[dnssec-deployment] change "real threats" slide
johani at autonomica.se
Mon Oct 18 12:48:06 EDT 2004
Not being at NANOG I have no real clue to your exact deadline, but FWIW:
> just talked to suresh, bill, and sam. i am increasingly uncomfortable
> with the "real threats" slide in our nanog presentation, it is very
> weak and having a strong slide there is critical (offering something
> that operators will laugh off as bogus nonsense is the surest way to
> get them to ignore rest of our talk). bill tells me that we can still
> update the slides if we hurry and hand in a new slide deck for the web
> site. hence, this message.
I agree this slide is crucial.
> currently we have three items:
> one-way ssl tunnel. i still don't know what this means. weak in
> any case, since ssl has its own app level auth mech.
I do not agree that ssl app level auth alleviates the benefits of
1. markk's example is very valid in my eyes. As far as I can tell there
is a clear possibility of people looking for the locked padlock, the
"s" in "https", etc, and then happily submitting their credit card
number to someone other than the intended recipient.
2. Even when there are hard-ware devices involved (typically Internet
banking and similar) there is a concern that DNS spoofing, while not
causing transactions to go through (you're saved by the OOB security of
the h/w device) the customers will loose confidence in the "Internet
bank" as opposed to "real bank" if they get spoofed and nothing informs
them that "this web site is false" so that they instead only learn
that something is wrong when the actual transaction blows up in their
I am more and more of the opinion that the role of DNSSEC is not
necessarily primarily to facilitate some new application that wasn't
possible before but also to increase (as in "return") trust in the
Internet as a medium in general.
I would suggest something a la (probably not for this presentation but
maybe for some other talk at some other time). This is intentionally
spiced to tickle the bean-counting gene that people have developed in
the last years:
* Once upon a time the Internet was a nice place where
you could depend on the information you received.
* That is no longer the case.
* This is scaring people.
* Scared people are bad for the Internet as a business.
* DNSSEC is a way to put the brakes to, and hopefully even reverse,
More information about the Dnssec-deployment