NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL
Date: Sat, 14 Aug 2010 16:08:24 -0400 From: Warren Kumari <warren@kumari.net> Subject: Re: [ NNSquad ] Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL Hey Lauren, A few of us have been working on this in the past few months. The fact that DNSSEC is finally getting traction and that the root is now signed allows us to leverage the DNSSEC trust anchor as a trust anchor for TLS. The very very high level view is that you publish a fingerprint (or the key itself) in the DNS, and validate the DNSSEC signing when it gets used. This allows the use of either CA or self-signed certs, and validates that the key received is the correct one for the site -- this also prevents the MITM hijacking attacks described in the paper you referenced We held an informal BOF at the last IETF (IETF78 in Maastricht) and a bunch of folk showed strong interest in working on this (and possibly forming a Working Group). There are a few approaches, one of which is detailed in https://datatracker.ietf.org/doc/draft-hoffman-keys-linkage-from-dns/ [0]. There are numerous other approaches from bright, well respected members of the community as well, and I'm sure we will see more proposals soon. W [0]: Full disclosure - myself and Adam Langley (also from Google) are co-authors on this. On Aug 14, 2010, at 3:28 PM, Lauren Weinstein wrote: > > Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL > > http://bit.ly/avu3sW (pdf - cloudprivacy.net) > > --Lauren-- > NNSquad Moderator