.org>, Matt Palmer writes:
> > > > > On Wed, Nov 19, 2014 at 09:34:04AM +1000, Ernie wrote:
> > > > > > https://letsencrypt.org/
> > > > > > 
> > > > > > My question is, will this screw up companies like Verisign/Thawte sales?
> > > > > 
> > > > > Not much, if any.  People who want cheap/free certs already, for the most
> > > > > part, know where to get them from.  The more "premium" brands make their
> > > > > money via the brand, offering insurance (as much of a crock as it is),
> > > > > higher-validation (OV/EV) certificates, and other signalling effects that
> > > > > are unrelated to the *technical* product being offered.
> > > > > 
> > > > > That being said, Let's Encrypt is a *great* initiative, and I'm 100% behind
> > > > > it.  Making certificate issuance easier (to the point of being entirely
> > > > > automated) via the ACME protocol will massively reduce the barrier to TLS
> > > > > deployment, which can only serve to benefit the confidentiality of traffic
> > > > > on the Internet.
> > > > 
> > > > Or we could just deploy DANE and not require a CA to issue CERTs.
> > > 
> > > That'll always be the dream... given how much of a shitfight it is to get
> > > IPv6 deployed, when there's a real Oh Shit moment coming for IPv4, I have my
> > > doubts that DNSSEC is ever going to really get the widespread deployment
> > > needed to make DANE practical.  Without it being something that servers can
> > > roll out, clients won't support it (for example, the Chrome people aren't
> > > fans, for various understandable reasons), and so it goes nowhere.
> > 
> > DNSSEC is widely deployed at the root/tld level.  There are 749
> > zones with 557 secure delegations from the root zone.  569 TLD zones
> > have DNSKEY records.
> 
> That's not particularly helpful, though, since I rarely visit root/tld
> webservers, nor send them e-mail.

Actually it is extremely helpful.  That means there are 557 TLDs
in which you can put a zone and get a secure delegation.  That means
there are for the most part no barriers that individuals can't
influence in the way of deploying a TLSA record for the zone they
own.

> > Chrome is one web browser.
> 
> With over 10% market share.  The tickets for built-in DANE support in
> Firefox aren't exactly seeing a lot of love either, though.
> 
> >  There are plugins for DANE support for many browsers today.
> 
> Plugins -- not core to the browser.  So how do I avoid showing the "OMFG not
> trusted!" page to the 99%+ of users who don't have the plugin installed?

So don't start with web browsers for self signed certs.  Do it for
SMTP and STARTTLS where there isn't any real penetration of CA
CERTs.  There is no downside with doing it for SMTP.  SMTP servers
will either continue in the clear or do unverified STARTTLS (which
prevents casual snooping) if they don't support DANE.  If they do
support DANE then the M-I-M attacks no longer succeed and you no
longer have a snoopable SMTP session.

If you want to demonstrate DANE in the browser you use it to prevent
CERTs from rogue CA's being used to present a fake site.  ISC's web
site <https://www.isc.org> is secured in this way.  You get two
nice green icons if you use the plugin.  One for DNSSEC and one for
TLSA.

> > The only thing really stopping DANE deployment is nay sayers.
> 
> That's rather like saying that the only thing stopping FTL travel is the
> laws of physics.  It's a truism, and not helpful to point out.  Rather more
> useful would be to state *why* people are "saying nay" (apart from a
> predilection for talking like a horse, perhaps) so that those problems can
> be worked on.

Like the nay sayers that said the root would never be signed, or
the nay sayer that said most tld operators won't deploy, or the nay
sayers that said that nobody will verify, or the nay sayers that
said registrars won't support DNSSEC, or ...

Guess what, those nay sayers were proven wrong.  It's only a matter
of time until DANE checking is ubiquitous.  It will end up being
something on by default.

> - Matt
> 
> -- 
> [On LDAP] "Lightweight my ass.  The fact that X.509 has the weight of an
> 18-wheel rig doesn't make a minivan something you shove in your backpack."
> 		-- Zed Pobre, ASR
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
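The TLSA record a zone owner publishes for a self-signed SMTP certificate, and the check a DANE-aware client makes against it after STARTTLS, as an added example that is not part of this thread or of any ISC code. The DER byte strings here are constructed placeholders; a real record is hashed over the actual certificate or SubjectPublicKeyInfo DER, and the records must come back via a DNSSEC-validated lookup.

```python
import hashlib
import hmac

# TLSA parameter values from RFC 6698.
USAGE_DANE_EE = 3                    # trust the server's own end-entity cert, no CA involved
SELECTOR_CERT, SELECTOR_SPKI = 0, 1  # hash the full cert DER, or just its SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholders standing in for DER-encoded certificate / SPKI bytes.
SITE_CERT = b"constructed DER cert for mail.example.com"
SITE_SPKI = b"constructed SPKI for mail.example.com"
ROGUE_CERT = b"constructed DER cert issued by a rogue CA for the same name"
ROGUE_SPKI = b"constructed SPKI under the rogue CA cert"

def tlsa_assoc_data(selected_der: bytes, matching_type: int) -> bytes:
    """Certificate association data field of one TLSA record."""
    if matching_type == MATCH_FULL:
        return selected_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected_der).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")

def tlsa_record(host: str, port: int, selected_der: bytes, usage: int = USAGE_DANE_EE,
                selector: int = SELECTOR_SPKI, matching_type: int = MATCH_SHA256) -> str:
    """Zone-file line the domain owner publishes, e.g. for a self-signed SMTP cert."""
    data = tlsa_assoc_data(selected_der, matching_type).hex()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {matching_type} {data}"

def parse_tlsa_record(line: str):
    """Turn a zone-file TLSA line back into (usage, selector, matching_type, assoc_data)."""
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    return usage, selector, mtype, bytes.fromhex("".join(fields[i + 4:]))

def dane_ee_verify(cert_der: bytes, spki_der: bytes, records) -> bool:
    """What a DANE-aware SMTP client does after STARTTLS: accept the presented
    certificate only if some DANE-EE TLSA record (fetched with DNSSEC) matches it."""
    for usage, selector, mtype, assoc in records:
        if usage != USAGE_DANE_EE:
            continue  # PKIX-* and DANE-TA usages need CA chain handling, not shown here
        selected = cert_der if selector == SELECTOR_CERT else spki_der
        if hmac.compare_digest(tlsa_assoc_data(selected, mtype), assoc):
            return True
    return False  # no match: a cert from a rogue CA for the same name is rejected
```

Because the DANE-EE record pins the server's own key, a certificate for the same name issued by any CA the client happens to trust still fails the check unless its key is the published one.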