[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Shreyas Zare shreyas at technitium.com
Thu Apr 24 04:02:18 EDT 2025


On 4/24/2025 1:42 AM, Ron Garret wrote:
>> On Apr 22, 2025, at 5:32 PM, Paul Wouters <paul at nohats.ca> wrote:
>>
>> All the CAbal exists only because of browsers refusing to do DNSSEC,
> How is DNSSEC going to help mitigate a MITM attack?  If I MITM you, I don't need to spoof your DNS.  All I need to do is re-route your traffic to my server.  Without certificates, I can make my server indistinguishable from the server you are trying to talk to.

It's DNSSEC+DANE that prevents MITM attacks [1]. A web browser 
supporting DANE won't be vulnerable to the attacks you imagine at all. I 
guess most people arguing against DNSSEC do not know that DANE exists.

On the other hand, with traffic re-routing, you can get an SSL/TLS cert 
from LE if you are on-path to the web server that the domain name 
resolves to [2]. And then use that cert to do MITM on people you lured 
to use your public hot spot.


> Indeed, even *with* certificates I can make my server indistinguishable from the one you are trying to talk to, it's just that I won't be able to actually read any of the content of the exchange.  But without certificates, I can not only read the content (which is bad enough) but I can also *change* the content, which is even worse.  So if you log in to your bank while connected to my network, I can not only steal your credentials and take all your money, as long as you are connected to my network I can make it appear to you as if everything is perfectly normal.  I can even, if I'm clever and dedicated, intercept your IMAP traffic and hide or delete the emails that your real bank is sending you to verify that you are really trying to wire all your money to Panama.

DNSSEC+DANE also use certificates (even self-signed ones with DANE-EE 
mode) with TLS. It's just that the certificate is backed up with a DANE 
record which is protected by DNSSEC.


> *That* is what certificates protect against.  DNSSEC will not help you at all because as long as you are connected to my hot spot, I control the entire Internet from your point of view, not just DNS.

DNSSEC will help protect with DANE. Controlling a hot spot does not make 
it vulnerable.

It's about time web browsers add support for DANE as an alternative 
option for people who want to use it.

Regards,
*Shreyas Zare*
Technitium <https://technitium.com/>

[1] https://blog.technitium.com/2023/05/for-dnssec-and-why-dane-is-needed.html
[2] https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
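
Added example, not part of the original message and not code from any project mentioned in it: a sketch of the DANE-EE check the message refers to, following the TLSA field layout of RFC 6698. The function names, the `dnssec_validated` flag (assumed to come from a validating resolver) and the placeholder byte strings standing in for DER data are assumptions made for illustration.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata: 'usage selector mtype hex...'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    data = bytes.fromhex("".join(parts[3:]))  # hex may be split into groups
    if mtype in HASHES and len(data) != HASHES[mtype]().digest_size:
        raise ValueError("digest length does not fit the matching type")
    return usage, selector, mtype, data

def dane_ee_match(rdata, cert_der, spki_der, dnssec_validated):
    """True only if a DNSSEC-validated DANE-EE (usage 3) record pins this cert."""
    if not dnssec_validated:   # an unsigned or bogus answer proves nothing
        return False
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3:             # other usages need chain building, not shown here
        return False
    selected = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    presented = HASHES[mtype](selected).digest() if mtype in HASHES else selected
    return hmac.compare_digest(presented, data)

# Constructed placeholders standing in for DER-encoded certificates and keys.
SERVER_CERT, SERVER_SPKI = b"constructed-server-cert", b"constructed-server-spki"
OTHER_CERT, OTHER_SPKI = b"constructed-other-cert", b"constructed-other-spki"
# What the zone owner would publish at _443._tcp.<name>: "3 1 1 <sha256 of SPKI>"
RECORD = "3 1 1 " + hashlib.sha256(SERVER_SPKI).hexdigest()

def demo():
    return {
        "pinned key, validated record": dane_ee_match(RECORD, SERVER_CERT, SERVER_SPKI, True),
        "different key, validated record": dane_ee_match(RECORD, OTHER_CERT, OTHER_SPKI, True),
        "pinned key, unvalidated record": dane_ee_match(RECORD, SERVER_CERT, SERVER_SPKI, False),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

A real client would take the certificate and SubjectPublicKeyInfo bytes from the TLS handshake and the validation status from its resolver; only the matching logic is shown here.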