[kictanet] KENIC is wanting
McTim
dogwallah at gmail.com
Tue Mar 30 20:34:30 EAT 2010
On Tue, Mar 30, 2010 at 7:54 PM, Michuki Mwangi <michuki at swiftkenya.com> wrote:
> Hi Robert,
>
> robert yawe wrote:
>> Hi,
>>
>> How safe is .ke if the servers have questionable security certificates?
>> It seems we are taking these ccTLD issues very lightly.
>>
>
> Funny that you interpret a self signed certificate as taking ccTLD
> issues lightly.
He is conflating two very separate issues.
>
>> After attending ICANN I am now more informed about the importance of
>> secure servers and the costs of lax dns issues.
I wonder what costs he is referring to?
>
> Am still trying to see the relationship between an OpenSSL self-signed CA
> and DNS security. You may want to provide more details on what your
> understanding of secure servers is and where KENIC is failing.
It's a nit that can be picked, but the cert seems to have expired.
Ffox takes a more nuanced approach to this, here is what it shows me:
"This Connection is Untrusted
You have asked Firefox to connect
securely to registry.kenic.or.ke, but we can't confirm that your
connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
Technical Details
registry.kenic.or.ke uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for Ke NIC
The certificate expired on 12/7/2009 12:28 PM.
(Error code: sec_error_expired_issuer_certificate)
I Understand the Risks"
DNSSEC was designed to protect against a limited set of attacks, such
as DNS cache poisoning, Man in the middle, etc. It provides: a) origin
authentication of DNS data, b) data integrity, and c) authenticated
denial of existence. DNSSEC, if implemented, only provides security
when you ask a question of the DNS database (in this case, Robert's
browser had asked "what is the IP address of kenic.or.ke?"). It's
nothing to do with https or CAs, self signed or not. That's a
completely different layer.
--
Cheers,
McTim
"A name indicates what we seek. An address indicates where it is. A
route indicates how we get there." Jon Postel
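To make the two-layers point concrete, here is an added example (not part of this thread or of any KENIC code) that checks the DNSSEC layer and the TLS layer independently: the AD bit a validating resolver sets in a DNS response header, and the self-signed/expiry checks Firefox was complaining about. The DNS headers and the certificate dict are constructed to mirror the message above (the 12/7/2009 date is read here as 7 December 2009); nothing is fetched from the network.

```python
import ssl
import struct

# Constructed 12-byte DNS response headers: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# FLAGS 0x81A0 = QR|RD|RA|AD: a validating resolver vouches for the answer (DNSSEC layer).
# FLAGS 0x8180 = QR|RD|RA: the same answer with no DNSSEC validation asserted.
DNS_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
DNS_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

# Constructed certificate in the dict shape ssl.getpeercert() returns. Values mirror the
# Firefox text above (self-signed, expired 7 Dec 2009); this is NOT a real KENIC certificate.
KENIC_LIKE_CERT = {
    "subject": ((("commonName", "Ke NIC"),),),
    "issuer": ((("commonName", "Ke NIC"),),),
    "notAfter": "Dec  7 12:28:00 2009 GMT",
}


def dns_flags(header: bytes) -> dict:
    """Decode the DNS header flag word; AD is the bit a validating resolver sets."""
    _, flags, *_ = struct.unpack("!HHHHHH", header[:12])
    return {
        "qr": bool(flags & 0x8000),   # response, not query
        "ad": bool(flags & 0x0020),   # Authenticated Data (DNSSEC validated)
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": flags & 0x000F,
    }


def cert_problems(cert: dict, now: float) -> list:
    """TLS-layer checks only: trust chain (self-signed) and validity period."""
    problems = []
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    return problems


def assess(dns_header: bytes, cert: dict, now: float) -> dict:
    """One verdict per layer: DNSSEC says whether the DNS *answer* is authentic,
    TLS says whether the *server you then reach* proves its identity."""
    return {
        "dnssec_validated": dns_flags(dns_header)["ad"],
        "tls_problems": cert_problems(cert, now),
    }


if __name__ == "__main__":
    march_2010 = 1_270_000_000  # epoch seconds, shortly after this post was written
    for label, hdr in (("validated", DNS_VALIDATED), ("unvalidated", DNS_UNVALIDATED)):
        print(label, assess(hdr, KENIC_LIKE_CERT, march_2010))
```

A validated answer still ends in a server with a self-signed, expired certificate, and an unvalidated answer would still pass a server with a proper certificate: fixing one layer does nothing for the other.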