Verisign Stupidity

If you haven’t heard yet, Verisign made a DNS change yesterday that replaced the ‘domain not found’ error with a record pointing to one of their servers. The net.world is up in arms, ISC has issued a patch for BIND (and the announcement made it into the dead-tree Seattle PI today), and no one is generally happy about it.
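As an added example (not from the original post), here is the kind of check an operator could run to tell honest NXDOMAIN answers from a registry wildcard of the sort described above: query several made-up names under the TLD and see whether they all come back NOERROR with one identical address. The response data is constructed inline, and 192.0.2.1 is a documentation-range stand-in for whatever address the wildcard points at.

```python
import secrets
from collections import Counter

# Constructed sample responses, keyed by queried name: (rcode, [A records]).
# A correct resolver answers a made-up .com label with NXDOMAIN; a registry
# wildcard of the kind the post describes answers NOERROR with one fixed
# address. 192.0.2.1 is RFC 5737 documentation space, not a real sink.
HONEST = {
    "zq7x-probe-1.com": ("NXDOMAIN", []),
    "zq7x-probe-2.com": ("NXDOMAIN", []),
    "zq7x-probe-3.com": ("NXDOMAIN", []),
}
WILDCARDED = {
    "zq7x-probe-1.com": ("NOERROR", ["192.0.2.1"]),
    "zq7x-probe-2.com": ("NOERROR", ["192.0.2.1"]),
    "zq7x-probe-3.com": ("NOERROR", ["192.0.2.1"]),
}


def probe_names(tld="com", count=3):
    """Random labels that should not exist; these are the names to query."""
    return [f"{secrets.token_hex(6)}-probe.{tld}" for _ in range(count)]


def detect_nxdomain_rewrite(responses):
    """Return the sinkhole address if every nonexistent probe name got the
    same A record instead of NXDOMAIN, else None.

    At least two probes are required so that a single accidental hit on a
    name that happens to be registered does not trigger a false alarm.
    """
    if len(responses) < 2:
        raise ValueError("need at least two probe responses")
    addrs = []
    for rcode, records in responses.values():
        # Any honest NXDOMAIN (or empty answer) means no wildcard is in play.
        if rcode == "NXDOMAIN" or not records:
            return None
        addrs.extend(records)
    common, hits = Counter(addrs).most_common(1)[0]
    # Only flag when every probe resolved to the same single address.
    return common if hits == len(responses) else None
```

In live use, `probe_names()` supplies the queries and the resolver's answers are fed to `detect_nxdomain_rewrite()` in the same shape as the samples.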

I didn’t realize how bad it could be until I saw this post from Steve Bellovin on NANOG:

It’s bad enough now; it could be even worse. They could respond on
port 443, too, with a legitimate-seeming certificate — they’re
*Verisign*, the leading certificate authority.

In the security world, we call this a man- (or monkey-)in-the-middle
attack, for which the standard defense is crypto. But that doesn’t
work well when your trusted third party is part of the threat model…

I’ve never really liked that there was one central authority for public key certificates, and I really don’t like that they are in control of other central parts of the infrastructure, and even worse, that they have been taken over by people looking to make a fast buck at the expense of the net.
