Re: Verisign's land grab - TCP-IP


Thread: Re: Verisign's land grab

  1. Re: Verisign's land grab

    JdeBP>

    JC> I am sorry, but I don't understand why the idea is a poor one.

    What about the explanation given on that web page did you not
    understand ? I've listed the several flaws in detail, along
    with examples.

    JC> SimpleDNS Plus has already done it.

    That says nothing, apart from that we can count SimpleDNS Plus
    users amongst the growing number of people who have just handed
    another weapon to Verisign.

    Also: Bear in mind that "Someone Else has already done this." is
    one of the very arguments that has been put forward in defence
    of what Verisign has done. ("Other TLD registries started doing
    this years ago [...].") "Someone else has done it." doesn't
    necessarily make "it" the right thing to do.

    JC> And if Verisign changes the IP address, they have added
    JC> the capability to correct for it in the INI file.

    Now read the explanation on the web page about why the very
    fact that Verisign _can_ change the IP address is a flaw in
    the "solution".

    JC> To me that is a very good response [...]

    No. It's a bad response. It's counterproductive in that people
    now think "Oh, the DNS software fixes it.", which it doesn't
    actually do at all. (All but one of the software fixes that I've
    seen so far don't fix the problem at all, and hand Verisign another
    weapon. The remaining one simply just doesn't fix the problem.)

    This _isn't_ a technical problem with a software fix. It's an
    administrative problem with a talking-to-human-beings fix. A
    good response would have been to say that the Domain Name System
    works by delegation, and that we (all of us) have (individually,
    albeit usually indirectly) delegated authority over "com." and
    "net." and their subdomains to Verisign. This is the way that the
    DNS is designed to work. If someone breaches our trust by abusing
    the authority delegated to them, the correct response on our part
    is to not delegate authority to them any more (or, at least, to
    threaten to). This involves talking to root server organizations
    (ICANN, ORSC, PacificRoot, and so forth) and to Verisign. (If
    Verisign doesn't comply, we get the root server organizations to
    stop delegating their authority to it. If the root server
    organizations don't comply, we stop delegating _our_ authority
    to _them_.) It doesn't involve changing the source code of DNS
    server softwares.

    Consider a hypothetical that might help: Posit that you are the
    administrator of "yellowhead.com.". You delegate authority for
    "www.yellowhead.com." to Verisign, on the understanding that it
    won't abuse this to redirect your HTTP traffic somewhere that
    you don't want it to go. Verisign abuses your trust and redirects
    your HTTP traffic somewhere else, using the authority that you have
    given to it. What do you do ? Do you employ the software-fix
    approach of having everyone in the world patch their DNS server
    softwares ? Or do you employ the talking-to-human-beings approach of
    telling Verisign to get back into line, with the threat that if it
    doesn't you'll simply delegate the authority for "www.yellowhead.com."
    and its subdomains to someone else ?

  2. Re: Verisign's land grab



    Jonathan de Boyne Pollard wrote:
    ...
    > This _isn't_ a technical problem with a software fix. It's an
    > administrative problem with a talking-to-human-beings fix. A
    > good response would have been to say that the Domain Name System
    > works by delegation, and that we (all of us) have (individually,
    > albeit usually indirectly) delegated authority over "com." and
    > "net." and their subdomains to Verisign. This is the way that the
    > DNS is designed to work. If someone breaches our trust by abusing
    > the authority delegated to them, the correct response on our part
    > is to not delegate authority to them any more (or, at least, to
    > threaten to). This involves talking to root server organizations
    > (ICANN, ORSC, PacificRoot, and so forth) and to Verisign. (If
    > Verisign doesn't comply, we get the root server organizations to
    > stop delegating their authority to it. If the root server
    > organizations don't comply, we stop delegating _our_ authority
    > to _them_.) It doesn't involve changing the source code of DNS
    > server softwares.


    Thank you. That is a very well worded statement of
    the problem. I hope more people see this and get the
    concept. Don't fix things that aren't broken and don't
    reward those who circumvent the rules when the
    rules are working just fine.

    jmh


  3. Re: Verisign's land grab

    JdeBP> What about the explanation given on that web page did you
    JdeBP> not understand ? I've listed the several flaws in detail,
    JdeBP> along with examples.

    WS> He did not understand it because it is wrong and does not apply.

    False. The flaws in the mechanism that changes answers to "A"
    queries according to the IP address in the result, are as described
    on the web page. You can find plenty of other people pointing out
    these same flaws, and a little thought expended on your part will
    lead you to the same conclusions.

    WS> The P1 patch does not do this

    We weren't talking about that mechanism. Moreover, the web page
    describes the flaws in _that_ mechanism, too. (Ironically, it's
    the mechanism that Verisign, were it maliciously inclined, would
    much prefer people to use, since it provides it with the most
    specific countermeasure against its deployment.)

    WS> so stop the hype.

    This is not hyperbole. This is information.

    The web page is a public service, to show people the flaws in these
    solutions, that leave them vulnerable to attacks by both Verisign
    and third parties, before they adopt them. The public discussion
    that brings people's attention to these things is a good thing.

    It is people who blindly parrot received wisdom without actually
    looking at these patches and analysing what they do and what their
    effects are, and who attack those who actually expend the effort of
    sitting down and analysing what these patches do, what all of their
    consequences, intended or unintended, will be, and drawing them to
    people's attention if they are adverse; who are doing everyone a
    disservice.

    WS> If people need the patch, they need the patch.

    That presupposes that they "need" something that leaves them more
    vulnerable than they were before.

    WS> Everyone needs to take care of their own environment
    WS> and handle issues how they see fit.

    ... whilst you, from the evidence of what you write here, would like
    to silence those who warn people that they are about to do one of
    several very foolish things in their attempts to "handle issues".


