by theamk 1122 days ago
The important stuff is not just websites I host, but also websites I visit. And in all the scenarios you mention, I (and everyone else) would know that it happened very clearly, as it is basically a denial-of-service attack. Even if this is a takeover event with almost-instantaneous replacement with the phishing page, the website owner would detect this, and if the website is at least a bit popular, the news would definitely hit the HN top page :)

For example, sr.ht is hosted on a Haitian TLD but has a Let's Encrypt CA. Thanks to CT logs, I trust that the connections are secure, and when I download software from it I am getting it from the rightful place. (Or not getting it at all because the website is down. That's the nature of the web; things break.)

But with DNSSEC? No assurances at all. The owner of .ha can be coerced or bribed by $(your least favorite nation) and this may never be detected, especially if this is a targeted attack on specific addresses. And even if detected, there will _still_ be people saying, "hopefully this does not affect me, I won't move domains and risk my search traffic".

And that's the reason that DNSSEC scares me and WebPKI does not.


Web PKI CAs aren't psychic, they just use DNS. So your claim ends up being that you believe DNS answers can be tampered with by parties who control those answers (which includes the TLD registrar; this part checks out), but, somehow, every Web PKI CA would know if this happened and disregard the results.

Not only is your claim obviously not true in principle, we know it's not true in practice: disrupted DNS causes real issuances which are, let's say... suspicious. They're not mis-issuance under current policy because the Web PKI trusts the DNS, but they would trigger exactly the scenario you believe can't happen.

You're right of course, but there's progress being made to require multi-perspective verification (do DNS lookups from many different and ideally randomised locations, only issue if you get consensus). It's not perfect, but it's a great step in the right direction.
DNSSEC can be tampered with without leaving a trail of evidence. If you MitM DNS for all the outbound IPs a CA uses, the end result of that gets logged in Certificate Transparency. And since 1) sites can and do monitor CT for their domains and 2) browsers demand that the certificate has been submitted to CT, we know that e.g. google.com is not MitM'ed.
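The multi-perspective validation described two comments above, as an added illustration that is not code from this thread or from any CA: the vantage points, the observed answers and the quorum rule (the primary validator must agree, and at most one remote perspective may disagree) are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Perspective:
    """One vantage point's view of the domain-validation record."""
    name: str
    answer: Optional[str]  # TXT record observed, None if the lookup failed


def validate(expected: str, primary: Perspective, remotes: List[Perspective],
             max_remote_failures: int = 1) -> Tuple[bool, str]:
    """Return (allowed, reason).
    Issuance is allowed only if the primary vantage point sees the expected
    record and at most `max_remote_failures` remote vantage points disagree.
    The quorum rule is an assumption for this example, not any CA's policy."""
    if primary.answer != expected:
        return False, f"primary ({primary.name}) did not observe the expected record"
    disagreeing = sorted(r.name for r in remotes if r.answer != expected)
    if len(disagreeing) > max_remote_failures:
        return False, "no consensus; disagreeing perspectives: " + ", ".join(disagreeing)
    return True, "consensus reached"


# Constructed inputs (not captured from any real CA or resolver).
TOKEN = "_acme-challenge=EXAMPLE-TOKEN"          # record the requester claims to have set
GENUINE = "_acme-challenge=OWNER-REAL-TOKEN"     # what the owner's zone actually serves


def scenario_clean() -> Tuple[bool, str]:
    """Every vantage point sees the same record: issue."""
    remotes = [Perspective(n, TOKEN) for n in ("us-east", "eu-west", "ap-south")]
    return validate(TOKEN, Perspective("primary", TOKEN), remotes)


def scenario_one_remote_down() -> Tuple[bool, str]:
    """A single remote lookup failed transiently: still within quorum."""
    remotes = [Perspective("us-east", TOKEN), Perspective("eu-west", None),
               Perspective("ap-south", TOKEN)]
    return validate(TOKEN, Perspective("primary", TOKEN), remotes)


def scenario_path_mitm() -> Tuple[bool, str]:
    """DNS is tampered with only on the primary validator's network path;
    the remote perspectives all see the owner's genuine record: refuse."""
    remotes = [Perspective(n, GENUINE) for n in ("us-east", "eu-west", "ap-south")]
    return validate(TOKEN, Perspective("primary", TOKEN), remotes)


if __name__ == "__main__":
    for scenario in (scenario_clean, scenario_one_remote_down, scenario_path_mitm):
        print(scenario.__name__, *scenario())
```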