by mrbluecoat 600 days ago
> The internet was broken 25 years ago and is still broken 25 years later. Spoofed source IP addresses should not still be a problem in 2024, but the larger internet community seems completely unwilling to enforce any kind of rules or baseline security that would make the internet safer for everyone.

Same with spoofed MAC addresses, email addresses, ARP messages, Neighbor Discovery, MitM TLS certificates ... It's amazing anything works anymore :D

6 comments

The thing is, obviously, that the Internet isn't broken, it has incredible utility and reliability. If it was designed and operated to be perfect, then it would likely be massively broken quite often. It is the tolerance for mild brokenness that has contributed significantly to its robustness and utility.

That isn't an argument for not improving things though, just a warning against perfection, if you chase it then you're liable to make really big mistakes that ruin everything.

Retaining functionality even in the face of mild-to-moderate borkedness is sorta the inciting goal for even making it in the first place, way back in the cold war days. Building on top of "How do we make a communications network that can handle a bunch of nukes" sets you up for a very resilient baseline :)
Spoofed MAC addresses are pretty essential for wifi privacy though.
That depends on how you define "spoof".

You're not copying the MAC of someone else on the network.

Spoofed and Randomized are not the same thing. Spoofing implies you are deliberately copying another machine’s MAC address in order to appear as that machine to the network.
Yeah this seems more like a feature?
There is a similar problem in cell phone networks (SS7) https://youtu.be/wVyu7NB7W6Y
I'm starting to wonder if the Chinese had a point with their proposal to reform Internet protocols.
I often hear complaints about DNS. How secure is it in practice and why are there little efforts to fix it?
Not especially, but most websites are protected by TLS, so the problem that DNS is insecure is less of a problem. It's mainly a coordination problem, you have to get a lot of people on board to design a new DNS-SECure, and then everyone would also have to adopt it. Which they did (create DNSSEC, that is), but it has not seen the desired adoption. The other one is DoH, DNS over https. It's not without issue either though. So there are efforts, it's just a hairy coordination problem.
For TLS certificates, the certificate authority has to look up IPs to verify the domain. So the security is still based on DNS, right?
Security is based on a combination of:

* The integrity of registrar accounts that are the root of trust for most DNS zones (this was, last I checked, the overwhelming source of DNS corruption attacks),

* The security of one or more DNS lookups, depending (some CAs, like LetsEncrypt, do multi-perspective lookups), and

* The WebPKI Certificate Transparency system, which tracks the issuance of all certificates that Chrome and Mozilla will accept in a public ledger.

Multi-perspective issuance corroboration is required starting in March of 2025 for CAs following the CAB/F Baseline Requirements

https://cabforum.org/working-groups/server/baseline-requirem...

You can get certificates for an IP, but they're rare. How it generally works is the DNS server says Google.com is at w.x.y.z IP address, your browser talks to that, it gives you a certificate, (skipping a few cryptography steps for simplicity,) your computer checks the certificate coming from Google.com as being valid, without checking w.x.y.z, and then encrypts your connection and shows the green lock icon.

If the DNS server is bad, it'll return e.v.i.l as the IP, your browser will talk to that, but it can't give a certificate that your computer thinks is valid. So you're protected from accidentally logging in to a fake bank website, but also you can't access the correct bank website, so there's still a denial of service problem.

The certificate authority (CA) that gives out the certificates has to verify you own the domain that you're asking for the certificate for. One method is to look up the IP, but as that's problematic if they get the wrong IP, they usually check that from multiple places all over the world.
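The "check from multiple places all over the world" step described above, written out as an added example (not code from this thread or from any CA): a toy multi-perspective corroboration check. The vantage-point answers are constructed dictionaries standing in for separate recursive lookups, the domain `example.test` and the IPs are made up, and the quorum rule (at least two remote perspectives must return exactly the primary's record set) is an assumption for illustration, not the CA/B Forum's actual wording.

```python
"""Added example: multi-perspective DNS corroboration before issuance.

Each "perspective" here is a constructed dict of DNS answers; in a real
CA each would be a recursive lookup performed from a different network.
"""

# Constructed answers: every vantage point agrees on the A record.
CONSISTENT_VIEW = {
    "primary":  {"example.test": ["203.0.113.10"]},
    "remote-1": {"example.test": ["203.0.113.10"]},
    "remote-2": {"example.test": ["203.0.113.10"]},
    "remote-3": {"example.test": ["203.0.113.10"]},
}

# Constructed answers: the resolver near the CA's primary site has been
# poisoned and returns a different address (the "e.v.i.l" case above),
# while the remote perspectives still see the real record.
POISONED_VIEW = {
    "primary":  {"example.test": ["198.51.100.66"]},
    "remote-1": {"example.test": ["203.0.113.10"]},
    "remote-2": {"example.test": ["203.0.113.10"]},
    "remote-3": {"example.test": ["203.0.113.10"]},
}


def corroborate(domain, perspectives, primary="primary", min_corroborating=2):
    """Decide whether the primary lookup for `domain` is corroborated.

    Rule (an assumption for this example): issuance proceeds only if the
    primary perspective got a non-empty answer and at least
    `min_corroborating` remote perspectives returned exactly the same
    record set. Anything else is logged as a disagreement and blocks
    issuance, so a single poisoned resolver cannot by itself obtain a
    certificate.
    """
    primary_answer = frozenset(perspectives[primary].get(domain, ()))
    remote = {
        name: frozenset(answers.get(domain, ()))
        for name, answers in perspectives.items()
        if name != primary
    }
    agreeing = sorted(name for name, ans in remote.items() if ans == primary_answer)
    disagreeing = sorted(name for name in remote if name not in agreeing)
    issue = bool(primary_answer) and len(agreeing) >= min_corroborating
    return {
        "issue": issue,
        "answer": sorted(primary_answer),
        "agreeing": agreeing,
        "disagreeing": disagreeing,
    }


if __name__ == "__main__":
    for label, view in (("consistent", CONSISTENT_VIEW), ("poisoned", POISONED_VIEW)):
        print(label, corroborate("example.test", view))
```

Run as a script, the consistent view reports `issue: True` with three agreeing perspectives, while the poisoned view reports `issue: False` and lists all three remotes as disagreeing, which is exactly the signal a CA would log and refuse on rather than trusting the single local answer.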

It’s quite sad the only mail server out there which checks if you are allowed to use an email address is Exchange. With all others you can set the from: header however you like.
Who cares whether it's the MTA that does it or a collection of daemons invoked by the MTA? Just get things configured correctly, and you should be gold.

Now as far as every other mail operator setting up their stuff right such that From spoofing is no longer feasible, well... Can't help ya there. I don't run my email to make money, so the incentive to adopt pathological configs for the sake of maximizing the number of users/Domains who can send from one IP ain't there.
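What "get things configured correctly" amounts to for From: spoofing, as an added example that is not code from anyone in this thread: a DMARC-style alignment check, which is the mechanism mail operators use to tie the visible From: domain to an SPF or DKIM result. The sample messages, domains (`bank.test`, `other.test`) and DMARC record strings are constructed, and the organizational-domain reduction is a deliberate two-label simplification (real DMARC consults the Public Suffix List).

```python
"""Added example: DMARC alignment evaluation of already-computed SPF/DKIM
results. Inputs are constructed; nothing here talks to a network."""
from dataclasses import dataclass


@dataclass
class AuthResult:
    from_domain: str   # domain of the RFC 5322 From: header the user sees
    spf_result: str    # "pass", "fail" or "none" for the envelope sender
    spf_domain: str    # envelope MAIL FROM domain that SPF evaluated
    dkim_result: str   # "pass", "fail" or "none" for the best signature
    dkim_domain: str   # d= of the signature that validated ("" if none)


def organizational_domain(domain):
    """Simplified organizational domain: last two labels.

    Assumption for this example only; real DMARC uses the Public Suffix
    List, so this is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(authenticated_domain, from_domain, mode):
    """Relaxed ('r') alignment accepts any subdomain of the same
    organizational domain; strict ('s') requires an exact match."""
    a, b = authenticated_domain.lower(), from_domain.lower()
    if not a:
        return False
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def parse_dmarc_record(txt):
    """Parse the tags this example needs from a DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return {"p": tags.get("p", "none"),
            "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r")}


def dmarc_evaluate(result, p="none", adkim="r", aspf="r"):
    """Return (dmarc_result, disposition).

    DMARC passes if either SPF or DKIM passed *and* the domain it
    authenticated aligns with the From: domain. A spoofed From: with SPF
    and DKIM passing for the sender's own, unrelated domain therefore
    fails, and the receiver applies the owner's requested policy.
    """
    spf_ok = result.spf_result == "pass" and aligned(result.spf_domain, result.from_domain, aspf)
    dkim_ok = result.dkim_result == "pass" and aligned(result.dkim_domain, result.from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", p


# Constructed sample inputs.
RECORD_RELAXED = "v=DMARC1; p=reject"
RECORD_STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s"

LEGIT = AuthResult("bank.test", "pass", "bounce.bank.test", "pass", "bank.test")
SPOOFED = AuthResult("bank.test", "pass", "other.test", "pass", "other.test")
SUBDOMAIN_ONLY = AuthResult("bank.test", "pass", "bounce.bank.test", "none", "")


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN_ONLY)):
        print(name, dmarc_evaluate(msg, **parse_dmarc_record(RECORD_RELAXED)),
              dmarc_evaluate(msg, **parse_dmarc_record(RECORD_STRICT)))
```

The spoofed message shows the point of alignment: its SPF and DKIM both "pass", but for `other.test`, so a receiver that only checked raw SPF/DKIM would accept it, while the alignment check fails it and applies `p=reject`. The subdomain case shows the cost of strict mode: mail bounced through `bounce.bank.test` passes under the default relaxed policy but is quarantined under `aspf=s` unless a DKIM signature for `bank.test` itself is added.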