Hacker News new | ask | show | jobs
by donpdonp 198 days ago
it seems like all this infrastructure could be replaced by a DNS TXT record with a public key that browsers could use to check the cert sent from the web server. A web server would load a self-signed cert (or whatever cert they wanted), and put the cert's public key into a DNS record for that hostname. Every visit to a website would need two lookups, one for address and one for key. It puts control back into the hands of the domain owners and eliminates the need for letsencrypt.
3 comments
akovaski 198 days ago
I'm not sure what that would solve. You would still need some central entity to sign the DNS TXT record, to ensure that the HTTPS client does not use a tampered DNS TXT record.
link
tzs 198 days ago
If someone can tamper with your DNS TXT records now they can get a certificate for your domain.
link
franga2000 198 days ago
Not tamper with the record directly, but MitM it on the way to a target.
link
ishouldbework 198 days ago
That should be prevented by dnssec no?
link
tptacek 198 days ago
Depends on who your adversary is. If it's your ISP: no, DNSSEC doesn't prevent that (in every mainstream deployment scenario, your upstream DNS recursive server is the only thing really doing DNSSEC validation).
link
crote 198 days ago
That's what DNSSEC is for.
link
franga2000 198 days ago
Yes, but that's just PKI again, which is what the OP was trying to avoid.
link
arp242 198 days ago
That's already the case with dns-01 verification, no?

Besides, if someone has access to your TXT records then chances are they can also change A records, and you've lost already.

link
ryangibb 198 days ago
E.g. DNS-Based Authentication of Named Entities? https://www.rfc-editor.org/rfc/rfc6698

There's a TLSA resource record for certificates instead of a TXT encoding.

As far as I know no major browser supports it, and adoption is hindered by DNSSEC adoption.

link
pennomi 198 days ago
Ah but then how would nations spy on people by compromising the root certificate?
link
pgporada 198 days ago
You're insinuating that the Let's Encrypt roots are compromised?

https://letsencrypt.org/repository/#isrg-legal-transparency-...

link
pennomi 198 days ago
No, but it’s a well-established fact that some CAs are run by governments, some of which are publicly trusted by browsers.
link
tptacek 198 days ago
The mainstream root stores all require Certificate Transparency now.
link