

What is the correct user experience for DNSSEC in a web browser? - danyork
http://www.internetsociety.org/deploy360/blog/2012/01/what-is-the-correct-user-experience-for-dnssec-in-a-web-browser/

======
nhaehnle
It strikes me that even the problems that DNSSEC and SSL certificates are
supposed to solve haven't yet been defined clearly.

From how I understand the technologies (and correct me if I'm wrong), DNSSEC
basically says "the server you are talking to is run by the legitimate owner
of the domain, as far as the DNS itself is concerned". SSL certificates say
"one organization out of a more or less random collection of hundreds of
organizations says that the server you are talking to is run by the legitimate
owner of the domain".

In reality, the question that interests me most, most of the time is this: Is
the server that I am talking to still being controlled by the same person or
organization who controlled it when I talked to it the last time?

If the answer is yes, I will be happy to continue talking to it. If the answer
is no, I have a problem that simply cannot be solved easily and automatically.

I feel that this is much closer to how we intuitively understand trust. When
we meet somebody the first time, we are sceptical and not trusting too much,
though obviously this is influenced by a lot of cultural heuristics. Over
time, we simply know how much we trust the people we know, and our biological
face recognition is usually good enough that we cannot be tricked. The main
task for the browser should be to provide a similar assurance that we cannot
be tricked when it comes to servers.

There is the separate problem of establishing trust the first time I visit a
server. But how I want to deal with this situation depends entirely on the
kind of trust I'm dealing with.

Am I looking at an online store where I might leave some money? In that case,
I'd really like some stamp of approval from an independent customer protection
association - what security does a random CA provide, given how many root CAs
are typically installed by default?

Am I looking at my new bank's online banking interface for the first time? In
that case, couldn't the bank just give me a throwaway USB key which contains a
fingerprint that I can use to establish trust?

Am I looking at the site of someone I met in real life? Couldn't we exchange
fingerprints similar to GPG key signing?

Am I looking at some random guy's blog or forum? In that case, what trust do I
need to establish in the first place? The only thing I would be looking for is
what I mentioned above: that when I visit the site the next time, I can be
assured that I am still talking to the same organization, so that passwords
cannot be stolen.

None of this is easily done today, but it should be possible to come up with a
good UI for it. Of course, that's me. How to explain that to a person who
would rather not think about these issues at all is another question. Perhaps
that's one of those cases where, like with driving, the real solution is to
fix the education system.

~~~
ComputerGuru
You mean, basically, the SSH way of doing things.

No one bothers signing the public key of the SSH server you're trying to
connect to by a CA; your client just says "this is the first time you're
connecting to xxxx, do you accept?" but the next time you try to connect and
you get a mismatch, all kinds of warnings and hell break loose if the key
doesn't match the one in the cache.

Makes sense to me.
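The SSH-style "trust on first use" check described in this comment (and the "am I still talking to the same server as last time?" property the parent comment asks for), as an added example that is not part of the thread: a small known-hosts store that pins a host's key fingerprint the first time it is seen, accepts silently on a match, and refuses on a mismatch. The OpenSSH-style SHA256 fingerprint format is real; the host names, key bytes and the one-line-per-host text format are constructed for the demo and are not OpenSSH's actual known_hosts format.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict


class HostKeyMismatch(Exception):
    """A host we have pinned before presented a different key: refuse."""


class UnknownHost(Exception):
    """Strict mode: a host we have never seen, and auto-accept is off."""


def fingerprint(pubkey: bytes) -> str:
    # OpenSSH prints host keys as "SHA256:" + base64(sha256(key)) with
    # the base64 padding stripped; we pin that string, not the raw key.
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


@dataclass
class KnownHosts:
    # host -> pinned fingerprint (the in-memory known_hosts file)
    pins: Dict[str, str] = field(default_factory=dict)

    def check(self, host: str, pubkey: bytes, accept_new: bool = True) -> str:
        """Return "new" or "match"; raise on mismatch (or on unknown host
        when accept_new is False). This is the whole TOFU policy."""
        fp = fingerprint(pubkey)
        pinned = self.pins.get(host)
        if pinned is None:
            if not accept_new:
                raise UnknownHost(f"{host}: no pinned key, fingerprint is {fp}")
            self.pins[host] = fp          # first contact: remember it
            return "new"
        if pinned == fp:
            return "match"                # same key as last time
        # Key changed: either the operator rotated it, or someone is in the
        # middle. The client cannot tell which, so it must stop and ask.
        raise HostKeyMismatch(
            f"{host}: pinned {pinned} but server presented {fp}")

    def forget(self, host: str) -> None:
        """Explicit, out-of-band action a user takes after verifying a rotation."""
        self.pins.pop(host, None)

    # Constructed "host fingerprint" line format for persisting the pins.
    def to_text(self) -> str:
        return "".join(f"{h} {fp}\n" for h, fp in sorted(self.pins.items()))

    @classmethod
    def from_text(cls, text: str) -> "KnownHosts":
        pins: Dict[str, str] = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, fp = line.split(None, 1)
            pins[host] = fp
        return cls(pins)


if __name__ == "__main__":
    # Constructed stand-ins for server public keys; not real SSH keys.
    key_a = b"constructed-host-key-A"
    key_b = b"constructed-host-key-B"
    kh = KnownHosts()
    print(kh.check("example.org", key_a))      # first visit: "new"
    print(kh.check("example.org", key_a))      # next visit, same key: "match"
    try:
        kh.check("example.org", key_b)         # key changed: warnings, hell breaks loose
    except HostKeyMismatch as e:
        print("REFUSED:", e)
```

Note what this model does and does not give: a mismatch after the first visit is detected without any CA, but the first visit itself is unauthenticated, which is exactly the "establishing trust the first time" gap the parent comment separates out.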

------
magg
These guys did a plugin for IE and a few mobile apps to validate DNSSEC...

<http://cs.mty.itesm.mx/dnssecmx/>

