Full Disclosure mailing list archives

Re: Slightly OT: What SSL cert do you consider strongest?


From: Fabian Wenk <fabian () wenks ch>
Date: Thu, 24 Oct 2013 08:29:28 +0200

Hello Alex

On 24.10.2013 08:08, Alex wrote:
> Maybe adding the key or at least hash of it to DNS would help against mitm
> attacks. Has anyone thought of it before? Google doesn't give me useful

This is exactly what the DANE entries do, as I have noted in my post. Here is a sample output:

$ dig +short +dnssec tlsa _443._tcp.secure.wenks.ch
1 0 1 4F2F33286C934C2A46523457D10A387D133FD7C228AC27DD35D92DBC 45C27BEE
TLSA 8 5 3600 20131104014828 20131005011656 38088 wenks.ch. e4qa1YgjN/CxHycEeNBnc0xsUSeOYEOTP+qdvhJrlWZgV1RwLZ2srFl0 QpW2WbJi0Jb2UNAP0GSJY4/IVehpad/+c5dHD09kERAo6bJ2uRieqfTB ixmxEs43nFDSDgxf5jBDYj8NIkscFpf8swRoCosXhY4URbCpuqqWdQiM R34m1vr4cdF9Y2vJJB5PCMJ01g4yTOenRDlR/nZcJXHV25MRyYg2mW0J LlA/X92FWVZd5jWRLmn9LmPLqCkleLIdC8XMtfav9/XSD+0qZiIw7pfh gYJUY4k92LhTPh4rUYB8rtr2/ieIl2+erUVXyur1edWZ7VsFodJSo4C9 SUbayA==

This is the DANE entry in the DNSSEC signed zone for the HTTPS website at the hostname secure.wenks.ch. Other variants are possible, e.g. containing the whole certificate, which could be useful for self-signed certificates. It will not work now, but probably in the future, as the browsers do not support DANE yet.

> hits. The same system is used in SSH. Even governments would have problems
> if the NS are for different TLD ...

To really be useful the zone needs to be signed with DNSSEC and also the client must use DNSSEC when resolving. Else MITM is still possible.


bye
Fabian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
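As an added example (not code from Fabian's mail or from the list), the following Python parses TLSA rdata in the presentation format that dig prints above and checks a presented certificate against it. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, and the trust-anchor usages 0 and 2 are deliberately left unimplemented.

```python
import hashlib
import hmac

# TLSA rdata fields as defined in RFC 6698.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: "sha256", 2: "sha512"}  # 0 = exact bytes, else a hash


def parse_tlsa(rdata):
    """Parse TLSA presentation format as printed by `dig +short`.
    dig breaks long hex into space-separated chunks, so join them first."""
    usage, selector, mtype, *chunks = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(chunks))


def association_data(selector, mtype, cert_der, spki_der):
    """Derive the association data a TLSA record must carry for this cert."""
    if selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unsupported selector/matching type")
    data = cert_der if selector == 0 else spki_der
    algo = MATCHING[mtype]
    return data if algo is None else hashlib.new(algo, data).digest()


def tlsa_record(usage, selector, mtype, cert_der, spki_der):
    """Build the rdata a zone operator would publish (presentation format)."""
    digest = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {digest.hex().upper()}"


def tlsa_matches(rdata, cert_der, spki_der):
    """Check a presented end-entity certificate against one TLSA record.
    Returns (matched, pkix_required): usage 1 still demands normal CA
    validation, usage 3 does not. The caller must have obtained rdata via a
    validating DNSSEC resolver; unsigned TLSA data protects nothing."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    if usage in (0, 2):  # trust-anchor usages match a CA cert in the chain
        raise NotImplementedError("chain matching is not shown here")
    actual = association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(actual, expected), usage == 1


# Constructed stand-ins for a real DER certificate and its SubjectPublicKeyInfo.
SAMPLE_CERT_DER = b"constructed-sample-certificate-bytes"
SAMPLE_SPKI_DER = b"constructed-sample-spki-bytes"
# The record from the dig output above: usage 1 (PKIX-EE), full cert, SHA-256.
PAGE_RECORD = ("1 0 1 4F2F33286C934C2A46523457D10A387D133FD7C228AC27DD35D92DBC"
               " 45C27BEE")
```

With a usage 1 record such as the one in the mail, a matching hash alone is not enough; the certificate must also pass ordinary chain validation, which is what `pkix_required` signals.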
