> But on the open internet is the "trust model" really worth anything?
It is. I'd be the first to admit that the CA model is absolutely not a solution that works well overall[1], but regardless of that, it's very hard to get away with a non-targeted attack on TLS (e.g. by compromising a CA). Only targeted attacks are really viable; dragnet surveillance is not.
The problem with the way CloudFlare breaks the trust model is that it's broken for everybody - not just high-risk individuals in a targeted attack, but every single person that talks to a site going through CF. It's completely viable to do dragnet surveillance or modification without anybody realizing it, and this makes it a much bigger breach than the CA model.
> Any website that is delegating their DNS to some third party is potentially vulnerable, not to mention any user who is delegating their DNS lookups to a third party. Those are very large numbers.
Not without making a lot of noise. In the context of not having a good way to establish trust for previously unknown entities (Web-of-Trust doesn't really work there), the best we can do - at least, until we find a better solution - is making tampering as public and noisy as possible, so that it becomes risky for a malicious actor to carry out large-scale attacks.
Keep in mind that DNS requests are not directly done by clients, but rather through hierarchical caching resolvers - assuming that CAs used something like Google's DNS servers, an attacker on the DNS provider's network would have to spoof the DNS responses to Google, and as such have a very large portion of the internet end up on the wrong DNS record.
With the amount of DNS history services and security companies monitoring DNS discrepancies, it'd be pretty much impossible to get away with this quietly. Any attempt at subverting the verification process by changing DNS records would immediately show up everywhere.
> Also - Question for the author: Was the archiving of dnshistory.org successful? Did they recently shut down and use Cloudflare to block ArchiveTeam?
Unfortunately, our archival effort was interrupted by the operators of dnshistory.org enabling "I'm Under Attack" mode. We did not have enough time to implement the bypass before the service shut down (although it is what caused me to write the bypass code linked from the article).
I have to say it was a rather strange case anyway. We'd contacted them well in advance - multiple times, I believe - to ask about obtaining a copy of their data (which would mean we didn't have to scrape their servers), and they'd completely ignored the messages.
Only after we'd contacted them to ask about the block, did they reply with a biting message about "causing issues for other users on the site". Why they thought the impending shutdown and removal wouldn't cause issues for their users, I don't know.
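The discrepancy monitoring described in the reply above, as an added example that is not part of the thread: answers for one name are collected from several vantage resolvers and compared against each other and against a recorded history, so a spoofed answer fed to a single resolver shows up as a divergence. Resolver names, the name `example.test` and all addresses are constructed.

```python
"""Added example, not from the thread: flag DNS answers that disagree across
resolvers or diverge from recorded history. All data below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    resolver: str        # constructed vantage-point name
    name: str
    rrtype: str
    answers: frozenset   # the RRset that resolver returned


# Constructed baseline: what the name has resolved to historically.
HISTORY = {
    ("example.test", "A"): frozenset({"198.51.100.10"}),
}


def find_discrepancies(observations, history=HISTORY):
    """Return findings as tuples:
    ("resolver_divergence", resolver, name, rrtype) when one resolver's
    answer differs from the consensus of the others, and
    ("history_change", name, rrtype) when the consensus itself differs from
    the recorded baseline. Consensus is the most common RRset; on a tie the
    first-seen RRset wins (Counter.most_common is insertion-ordered)."""
    by_key = {}
    for ob in observations:
        by_key.setdefault((ob.name, ob.rrtype), []).append(ob)

    findings = []
    for (name, rrtype), obs in by_key.items():
        counts = Counter(ob.answers for ob in obs)
        consensus, _ = counts.most_common(1)[0]
        # Any resolver that disagrees with the consensus is suspicious:
        # a spoofing attempt that reached only one resolver lands here.
        for ob in obs:
            if ob.answers != consensus:
                findings.append(("resolver_divergence", ob.resolver, name, rrtype))
        # If every resolver agrees but the answer moved, the change is
        # legitimate or wide-scale; either way it is visible and logged.
        baseline = history.get((name, rrtype))
        if baseline is not None and consensus != baseline:
            findings.append(("history_change", name, rrtype))
    return findings
```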
I agree with the distinction you make between targeted and non-targeted. But I think being able to easily accomplish targeted attacks on SSL/TLS is a cause for concern -- and indeed that's what I'm thinking of. My thought is that it should not be possible for users to place such trust in something that is so easily subverted. As for DNS, I see no reason why one cannot encrypt DNS packets to prevent tampering. If users ignorantly want to use third party caches (which opens up more problems than just the one you mentioned), even when it's so easy to run a local cache, then we see arguments for another "trust model", e.g., DNSSEC, etc. Same problems.
[1]: http://cryto.net/~joepie91/blog/2015/05/01/on-mozillas-force...