- From: Philipp Guehring <philipp AT cacert.org>
- To: Sam Johnston <samj AT samj.net>
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: Re: [Cacert-sysadm] CAcert email address snafu
- Date: Mon, 08 Sep 2008 00:57:52 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
Hi,
> Worse still, the attacker only needs to win once and he's won the
> battle...
Yes.
> plus the delays would probably be intolerable for users.
Well, I guess we could argue for a random 1 minute delay to our users,
if we presented them a nice "Please wait 1 minute, we are processing
your request", and a nice countdown ... But yes, it would likely
frustrate some of them.
> Perhaps sending a randomly timed courtesy follow up would at least
> alert the user to the problem... but it could generate false positives
> (and is still long after the horse has bolted).
I wouldn't count on the user being alerted, if the DNS attack succeeded.
The problem is that the game is mostly between CAcert and the attacker,
the real owner of the DNS might not take part in the game at all.
> I think we're just going to have to concede defeat on this one.
I think so too.
> A long, random string and a forced authentication is likely good
> enough anyway,
It seems to have worked quite well. I haven't heard about any attackers
who claimed that they defeated that part of CAcert yet.
> and doesn't interfere with the users more than we need to.
Yes.
> Other suggestions (like manual interrogation by assurers) introduce
> long delays and cost us professionalism.
Well, we could do one thing there:
We could do an automated risk-assessment on the domain, analyzing whether
it's a high-profile/high-risk domain or a low-profile domain, and then
do normal DNS checks for low-profile domains and add manual
interrogation by assurers to high-profile domains.
Best regards,
Philipp Gühring
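The "long, random string and a forced authentication" check that the thread settles on, written out as an added example; this is editor-supplied illustration code, not CAcert's own implementation. It assumes a hypothetical in-memory pending-token store, a one-hour token lifetime, single-use tokens, and that only the hash of the token is stored. It shows the mechanism only: it does nothing against the case the thread concedes, where an attacker who has poisoned DNS for the domain's mail exchanger simply receives the token.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32          # 256 bits of entropy: unguessable, not merely "long"
TOKEN_TTL_SECONDS = 3600  # assumption: verification links expire after one hour

# Hypothetical in-memory store, keyed by the SHA-256 of the token so that
# a leaked store does not hand out live tokens: hash -> (account, email, expiry)
_pending = {}


def _hash_token(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_verification(account_id, email, now=None):
    """Create a verification token for `email`, bound to the logged-in
    `account_id` that requested it. The returned token is what goes into
    the e-mail sent to `email`; only its hash is retained server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _pending[_hash_token(token)] = (account_id, email, now + TOKEN_TTL_SECONDS)
    return token


def verify(account_id, token, now=None):
    """Complete verification. `account_id` is the authenticated account
    presenting the token ("forced authentication"): possessing the token
    alone is not enough, the presenter must also be the requester.
    Returns (ok, detail); on success detail is the verified e-mail."""
    now = time.time() if now is None else now
    # Looking up by hash rather than by token means the lookup's timing is
    # tied to a SHA-256 output, which cannot be steered by choosing tokens.
    key = _hash_token(token)
    entry = _pending.get(key)
    if entry is None:
        return (False, "unknown token")
    bound_account, email, expiry = entry
    if now > expiry:
        del _pending[key]          # expired tokens are discarded on sight
        return (False, "token expired")
    if bound_account != account_id:
        # Someone else holding the link (e.g. via a redirected mailbox)
        # still cannot attach the address to their own account.
        return (False, "token belongs to a different account")
    del _pending[key]              # single use: replaying the link fails
    return (True, email)
```

The account binding is the part that does the real work here: a token intercepted in transit is worthless unless the interceptor can also log in as the account that requested it, which is why the thread judges the combination "good enough" even though neither piece alone is.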