On Thu, Dec 10, 2020 at 01:36:30AM +0100, Adrian Zaugg wrote:
> So, then use DANE.

This. DANE is the only way to have reasonably secure TLS that's actually
somewhat deployed in the world (not at all for browsers, well on its way
for SMTP).

Instead of trusting all of thousands of CAs, you trust 1 TLD of your choice,
and 1 registrar of your choice. [1] And without trusting them you can't get
DNS anyway!

> The critics on the CA design I share basically, but his comparison with
> tofu of SSH misses the whole point of authentication of the server's
> identity (...and comparing fingerprints just doesn't scale – at least he
> could have mentioned SSHFP to get somewhere close).

Tofu 1. is totally unsecure the first time, 2. proves your communication
with the server if your device is seized.

Note that somehow Mozilla and Google are trying to introduce DANE-over-TLS
as their "implementation of DANE" -- ie, instead of (or in addition to)
CA chain you get DNSSEC signature chain passed after already connecting,
but that hardly gives you anything: it can be trivially downgraded, allowing
any attacker to eavesdrop if they could do so before.

Only DANE-over-DNS is currently downgrade-resistant (even if DNS itself is
tunnelled -- DANE-over-DNS-over-TLS is ok in this regard).

> Don't you guys run Linux? So the Linux Foundation and EFF is your
> competitor? Na. And the cleartext communication with LE is signed btw.,
> there is the DNS-01 challenge method, which can be secured by DNSSEC
> asf.

DANE is strictly better than LE (anyone who can subvert DNS{,SEC} can also
use that to obtain a CA certificate), LE is strictly better than http.

> The only option in his picture of the web is to use plaintext http
> or https that does not make a distinction between self-signed and issued
> certs. Is that any better? Does this guy understand what he writes
> about? I get the impression this is mostly publicly shown narcissism and
> false conclusions – me too, I feel contrarian.

Aye. Self-signed is better than plaintext, CA-signed is much better than
self-signed. That guy has two choices: worse X, bad Y, and argues for X
just because Y is bad.


Meow!

[1]. Technically, also the root domain, but you almost surely have your
TLD's key cached, and it's easy to pin TLD keys.
--
⢀⣴⠾⠻⢶⣦⠀ .--[ Makefile ]
⣾⠁⢠⠒⠀⣿⡁ # beware of races
⢿⡄⠘⠷⠚⠋⠀ all: pillage burn
⠈⠳⣄⠀⠀⠀⠀ `----