dnssec-trigger + GNOME + NetworkManager integration

Tomas Hozza thozza at redhat.com
Tue Jun 30 12:38:35 UTC 2015



On 30.06.2015 14:11, Bastien Nocera wrote:
> 
> 
> ----- Original Message -----
>> On 30.06.2015 13:53, Bastien Nocera wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> On 30.06.2015 11:24, Tomas Hozza wrote:
>>> <snip>
>>>>> It means that the site of your bank you are on may not be provided by the
>>>>> actual host you should be connected to, but instead by some attacker's.
>>>>> The insecure mode means that you are vulnerable in the same way as the
>>>>> plain DNS is. So you are insecure even now if you don't use DNSSEC
>>>>> without realizing it.
>>>>
>>>> Except if your bank is using https and you connected to it that way, and
>>>> you have unbroken CA roots, and so on ...
>>>>
>>>> The combinatorial explosion of states between "insecure" (someone just
>>>> stole my money) and "secure" (the NSA be crying because they can't touch
>>>> this) ... means you end up with about NNNN possibilities to explain to
>>>> the user.
>>>>
>>>> It's not possible to represent all of this in a dialog. We'd have to
>>>> print a book and mail it to the user.
>>>
>>> Which means that it needs to be opt-in for us not to have "unbreak my
>>> Internet" buttons in the UI. Once DNSSEC is more widely deployed and we can
>>> safely assume that the majority of the Internet is using it, we can toggle
>>> it on.
>>
>> Yeah, that's one option.
>>
>> Another is if dnssec-trigger can reliably detect the presence of DNSSEC
>> on a given network, then it could enforce its use from then on.
> 
> The good thing being that NetworkManager knows all that, and that the desktop
> doesn't need to track which network we connected to, and whether or not it
> used DNSSEC.

I would not like GNOME to track anything network related. I think NM is
a good place for tracking network configuration. We don't want GNOME to
track anything, but rather to provide UI for tools that are tracking the
state.

>> But making the user decide (or showing them a message) every time they
>> connect to such networks is not the way to go.
> 
> Exactly, cf. "which firewall zone is this network in" discussions of yesteryear.

I don't think we are interested in such a discussion, since we don't think
it is a good idea to expect regular users to make security-related decisions.

Tomas

