[Cryptography] Preliminary review of the other Applied Cryptography

Bear bear at sonic.net
Thu Apr 10 19:11:03 EDT 2014


On Wed, 2014-04-09 at 21:46 +0200, tpb-crypto at laposte.net wrote:

> Most of us can relate to that; the "SEC" in DNSSEC is kind of
> misleading, to put it mildly. Of "SEC", DNSSEC has nothing. People were
> expecting some form of encryption in the standard when it was first
> announced, and after such a long wait it came out still working in
> plaintext and, worse, forcing people to expose their infrastructure to
> use it. What is the SEC in that really? SECurely allowing yourself to
> be snooped and spoofed? SECure to whom?

DNSSEC correctly solved a different and much smaller set of problems. 
It would not be called SEC today; it makes no attempt to keep secrets 
of any kind from anyone.  It's merely better than what it replaced at
foiling phishers.

In the fullness of time, somebody will have to further secure DNS.
It really shouldn't be apparent to any observer what someone is looking
up nor what response they got from the nameserver.  It really shouldn't
be apparent to any observer exactly which traffic on the system needs
to be modified if they want to make an active attack.  It shouldn't be
possible for any observer to even know exactly which nameserver they
have to compromise to spoof a particular target (i.e., which DNS server
someone is likely to use for their next lookup).  Et cetera.

But it will not happen this year, nor this decade.  DNSSEC took over
20 years to develop and deploy, and is only about 90% fully deployed
today, despite being a genuine security improvement against phishers
and enjoying unambiguous political support.  A potential SDNS system
would address things that most consider much smaller problems and
would lack political support besides.  It is not likely to arrive
sooner, even if we all get out and push.

				Bear
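[Editor's note: the following is an added worked example illustrating the point above that DNSSEC authenticates but does not encrypt; it is not code from the original message or from any DNSSEC implementation. It constructs a small DNSSEC-style response in DNS wire format (one A answer plus an RRSIG covering it, with a made-up address, key tag and signature) and then parses it the way a passive on-path observer could, showing that the queried name, the returned address and the signature metadata are all readable in the clear. The packet, names and values are constructed for the example, not captured traffic.]

```python
import struct

# Constructed sample: a DNSSEC-signed answer for www.example.com (A record
# plus an RRSIG over it). Address, timestamps, key tag and signature bytes
# are made up for illustration; nothing here is a real capture.

def encode_name(name):
    """Encode a dotted name in DNS wire format (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_signed_response(qname, addr, sig):
    """Build a response with one A answer and one RRSIG covering it."""
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)  # QR, RD, RA, AD
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # qtype A, IN
    a_rdata = bytes(int(o) for o in addr.split("."))
    ptr = b"\xC0\x0C"  # compression pointer to the qname at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 3600, len(a_rdata)) + a_rdata
    # RRSIG rdata (RFC 4034 s3.1): type covered, algorithm, label count,
    # original TTL, expiration, inception, key tag, signer name, signature.
    rrsig_rdata = (struct.pack("!HBBIIIH", 1, 13, 3, 3600,
                               1400000000, 1397000000, 12345)
                   + encode_name("example.com") + sig)
    rrsig_rr = ptr + struct.pack("!HHIH", 46, 1, 3600, len(rrsig_rdata)) + rrsig_rdata
    return header + question + a_rr + rrsig_rr

def decode_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:               # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)

def parse_response(pkt):
    """Parse header, question and answer section of a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = decode_name(pkt, off)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1:                      # A
            records.append(("A", name, ".".join(str(b) for b in rdata)))
        elif rtype == 46:                   # RRSIG
            covered, alg, labels, ottl, exp, inc, keytag = struct.unpack("!HBBIIIH", rdata[:18])
            signer, soff = decode_name(rdata, 18)   # signer name is never compressed
            records.append(("RRSIG", name, {"covered": covered, "alg": alg,
                                            "keytag": keytag, "signer": signer,
                                            "siglen": len(rdata) - soff}))
    return {"id": txid, "qname": qname, "qtype": qtype, "records": records}

def observer_view(pkt):
    """What a passive on-path observer learns: the signature hides nothing."""
    r = parse_response(pkt)
    addrs = [v for t, _, v in r["records"] if t == "A"]
    signed = any(t == "RRSIG" for t, _, _ in r["records"])
    return {"query": r["qname"], "answers": addrs, "signed": signed}

if __name__ == "__main__":
    pkt = build_signed_response("www.example.com", "192.0.2.10", bytes(64))
    print(observer_view(pkt))
```

The RRSIG lets a validating resolver detect a forged answer (the phishing case Bear mentions), but the observer's view above is identical with or without it: name, address and even the signer's name and key tag are plaintext on the wire.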



