I’ve joined Keybase this week: keybase.io/jeroenh. This is a new service which hosts a directory of public keys together with a verifiable list of usernames.
I have previously written about DNSSECs “failure”. I tried to draw attention to the absence of simple documentation for implementing DNSSEC properly using simple tools. The steps to implement it are not that difficult, but without proper tools and documentation, nobody is going to find out. My previous post became subject of heated debates, and I have also been invited by NLNetLabs to discuss how we can improve the situation. The post below is meant to shed some light on the matter.
The original specification of DNSSEC is from 1997: RFC 2065. This means that it is now over 17 years ago since its initial appearance. Sure, it has a turbulent history, and has undergone some big changes. Even the ‘final’ specification (RFC 4033) is over 9 years old. Yet I am going to argue that it has failed.
Cory Doctorow argues that security engineering should be public, like public health:
I think there’s a good case to be made for security as an exercise in public health. It sounds weird at first, but the parallels are fascinating and deep and instructive.
Last year, when I finished that talk in Seattle, a talk about all the ways that insecure computers put us all at risk, a woman in the audience put up her hand and said, “Well, you’ve scared the hell out of me. Now what do I do? How do I make my computers secure?”
And I had to answer: “You can’t. No one of us can. I was a systems administrator 15 years ago. That means that I’m barely qualified to plug in a WiFi router today. I can’t make my devices secure and neither can you. Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies. Not when it is illegal to tell people if there are flaws in their computers, where such a disclosure might compromise someone’s anti-copying strategy.
I agree that security these days is harder than ever. The Internet has become a hostile environment and there are many actors actively trying to break anything connected to it.
Public health is a service because it is in everybody’s general interest, and there is not much else we can do about it. Making security a public service creates exactly the wrong kind of incentive. Companies release broken products, and rely on consumers not knowing or caring about it. We have to create more awareness and public outrage, so that consumers actually care about this and can make an informed decision.
Informing the public about security related issues, now that I can agree with as a public service.
Dan Geer presented a keynote presentation to the RSA conference which raises many excellent questions that I see also.