[dnssec-deployment] change "real threats" slide

Johan Ihrén johani at autonomica.se
Mon Oct 18 12:48:06 EDT 2004


Rob,

Not being at NANOG I have no real clue to your exact deadline, but FWIW:

> just talked to suresh, bill, and sam.  i am increasingly uncomfortable
> with the "real threats" slide in our nanog presentation, it is very
> weak and having a strong slide there is critical (offering something
> that operators will laugh off as bogus nonsense is the surest way to
> get them to ignore rest of our talk).  bill tells me that we can still
> update the slides if we hurry and hand in a new slide deck for the web
> site.  hence, this message.

I agree this slide is crucial.

> currently we have three items:
>
>   one-way ssl tunnel.  i still don't know what this means.  weak in
>   any case, since ssl has its own app level auth mech.

I do not agree that ssl app level auth alleviates the benefits of 
DNSSEC.

1.	markk's example is very valid in my eyes. As far as I can tell there 
is a clear possibility of people looking for the locked padlock, the 
"s" in "https", etc, and then happily submitting their credit card 
number to someone other than the intended recipient.

2.	Even when there are hardware devices involved (typically Internet 
banking and similar) there is a concern that DNS spoofing, while not 
causing transactions to go through (you're saved by the OOB security of 
the h/w device) the customers will lose confidence in the "Internet 
bank" as opposed to "real bank" if they get spoofed and nothing informs 
them that "this web site is false" so that they instead only learn 
that something is wrong when the actual transaction blows up in their 
face.

I am more and more of the opinion that the role of DNSSEC is not 
necessarily primarily to facilitate some new application that wasn't 
possible before but also to increase (as in "return") trust in the 
Internet as a medium in general.

I would suggest something a la (probably not for this presentation but 
maybe for some other talk at some other time). This is intentionally 
spiced to tickle the bean-counting gene that people have developed in 
the last years:

	*	Once upon a time the Internet was a nice place where
		you could depend on the information you received.

	*	That is no longer the case.

	*	This is scaring people.

	*	Scared people are bad for the Internet as a business.

	*	DNSSEC is a way to put the brakes to, and hopefully even
		reverse, that trend.

Johan



