DNS-Based Authentication of Named Entities (DANE): Can we fix our broken CA model?

Presented at ToorCon San Diego 16 (2014), Oct. 25, 2014, 4 p.m. (50 minutes).

In this talk we take an exploratory look at DNS-Based Authentication of Named Entities (DANE) and consider how it could change the landscape of web security. The practice of trusting a Certificate Authority to vouch for the encryption and authentication of web sites has proven weak at best, and after multiple security incidents many consider the model completely broken. Mounting evidence of the risk of placing trust solely in the hands of a CA leaves many people asking “Is there an alternative?” DANE tries to address this weakness by letting an organization publish TLSA records in DNS that bind the certificate (or public key) a server uses for TLS to that server's name. Built on top of DNSSEC, DANE means we no longer have to rely solely on the CA for trust; instead, the trust placed in the TLS session rests on the DNSSEC chain from the zone operator up to the root: are we just swapping one evil for another? In this session we provide an introductory examination of the DANE and DNSSEC protocols, highlighting how DANE could modify the ways in which we currently use Certificate Authorities, and considering the new attack vectors its adoption may introduce. This talk is a must-see for anyone interested in the future of Internet security and the emerging technologies that may change the way we gain security assurance for our lives online.
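The binding the abstract describes is carried in a TLSA record (RFC 6698): a usage, a selector, a matching type, and the resulting association data, published under an owner name such as _443._tcp.www.example.com. The following Python is an added example written for this page, not material from the talk or from iSEC Partners; it builds a record from a certificate, prints the zone-file form, and shows the client-side decision, including the caveat that a TLSA record that was not DNSSEC-validated carries no authentication and must be ignored. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins for DER encodings, and the function names and the "issuer" strings are this example's own; usages 0 and 2 (trust-anchor modes) need full chain building and are deliberately not modelled.

```python
"""TLSA (DANE) record construction and matching with RFC 6698 semantics.

The certificate and SubjectPublicKeyInfo below are constructed byte strings
standing in for DER encodings; only the selection/hashing/matching logic is
exercised, so no X.509 parsing is needed."""
import hashlib
from dataclasses import dataclass

# Certificate usage field (RFC 6698, section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector field (2.1.2): which part of the certificate is matched
SEL_CERT, SEL_SPKI = 0, 1
# Matching type field (2.1.3): how the selected data is compared
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # "certificate association data"


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name the client queries, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    """Apply the selector, then the matching type, to the presented certificate."""
    if selector == SEL_CERT:
        selected = cert_der
    elif selector == SEL_SPKI:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = DANE_EE,
              selector: int = SEL_SPKI, matching_type: int = MATCH_SHA256) -> TLSA:
    """Build the record an operator publishes. "3 1 1" is the common choice:
    it survives certificate renewal as long as the key pair is kept."""
    return TLSA(usage, selector, matching_type,
                association_data(cert_der, spki_der, selector, matching_type))


def to_presentation(rr: TLSA) -> str:
    """Zone-file form: '3 1 1 <hex>'."""
    return f"{rr.usage} {rr.selector} {rr.matching_type} {rr.data.hex()}"


def parse_presentation(text: str) -> TLSA:
    usage, selector, mtype, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    return association_data(cert_der, spki_der, rr.selector, rr.matching_type) == rr.data


def dane_accept(records, cert_der: bytes, spki_der: bytes, *,
                dnssec_secure: bool, pkix_valid: bool) -> bool:
    """Client-side decision for an end-entity certificate.

    dnssec_secure: the TLSA RRset was DNSSEC-validated (AD bit from a trusted
    validating resolver, or local validation). Unvalidated records carry no
    authentication and must be ignored (RFC 6698 section 4.1); this is where
    DANE's trust actually rests, which is the "swapping one evil for another"
    question. pkix_valid: the outcome of ordinary CA chain validation.
    Usages 0 and 2 (trust anchors) need the full chain and are not modelled."""
    if not dnssec_secure:
        return False
    for rr in records:
        if rr.usage == DANE_EE and matches(rr, cert_der, spki_der):
            return True  # CA irrelevant: the DNSSEC-signed zone is the authority
        if rr.usage == PKIX_EE and pkix_valid and matches(rr, cert_der, spki_der):
            return True  # CA still required; DANE only constrains which cert
    return False


# Constructed stand-ins for DER encodings (not real certificates).
SPKI_DER = b"constructed-spki:rsa2048:example-key-material"
CERT_DER = b"constructed-cert:www.example.com:issuer=SomeCA:" + SPKI_DER
RENEWED_CERT_DER = b"constructed-cert:www.example.com:issuer=OtherCA:" + SPKI_DER  # same key
ROGUE_SPKI_DER = b"constructed-spki:rsa2048:attacker-key"
ROGUE_CERT_DER = b"constructed-cert:www.example.com:issuer=CompromisedCA:" + ROGUE_SPKI_DER


if __name__ == "__main__":
    rr = make_tlsa(CERT_DER, SPKI_DER)
    print(tlsa_owner_name("www.example.com"), "IN TLSA", to_presentation(rr))
```

Run the file to see the record that would go in the zone. The rogue certificate illustrates the abstract's point: a certificate for www.example.com issued by a compromised CA passes PKIX validation but fails the DANE-EE match because its key is not the one the zone owner published, while the same record still accepts a renewed certificate that keeps the key.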


Presenters:

  • Tony Cargile
    Tony Cargile is an Associate Security Engineer with iSEC Partners, an information security firm specializing in application, network, and mobile security. A graduate of the University of Texas at Austin with a BS in Computer Science, Tony has academic experience in many facets of computer security, including exploit development, web application assessments, and information security. Before joining iSEC Partners, he gained professional programming experience developing custom software solutions in configuration management and web application environments. At iSEC, Tony performs security audits of products from the most prestigious companies, ranging across web application, mobile application, and network-based security assessments.
