posted by CoolHand on Saturday March 03 2018, @02:56PM   Printer-friendly
from the mandating-diversity dept.

Arthur T Knackerbracket has found the following story:

The world's top eight DNS providers now control 59 per cent of name resolution for the biggest Websites - and that puts the Web at risk, according to a group of Harvard University researchers.

The group was led by Harvard's Shane Greenstein, and warned that since 2011, the "entropy" of the DNS (referring to how widely distributed it is) has fallen, becoming concentrated in "a small number of dominant cloud services companies".

That state of affairs, the group's research paper (PDF) argued, creates fragility if attackers find a weakness in those DNS services.

[...] For the namespaces they measured, the team found the top eight providers grew their market share from 24 per cent to 59 per cent from 2011 to 2017, and the top four went from 17 per cent to nearly 50 per cent.

[...] The other trend they found was that, unsurprisingly, in a world awash with easy-to-use cloud services, external DNS hosting has overtaken in-house DNS servers.

For companies worried that this might leave them open to a Mirai-style botnet taking out their DNS provider, the solution is simple, the paper said.

Organisations should diversify their pool of nameservers by taking DNS management services from multiple providers, the paper said. Compared to the costs of a day's downtime, this is "a comparatively costless and therefore puzzlingly rare decision".
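The two checks the story implies, as an added example that is not code from the story or from the Harvard paper: flag zones whose entire NS set sits with one operator, and measure how concentrated a set of delegations is. The delegation records are constructed, grouping nameservers by their registrable domain is a heuristic (the paper's grouping method is not given on this page), and the Shannon-entropy figure is an assumption about what the article calls DNS "entropy".

```python
"""Check NS delegations for single-provider dependence and measure
provider concentration across a set of zones.

Added example, not code from the story or the Harvard paper. The
nameserver records below are constructed, grouping by the nameserver's
registrable domain is a heuristic, and the Shannon-entropy measure is an
assumption about what the article calls DNS "entropy".
"""
import math
from collections import Counter

# Constructed sample delegations: zone -> NS hostnames.
SAMPLE_NS = {
    "single.example": [
        "ns1.provider-a.example", "ns2.provider-a.example",
        "ns3.provider-a.example", "ns4.provider-a.example",
    ],
    "dual.example": [
        "ns1.provider-a.example", "ns2.provider-a.example",
        "ns1.provider-b.example", "ns2.provider-b.example",
    ],
    # In-house servers are still one operator, hence one failure domain.
    "inhouse.example": ["ns1.inhouse.example", "ns2.inhouse.example"],
}


def provider_of(ns_host: str) -> str:
    """Heuristic (assumption): the last two labels of an NS hostname
    identify the operator running it."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers_for_zone(ns_hosts) -> set:
    return {provider_of(h) for h in ns_hosts}


def single_provider_zones(delegations) -> list:
    """Zones whose every NS belongs to one operator: an outage of, or a
    successful attack on, that operator takes the whole zone offline."""
    return sorted(z for z, ns in delegations.items()
                  if len(providers_for_zone(ns)) == 1)


def provider_shares(delegations) -> dict:
    """Share of (zone, provider) pairs held by each provider; sums to 1."""
    counts = Counter(p for ns in delegations.values()
                     for p in providers_for_zone(ns))
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()}


def top_k_share(shares: dict, k: int) -> float:
    """Combined share of the k largest providers (the 'top eight' /
    'top four' style figure quoted in the story)."""
    return sum(sorted(shares.values(), reverse=True)[:k])


def entropy_bits(shares: dict) -> float:
    """Shannon entropy of the provider distribution; lower means more
    concentrated (assumed reading of the paper's 'entropy')."""
    return -sum(p * math.log2(p) for p in shares.values() if p > 0)


if __name__ == "__main__":
    shares = provider_shares(SAMPLE_NS)
    print("single-provider zones:", single_provider_zones(SAMPLE_NS))
    print("top-1 share: %.2f, entropy: %.2f bits"
          % (top_k_share(shares, 1), entropy_bits(shares)))
```

Pointing `SAMPLE_NS` at real NS answers (for example the output of `dig NS <zone>` collected for an organisation's zones) turns `single_provider_zones` into the audit the paper recommends; grouping by ASN of the nameserver addresses instead of by hostname would catch providers that use vanity nameserver names.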

  • (Score: 2) by NotSanguine on Sunday March 04 2018, @12:07PM

    With DANE you can safely use a self-signed certificate for encryption, since you know that it indeed comes from the site you are intending to visit.

    As far as DANE usage is concerned, you're partially correct. But there are risks and caveats with DANE as well, as I discuss below.

    My original point was that in many (most?) use cases, you can do secure encryption without DANE, a CA or a web of trust, as client/server authentication isn't needed.

    And in many cases where authentication/non-repudiation *is* needed (corporate webmail, SSL VPN, 802.1x, etc.), you'll need to issue certs to both the server *and* the clients. At which point, it won't matter whether you use DANE or not, as the certs will be signed by a CA certificate (itself signed by a CA cert that you control) trusted by both.

    I'd also point out that DNSSEC (which is required for DANE) requires a "chain of trust" up to the TLD through your registrar (assuming the devices are on uncontrolled networks), so it's not just a matter of "let's set up DANE and Bob's your uncle!"

    Do you trust your registrar's PKI policies/security? I suppose that if you start your own registrar, then you might be able to assure that the chain of trust is valid. If not, you're at the mercy of your registrar's policies and infrastructure, as well as their employees' honesty and ethics.

    DANE is useful with connections to servers that aren't within your control, where you are transmitting sensitive information (financial or medical data, etc.) for which there's no single entity that controls the certificates of the client *and* the server. Even then you're still dependent on the quality/security of the server's registrar (back to the DNSSEC "chain of trust").

    I don't know about you, but I'd be a little leery if I connected to my bank and they had a self-signed certificate, even if it was verified with DANE RRs, as that's pretty unusual, and things that are unusual are suspicious.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
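The DANE mechanics the comment above refers to, as an added example that is not code from the commenter: matching a presented certificate against a TLSA record, and deciding whether the record alone may vouch for a self-signed certificate or whether CA (PKIX) validation is still required. The certificate bytes are a constructed placeholder rather than real DER, the TLSA record is derived from them, and only selector 0 (full certificate) is implemented; selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser that is left out.

```python
"""Match a server certificate against a DANE TLSA record and decide
what the record proves (RFC 6698 field semantics).

Added example, not code from the comment. CONSTRUCTED_CERT is a
placeholder, not real DER; SAMPLE_TLSA is built from it; selector 1
(SubjectPublicKeyInfo) is not implemented.
"""
import hashlib

# RFC 6698 certificate usages: 0 (PKIX-TA) and 1 (PKIX-EE) still require
# normal CA-based validation; 2 (DANE-TA) and 3 (DANE-EE) anchor trust in
# DNSSEC alone, which is when a self-signed certificate can be accepted.
PKIX_REQUIRED = {0: True, 1: True, 2: False, 3: False}

# Constructed placeholder standing in for a DER-encoded certificate.
CONSTRUCTED_CERT = b"constructed placeholder certificate bytes, not real DER"
# TLSA record in presentation format: usage 3 (DANE-EE), selector 0
# (full certificate), matching type 1 (SHA-256 of the selected data).
SAMPLE_TLSA = "3 0 1 " + hashlib.sha256(CONSTRUCTED_CERT).hexdigest()


def parse_tlsa(rdata: str):
    """Split 'usage selector mtype hexdata'; the hex may contain spaces."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the bytes the record must equal from the certificate."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs ASN.1 parsing")
    if mtype == 0:
        return cert_der                          # exact match of full data
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """True when the certificate's association data equals the record's."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    return association_data(cert_der, selector, mtype) == assoc


def dane_verdict(cert_der: bytes, rdata: str, dnssec_validated: bool) -> str:
    """Return 'accept', 'reject' or 'needs-pkix'.

    A TLSA answer that did not pass DNSSEC validation proves nothing
    (the chain-of-trust point in the comment), so it is treated as if
    no record existed and ordinary CA validation is still required."""
    if not dnssec_validated:
        return "needs-pkix"
    if not tlsa_matches(cert_der, rdata):
        return "reject"
    usage = parse_tlsa(rdata)[0]
    return "needs-pkix" if PKIX_REQUIRED[usage] else "accept"


if __name__ == "__main__":
    print(dane_verdict(CONSTRUCTED_CERT, SAMPLE_TLSA, dnssec_validated=True))
    print(dane_verdict(CONSTRUCTED_CERT, SAMPLE_TLSA, dnssec_validated=False))
```

The `dnssec_validated` flag is the piece a real client gets from its validating resolver (the AD bit, or local validation); without it the usage-3 "self-signed is fine" shortcut collapses, because anyone who can spoof the unsigned answer can also supply a matching certificate.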