A man-in-the-middle attach targeting Iranian users of Gmail left them vulnerable to having their logins stolen, and prompted discussion of DNSSEC’s security protocols. In “Google Users in Iran Targeted in SSL Spoof,” CNet News notes that DNSSEC offers an alternative to validating legitimate sites. From the article:
“The SSL ‘race to the bottom’ CA model is broken. Fraudulent certificates have been issued before, even without breaching a CA’s systems,” Johannes B. Ullrich, dean of research at the SANS Technology Institute, wrote in a blog post today. “But what can you do to replace or re-enforce SSL?”
DNSSEC (Domain Name System Security) can provide another way to validate that a site is legitimate, but it is not perfect, either, he said. In addition, there are browser plug-ins that implement reputation systems. One plug-in that has gained traction is Convergence, which works with Firefox and compares the certificate with other certificates received from the same site, he said.