
It seems like all this infrastructure could be replaced by a DNS TXT record with a public key that browsers could use to check the cert sent from the web server. A web server would load a self-signed cert (or whatever cert they wanted), and put the cert's public key into a DNS record for that hostname. Every visit to a website would need two lookups, one for address and one for key. It puts control back into the hands of the domain owners and eliminates the need for letsencrypt.


I'm not sure what that would solve. You would still need some central entity to sign the DNS TXT record, to ensure that the HTTPS client does not use a tampered DNS TXT record.


If someone can tamper with your DNS TXT records now they can get a certificate for your domain.


Not tamper with the record directly, but MitM it on the way to a target.


That should be prevented by DNSSEC, no?


Depends on who your adversary is. If it's your ISP: no, DNSSEC doesn't prevent that (in every mainstream deployment scenario, your upstream DNS recursive server is the only thing really doing DNSSEC validation).


That's what DNSSEC is for.


Yes, but that's just PKI again, which is what the OP was trying to avoid.


That's already the case with dns-01 verification, no?

Besides, if someone has access to your TXT records then chances are they can also change A records, and you've lost already.


E.g. DNS-Based Authentication of Named Entities? https://www.rfc-editor.org/rfc/rfc6698

There's a TLSA resource record for certificates instead of a TXT encoding.

As far as I know no major browser supports it, and adoption is hindered by DNSSEC adoption.
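The "public key in DNS" idea from the top of the thread is essentially what the TLSA record standardises, so here is an added, self-contained sketch (not code from the thread or from any RFC implementation) of both sides: the zone owner deriving a `3 1 1` TLSA record from a certificate's SubjectPublicKeyInfo, and a client matching the presented certificate against it, refusing to make a DANE decision unless the record arrived DNSSEC-validated. The DER blobs are constructed placeholders, not real certificates or keys.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for DER bytes (not real certificates or keys).
SERVER_CERT = b"\x30\x82constructed-cert-A"
SERVER_SPKI = b"\x30\x59constructed-spki-A"

SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1           # RFC 6698 selector field
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # RFC 6698 matching type field
USAGE_DANE_EE = 3                                  # pins the end-entity cert itself

@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes  # certificate association data, raw bytes

def association_data(cert_der, spki_der, selector, matching_type):
    """Derive the association data a zone owner publishes for this certificate."""
    selected = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}[selector]
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching_type}")

def make_tlsa(cert_der, spki_der, usage=USAGE_DANE_EE, selector=SELECTOR_SPKI, matching_type=MATCH_SHA256):
    """Zone side: build the record; defaults give '3 1 1' (DANE-EE, SPKI, SHA-256)."""
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert_der, spki_der, selector, matching_type))

def to_presentation(rec):
    """Zone-file text form: '<usage> <selector> <matching type> <hex data>'."""
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.assoc_data.hex()}"

def parse_presentation(text):
    usage, selector, matching, data = text.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex(data))

def verify_dane_ee(records, cert_der, spki_der, dnssec_validated):
    """Client side. A record only counts if it was DNSSEC-validated (the point raised
    upthread); otherwise there is no DANE decision and PKIX checks apply instead."""
    if not dnssec_validated:
        return False
    return any(r.usage == USAGE_DANE_EE and hmac.compare_digest(
        association_data(cert_der, spki_der, r.selector, r.matching_type), r.assoc_data)
        for r in records)
```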


Ah but then how would nations spy on people by compromising the root certificate?


You're insinuating that the Let's Encrypt roots are compromised?

https://letsencrypt.org/repository/#isrg-legal-transparency-...


No, but it’s a well-established fact that some CAs are run by governments, some of which are publicly trusted by browsers.


The mainstream root stores all require Certificate Transparency now.



