Why don't browsers usually request inclusion/consistency proofs from CT logs?
Because of privacy and performance reasons.
Asking a log for an inclusion proof for a certificate reveals which site the user is visiting, which would leak browsing history to the log operator.
3 ways to deliver an SCT to the browser
X.509v3 certificate extension
TLS extension
OCSP Stapling
What problem is DNSSEC trying to solve
DNS is a fundamental component for many applications on the WWW. For many services, the authenticity and integrity of DNS information are essential.
How many keys does every zone have, why
4 keys in 2 key pairs.
Zone Signing Keypair (ZSK)
Key Signing Keypair (KSK)
What does HSTS do
HSTS instructs browser to access a domain exclusively via HTTPS
Mitigates the SSL stripping attack, where an active attacker intercepts the initial HTTP request and prevents the redirect to HTTPS
Still relies on Trust On First Use (TOFU)
The very first request (and its redirect) is still sent over plain HTTP before the browser has seen the header
That first request is still susceptible to stripping
Solution: HSTS preloading
What is HSTS
HTTP Strict Transport Security is a security mechanism where a web server instructs the browser (via the Strict-Transport-Security response header) to only access the domain via HTTPS for a specified period of time (max-age)
Why do we have 2 zone key pairs
The parent zone only publishes a DS record (a hash) of the KSK, and the KSK signs only the DNSKEY RRset. The ZSK signs all other records in the zone and can therefore be rotated frequently, or kept small for performance, without touching the parent zone.
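Added example (not from the original notes) showing why only the KSK is pinned by the parent: the DS digest and key tag are computed as in RFC 4034 sections 5.1.4 and Appendix B with SHA-256 (digest type 2, RFC 4509). Key material is a constructed stand-in: random 32-byte values in place of Ed25519 public keys (DNSSEC algorithm 15); no signatures are produced.

```python
"""KSK vs ZSK: rolling the ZSK leaves the parent's DS record untouched (added example)."""
import hashlib
import os
import struct

ALG_ED25519 = 15      # DNSSEC algorithm number for Ed25519
FLAGS_ZSK = 256       # Zone Key bit only
FLAGS_KSK = 257       # Zone Key bit + Secure Entry Point bit
DIGEST_SHA256 = 2     # DS digest type


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, ALG_ED25519) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, ksk_rdata: bytes) -> str:
    """DS digest = SHA-256(owner name wire format || DNSKEY RDATA of the KSK)."""
    return hashlib.sha256(name_to_wire(owner) + ksk_rdata).hexdigest().upper()


class Zone:
    """Toy zone holding one KSK and one ZSK (public key bytes are random placeholders)."""

    def __init__(self, owner: str):
        self.owner = owner
        self.ksk = os.urandom(32)
        self.zsk = os.urandom(32)

    def ds(self) -> str:
        """The DS record the parent zone publishes: it covers the KSK only."""
        rdata = dnskey_rdata(FLAGS_KSK, self.ksk)
        return f"{self.owner} DS {key_tag(rdata)} {ALG_ED25519} {DIGEST_SHA256} {ds_digest(self.owner, rdata)}"

    def signer_for(self, rrtype: str) -> str:
        """Which key produces the RRSIG for a given RRset type."""
        return "KSK" if rrtype == "DNSKEY" else "ZSK"

    def roll_zsk(self) -> None:
        self.zsk = os.urandom(32)   # local change only; parent DS unchanged

    def roll_ksk(self) -> None:
        self.ksk = os.urandom(32)   # requires publishing a new DS at the parent


if __name__ == "__main__":
    z = Zone("example.")
    print(z.ds())
    z.roll_zsk()
    print("after ZSK roll:", z.ds())
    z.roll_ksk()
    print("after KSK roll:", z.ds())
```

Rolling the ZSK is an operation fully under the child's control; rolling the KSK means coordinating a DS update with the registrar or parent operator, which is why the KSK is changed rarely and signs as little as possible.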
Which improvement does the NSEC3 resource record provide? What problem does NSEC have?
NSEC provides authenticated denial of existence, but because each NSEC record names the next existing owner name in plaintext, an attacker can walk the chain and enumerate all names in the zone.
NSEC3 impedes this practice by storing the (salted, iterated) cryptographic hash of the next owner name instead of its plaintext. It only raises the cost, however: an attacker can still hash a dictionary of candidate names offline and compare against the chain.
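Added example (not from the original notes) that walks the denial-of-existence chain of a constructed toy zone, first with NSEC and then with NSEC3, and then runs the offline dictionary attack that NSEC3 does not prevent. The hash follows RFC 5155 section 5 (SHA-1 over the wire-format owner name, salted and iterated, base32hex-encoded); the zone names, salt and iteration count are assumptions for illustration, and RFC 5155 Appendix A has official vectors to compare against.

```python
"""NSEC chain walking vs NSEC3 hashing (added example, constructed zone)."""
import base64
import hashlib

# Constructed zone contents and NSEC3 parameters (not from any real zone).
ZONE_NAMES = ["example.", "www.example.", "mail.example.", "secret-dev.example."]
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# RFC 4648 base32 alphabet -> base32hex alphabet (which preserves sort order).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()


def canonical_sort(names):
    """Simplified canonical ordering (RFC 4034 6.1): compare labels right to left."""
    return sorted(names, key=lambda n: list(reversed(n.lower().rstrip(".").split("."))))


def build_nsec_chain(names):
    """owner -> next owner name, in canonical order, wrapping back to the apex."""
    ordered = canonical_sort(names)
    return {o: ordered[(i + 1) % len(ordered)] for i, o in enumerate(ordered)}


def build_nsec3_chain(names, salt, iterations):
    """hashed owner -> next hashed owner; plaintext names never appear."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def walk_chain(chain, start):
    """What an attacker learns by following 'next' pointers until the chain wraps."""
    seen = [start]
    nxt = chain[start]
    while nxt != start:
        seen.append(nxt)
        nxt = chain[nxt]
    return seen


def dictionary_attack(nsec3_chain, candidates, salt, iterations):
    """Offline: hash guessed names and check whether they occur in the NSEC3 chain."""
    return {c for c in candidates if nsec3_hash(c, salt, iterations) in nsec3_chain}


if __name__ == "__main__":
    print("NSEC walk :", walk_chain(build_nsec_chain(ZONE_NAMES), "example."))
    chain3 = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    apex = nsec3_hash("example.", SALT, ITERATIONS)
    print("NSEC3 walk:", walk_chain(chain3, apex))
    guesses = ["www.example.", "ftp.example.", "mail.example."]
    print("recovered :", dictionary_attack(chain3, guesses, SALT, ITERATIONS))
```

The NSEC walk yields every name in the zone, including the one a domain owner would rather keep unadvertised. The NSEC3 walk yields only hashes, but common names are recovered as soon as they appear in the attacker's wordlist; only names outside the wordlist stay hidden, and a larger iteration count merely slows the guessing.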
How does HSTS preloading work
The domain owner submits the domain to the HSTS preload list, which is shipped inside the browser.
The browser enforces HTTPS for that domain before any first connection.
No initial insecure HTTP request is made, so there is nothing for an SSL stripping attacker to intercept.
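Added example (not from the original notes) simulating the client side of the HSTS, TOFU and preloading points above: a minimal browser with an HSTS store and a preload list, an honest site, and an SSL stripping attacker, all as constructed in-memory stand-ins. The header grammar follows RFC 6797 section 6.1, and the rule that the header is only honoured over a secure connection follows RFC 6797 section 8.1; the host name, max-age and scenarios are assumptions for illustration.

```python
"""HSTS store, Trust On First Use, SSL stripping and preloading, simulated (added example)."""
from dataclasses import dataclass

HOST = "shop.example.test"          # constructed host name
ONE_YEAR = 31536000


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def parse_hsts(header: str):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class Site:
    """Honest origin: redirects plaintext to HTTPS, sets HSTS only on HTTPS (constructed)."""
    def __init__(self, hsts_header: str):
        self.hsts_header = hsts_header

    def fetch(self, scheme: str, host: str) -> Response:
        if scheme == "http":
            return Response(301, {"location": f"https://{host}/"})
        return Response(200, {"strict-transport-security": self.hsts_header}, "secure page")


class SslStrip:
    """Active attacker on the path: answers plaintext requests itself, drops the upgrade."""
    def __init__(self, upstream):
        self.upstream = upstream

    def fetch(self, scheme: str, host: str) -> Response:
        if scheme == "http":
            real = self.upstream.fetch("https", host)       # attacker talks TLS to the site
            return Response(200, {}, real.body)             # victim gets plaintext, no HSTS
        return self.upstream.fetch(scheme, host)


class Browser:
    def __init__(self, preload=(), now=0):
        self.preload = set(preload)   # preload entries imply includeSubDomains
        self.store = {}               # host -> (expiry, include_subdomains)
        self.now = now

    def is_hsts_host(self, host: str) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.preload:
                return True
            entry = self.store.get(cand)
            if entry and entry[0] > self.now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url: str, network, requests=None):
        """Return the list of URLs actually requested on the wire."""
        requests = [] if requests is None else requests
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0]
        if self.is_hsts_host(host):
            scheme = "https"                    # upgraded before any packet leaves
        requests.append(f"{scheme}://{host}/")
        resp = network.fetch(scheme, host)
        if scheme == "https":                   # header is ignored over plain HTTP
            parsed = parse_hsts(resp.headers.get("strict-transport-security", ""))
            if parsed:
                max_age, sub = parsed
                if max_age == 0:
                    self.store.pop(host, None)
                else:
                    self.store[host] = (self.now + max_age, sub)
        if resp.status == 301 and len(requests) < 5:
            return self.navigate(resp.headers["location"], network, requests)
        return requests


SITE = Site(f"max-age={ONE_YEAR}; includeSubDomains")


def first_visit_honest():
    b = Browser()
    return b.navigate(f"http://{HOST}/", SITE), b.navigate(f"http://{HOST}/", SITE)


def first_visit_stripped():
    b, atk = Browser(), SslStrip(SITE)
    return b.navigate(f"http://{HOST}/", atk), b.navigate(f"http://{HOST}/", atk)


def preloaded_visit_stripped():
    return Browser(preload={"example.test"}).navigate(f"http://{HOST}/", SslStrip(SITE))


def expired_entry_stripped():
    b = Browser()
    b.navigate(f"http://{HOST}/", SITE)
    b.now = ONE_YEAR + 1                        # policy lapsed; TOFU window reopens
    return b.navigate(f"http://{HOST}/", SslStrip(SITE))
```

On an honest network the first visit costs one plaintext request plus the redirect, and every later visit goes straight to HTTPS. With the attacker present on the first visit, the browser never sees the header, so it stays on plaintext indefinitely; only the preloaded browser never emits a plaintext request. The last scenario is the practitioner's caveat: the protection is only as long as max-age, so a short value or a lapse in deployment reopens the window.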