4

There is definite security value in having DNSSec-verified connections; however, I have yet to see software indicate if the connection is secure.

Ultimately I would like my users to recognize that DNSSec is a more secure solution, and prefer it or demand it when handling our business transactions. It would give us the competitive edge.

What are my options to get users to see that they are more secure with DNSSec? They don't have to understand it, and it's better if they don't have to go trolling through menus to determine this. Suggestions such as browser plug-ins or solutions for LoB applications are more than welcome.

It's a shame that EV certificates are the ones that highlight the URL in green. I would think that DNSSec is more of a fundamental security improvement than EV, which essentially is Security Theater in comparison.

makerofthings7
  • Related: [What *should* a DNSSec-secured session look like?](http://ux.stackexchange.com/questions/11870/what-should-dnssec-protected-ssl-connections-look-like) – makerofthings7 Sep 25 '11 at 15:11
  • Related: http://security.stackexchange.com/questions/7565/what-organisations-would-recommend-a-baseline-technology-set-for-safe-secure – makerofthings7 Sep 26 '11 at 03:03

1 Answer

7

I strongly believe that the pure usage of DNSSEC should not be indicated to the user at all. DNSSEC just ensures that the DNS lookups are not tampered with by third (fourth?) parties.

DNSSEC does not ensure that the connection is really established with the returned IP-address nor that no attacker is listening in on the data. So pure DNSSEC is way too complicated to understand for an average user compared to the small gain in security.

An interesting approach is to publish the public SSL key via DNSSEC instead of or in addition to using the traditional SSL certificate authorities. This solves one of the main issues of the traditional approach: At the moment any (transitive) trusted SSL certification authority can sign certificates for any domain. With a DNSSEC based approach only the authority responsible for the top level domain can sign. This greatly decreases the attack surface. (And places a lot of power at the domain authorities.)

The visual indication of "SSL with public key published via DNSSEC" should be similar to SSL using EV certificates. I doubt that we will see the traditional approach go away any time soon because there is a lot of money involved.

nealmcb
Hendrik Brummermann
  • +1: just what I was about to write.... And I just pushed you within 3 reputation points of me for 5th place :) – nealmcb Sep 25 '11 at 15:50
  • Moxie had some interesting thoughts on using DNSSEC in his APPsecUSA talk the other day: http://www.ustream.tv/recorded/17457016 (starts at 26:49, although the whole thing is well worth a watch). The downside is definitely in the fact that it gives domain authorities a lot of power... – Rory McCune Sep 25 '11 at 20:05
  • The power *belongs* to the authorities since they are, well *authorities*. Where else should it be? Aside from that, a true killer application for DNSSEC, much more than server certificates, would be mail certificates. But the very idea of storage of certificates external to DNS within DNS zones is heavily opposed by the responsible IETF workgroup due to the fact that "DNS should not be cluttered by stuff that can be done outside of DNS". – syneticon-dj Sep 25 '11 at 20:40
  • @syneticon-dj, many authorities instead of a single one. But of course that has the issue of a huge attack surface. – Hendrik Brummermann Sep 25 '11 at 20:54
  • I agree with Hendrik, and appreciate all the comments. What are your thoughts regarding this revised UI suggestion: http://ux.stackexchange.com/questions/11870/should-a-web-browser-indicate-year-near-the-lock-icon-to-encourage-more-safe-se – makerofthings7 Sep 26 '11 at 03:05
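
The answer's idea of publishing the SSL public key via DNSSEC can be sketched as a client-side check. This is an added example, not code from the thread: it borrows the selector and matching-type fields of the TLSA record (RFC 6698, DANE), which the answer does not name, and the certificates are constructed, certificate-shaped DER rather than real ones. The function and constant names are hypothetical.

```python
import hashlib
import hmac

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, start, start + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(5):  # skip serial, signature alg, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def tlsa_matches(cert_der, selector, mtype, data, dnssec_validated):
    """Check a presented certificate against TLSA association data."""
    # An unsigned DNS answer could have been forged, so it proves nothing.
    if not dnssec_validated or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif mtype == 2:
        blob = hashlib.sha512(blob).digest()
    return hmac.compare_digest(blob, data)

# --- Constructed sample data: certificate-shaped DER, not real certificates ---
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only (< 128 bytes)

def sample_cert(serial, key):
    empty = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
              + empty * 4 + der(0x30, key))
    return der(0x30, tbs + empty + der(0x03, b"\x00"))

CERT_A = sample_cert(b"\x01", b"constructed-key-1")
CERT_REISSUED = sample_cert(b"\x02", b"constructed-key-1")  # same key, new serial
CERT_OTHER = sample_cert(b"\x03", b"constructed-key-2")
PIN = hashlib.sha256(der(0x30, b"constructed-key-1")).digest()  # selector 1, type 1

if __name__ == "__main__":
    for name, c in [("A", CERT_A), ("reissued", CERT_REISSUED), ("other", CERT_OTHER)]:
        print(name, tlsa_matches(c, 1, 1, PIN, dnssec_validated=True))
```

Pinning the key (selector 1) survives a certificate reissue with the same key pair, while a certificate for a different key is rejected no matter which certificate authority signed it.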