undefined | Better HN

0 pointstptacek17y ago0 comments

This isn't true at all. Mutual key agreement between two unrelated parties talking for the first time is hard problem. SSL gets rid of that problem by having every participant in the system rendezvous with 10+ CA's before they talk to anyone.

The SSL problem is mutual key agreement between two related parties communicating for the first time, and it's an easy one to solve.

There is a really persistant meme that SSL breaks when the DNS breaks, because all that happens when your certificate doesn't match or verify is that you get a warning. That warning says SSL isn't working anymore. You're not supposed to click through it. Real applications that use SSL under the hood don't pop up warnings: they freak out and quit.

0 comments

2 comments · 1 top-level

Hexstream17y ago· 1 in thread

"There is a really persistant meme that SSL breaks when the DNS breaks, because all that happens when your certificate doesn't match or verify is that you get a warning. That warning says SSL isn't working anymore. You're not supposed to click through it."

I didn't know it was this bad, Browsers should "freak out" and totally refuse to proceed with the page then.

tptacekOP17y ago

The problem with this is that SSL certificates can become nonverifiable through innocuous circumstances --- for instance, by expiring, or by moving. Most providers and most users would not accept a hard failure in this case.

And there you have one of the biggest problems with DNSSEC --- without a massive software revamp, there's no "soft" failure mode. gethostbyname() doesn't have a warning channel.

j / k navigate · click thread line to collapse