[conspire] phish ... DNS ... DNSSEC!, ...

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sun Mar 18 23:20:32 PDT 2018


> Date: Fri, 24 Mar 2017 10:11:00 -0700
> From: Rick Moen <rick at linuxmafia.com>
> To: conspire at linuxmafia.com
> Subject: [conspire] 'Frighteningly effective' GMail phishing
> Message-ID: <20170324171059.GD5838 at linuxmafia.com>
> Content-Type: text/plain; charset=utf-8

> that I personally know.  (This doesn't protect you against other threats
> like compromised DNS or routers, but completely defeats phishing.)

Ah, forgot to also point out ... DNSSEC.  That certainly can quite
help with DNS.  Alas, the US is lagging way behind on that:
https://stats.labs.apnic.net/dnssec
Some countries, and such, though, are looking mighty fine ...
E.g. Faeroe Islands at #2 by country (code) at 87.91%
then we have the US ... #83 at 24.07%
Actually somewhat interesting (and more apparent on map), for the top
11 by country, we have:
1    KI   Kiribati, Micronesia, Oceania                           89.74%
2    FO   Faeroe Islands, Northern Europe, Europe                 87.91%
3    PM   Saint Pierre and Miquelon, Northern America, Americas   87.07%
4    MF   Saint Martin (French part), Caribbean, Americas         86.55%
5    IS   Iceland, Northern Europe, Europe                        85.57%
6    GL   Greenland, Northern America, Americas                   84.56%
7    BB   Barbados, Caribbean, Americas                           78.88%
8    FM   Micronesia (Federated States of), Micronesia, Oceania   77.64%
9    AI   Anguilla, Caribbean, Americas                           77.43%
10   NO   Norway, Northern Europe, Europe                         76.16%
11   SE   Sweden, Northern Europe, Europe                         74.85%
There seems a significant geographic correlation ... perhaps matches to
some laws/regulations or incentives, and perhaps also some trade
agreements?  Or maybe there's culture or some other elements at play, or
working in combination.

And ... CAs and SSL/TLS, yes, many CAs have had their problems(!).
Well, DNS can also help - at least in part - with that.
There's DNS CAA records:
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
Also of note DANE:
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
but alas, DANE seems to not been implemented much, so seems to have not
gained much traction ... e.g. notably most or all, at least major browsers,
don't use it by default, and many/most of them, if they support it at all,
is via some add-on or the like.  Yeah, ... I took a look at DANE ...
notably considering it for BALUG and SF-LUG.org (not the separate list
hosting) ... mostly looked like too much of a pain/hassle for too little
benefit ... though I'm open to and may quite reconsider again.

Well, ... with the US at only 24.07% on DNSSEC, I think at least we're
progressing much more and more quickly on that, than our conversion to
metric.





More information about the conspire mailing list