DNS-Based Authentication of Named Entities (DANE): Can we fix our broken CA model?

DerbyCon 4.0 - Family Rootz

Presented by: Tony Cargile
Date: Friday September 26, 2014
Time: 16:00 - 16:50
Location: Track 4

In this talk we take an exploratory look at DNS-Based Authentication of Named Entities (DANE) and consider how it could change the landscape of web security. The method of trusting a Certificate Authority to provide encryption and authentication for web sites has been seen to be weak at best, and due to multiple security incidents many consider this model to be completely broken. Mounting evidence supporting the risks of placing trust solely in the hands of a CA leaves many people with the question "is there an alternative?" DANE tries to address this weakness by allowing organizations to bind certificates used for TLS to their respective servers using DNS. Built on top of DNSSEC, DANE allows us to not rely solely on the CA for trust and instead places the trust of the TLS session on the DNS server. Are we just swapping one evil for another? In this session we will provide an introductory examination of the DANE and DNSSEC protocols, highlighting how the use of DANE could modify the current ways in which we use Certificate Authorities, as well as considering possible new attack vectors adoption may introduce. This talk is a must-see for anyone interested in the future of Internet security and emerging technologies that may change the way we gain security assurance for our lives online.

Tony Cargile

