:: Re: [DNG] Web browser needed
Author: Adam Borowski
Date:  
To: dng
Subject: Re: [DNG] Web browser needed
On Sun, Jul 15, 2018 at 08:14:20AM +1000, Ralph Ronnquist wrote:
> Since the HTTPS certification principle is based on domain names, it's hard
> to understand in general how routers would be able to hold such certificates
> (installed by vendors), and if they could, what value that would have in
> terms of security.


The only problem here is renewal of those certs -- a router that was offline
for a while or is in a network that doesn't allow phoning home risks having
its cert expire.

There's no reason why you can't have multiple certs for the same name; any
CA will gladly give you thousands of cert-key pairs, and while they'll
charge more for such a special case the per-router price will still be
peanuts.

A vendor who doesn't care about security (insert the obvious rant here) can
also use a single cert, but in that case anyone who extracts the firmware
can get the private key then MITM you.

It would work much better with DNSSEC+DANE -- but alas, no mainstream
browser supports it out of the box[1].

By the way, this is why DNSSEC (DNS only, not DANE) support got disabled in
systemd: a router owned by Lennart's mother used "fritz.box", which gets
rejected by any DNSSEC-validating resolver. It could be trivially fixed by
the vendor registering the "fritz.box" domain (.box is an actual TLD) --
DNSSEC, instead of proving the router is lying, would either detect that the
domain exists but is unsigned (a properly terminated NSEC) or get a signing
chain all the way. But no, the vendor didn't even bother to register that
domain, then DNSSEC did its task and outed the response as fraudulent.


Meow!

[1]. Which I'm quite certain was a request from a three-letter agency --
DANE is no silver bullet but it's so massively better than the CA model
(and can be paired with it) that it's hard to see any reason for its
implementation suddenly getting WONTFIXed other than _someone_ wanting
to retain capability of MITMing arbitrary targets.
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.