[dnssec-deployment] DNSSEC and certificates.
jakob at rfc.se
Mon Jan 24 03:15:10 EST 2005
On Sat, 22 Jan 2005, Doug Barton wrote:
> The attack vector I'm most concerned about is the one where the attacker
> obtains a valid certificate, and then spoofs DNS to direct traffic to
> his bogus site. There is no way for the average user to protect
> themselves against this attack.
but there is nothing we do against this attack unless we change the basic
principles of X.509 as we know it. DNSSEC will of course help here, but
the attacker can redirect traffic in various other ways.

but why try to obtain a valid cert when the user will just accept whatever
pops up on the screen?