Hacker News new | ask | show | jobs
by fragmede 599 days ago
Not especially, but most websites are protected by TLS, so the problem that DNS is insecure is less of a problem. It's mainly a coordination problem, you have up get a lot of people on board to design a new DNS-SECure, and then everyone would also have to adopt it. Which they did (create DNSSEC, that is), but it has not seen the desired adoption. The other one is DoH, DNS over https. It's not without issue either though. So there are efforts, it's just a hairy coordination problem.
1 comments
timokoesters 599 days ago
For TLS certificates, the certificate authority has to look up IPs to verify the domain. So the security is still based on DNS, right?
link
tptacek 598 days ago
Security is based on a combination of:

* The integrity of registrar accounts that are the root of trust for most DNS zones (this was, last I checked, the overwhelming source of DNS corruption attacks),

* The security of one or more DNS lookups, depending (some CAs, like LetsEncrypt, do multi-perspective lookups), and

* The WebPKI Certificate Transparency system, which tracks the issuance of all certificates that Chrome and Mozilla will accept in a public ledger.

link
dadrian 597 days ago
Multi-perspective issuance corroboration is required starting in March of 2025 for CAs following the CAB/F Baseline Requirements

https://cabforum.org/working-groups/server/baseline-requirem...

link
fragmede 599 days ago
you can get certificates for an IP, but they're rare. How it generally works is the DNS server says Google.com is at w.x.y.z IP address, your browser talks to that, it gives you a certificate, (skipping a few cryptography steps for simplicity,) you computer checks the certificate coming from Google.com as being valid, without checking w.x.y.z, and then encrypts your connection and shows the green lock icon.

If the DNS server is bad, it'll return e.v.i.l as the IP, your browser will talk to that, but it can't give a certificate that your computer thinks is valid. so your protected from accidentally logging in to a fake bank website, but also you can't access the correct bank website, so there's still a denial of service problem.

The certificate authority (CA) that gives out the certificates has to verify you own the domain that you're asking for the certificate for. One method is to look up the IP, but as that's problematic if they get the wrong IP, they usually check that from multiple places all over the world.

link