Hi,

How safe is .ke if the servers have questionable security certificates? It seems we are taking these ccTLD issues very lightly. After attending ICANN I am now more informed about the importance of secure servers and the costs of lax DNS issues.

Regards
Robert Yawe
KAY System Technologies Ltd
Phoenix House, 6th Floor
P O Box 55806
Nairobi, 00200
Kenya
Tel: +254722511225, +254202010696
Hi Robert,

robert yawe wrote:
> Hi,
> How safe is .ke if the servers have questionable security certificates? It seems we are taking these ccTLD issues very lightly.

Funny that you interpret a self-signed certificate as taking ccTLD issues lightly.

> After attending ICANN I am now more informed about the importance of secure servers and the costs of lax DNS issues.

I am still trying to see the relationship between an OpenSSL self-signed CA and DNS security. You may want to provide more details on what your understanding of secure servers is and where KENIC is failing.

From my understanding, if KENIC were running:

a) open recursive authoritative DNS servers for .KE;
b) a vulnerable version of BIND or whatever DNS server they run;
c) without slave DNS servers distributed according to RFC 2182;
d) unable to secure the .KE database (please see ICANN's ICP-1 document);
e) not adhering to the recommendations available in the two documents mentioned above;

then I would have cause for concern. However, if KENIC has gone to the extent of providing a secure HTTP connection to their whois page (it's like Google providing an https session to the Google search page), and they are at fault because they did not pay a recognised Certificate Authority to have their certificate signed, then I am at a loss as to what "lax DNS issues" means.

Regards,
Michuki.
On Tue, Mar 30, 2010 at 7:54 PM, Michuki Mwangi <michuki@swiftkenya.com> wrote:
> Hi Robert,
> robert yawe wrote:
>> Hi,
>> How safe is .ke if the servers have questionable security certificates? It seems we are taking these ccTLD issues very lightly.
> Funny that you interpret a self-signed certificate as taking ccTLD issues lightly.

He is conflating two very separate issues.

>> After attending ICANN I am now more informed about the importance of secure servers and the costs of lax DNS issues.

I wonder what costs he is referring to?

> I am still trying to see the relationship between an OpenSSL self-signed CA and DNS security. You may want to provide more details on what your understanding of secure servers is and where KENIC is failing.

It's a nit that can be picked, but the cert seems to have expired. Firefox takes a more nuanced approach to this; here is what it shows me:

"This Connection is Untrusted
You have asked Firefox to connect securely to registry.kenic.or.ke, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
Technical Details
registry.kenic.or.ke uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for Ke NIC
The certificate expired on 12/7/2009 12:28 PM.
(Error code: sec_error_expired_issuer_certificate)
I Understand the Risks"

DNSSEC was designed to protect against a limited set of attacks, such as DNS cache poisoning, man in the middle, etc. It provides:
a) origin authentication of DNS data,
b) data integrity, and
c) authenticated denial of existence.

DNSSEC, if implemented, only provides security when you ask a question of the DNS database (in this case, Robert's browser had asked "what is the IP address of kenic.or.ke?"). It's nothing to do with https or CAs, self-signed or not. That's a completely different layer.

--
Cheers,
McTim
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
Hi McTim, et al,

McTim wrote:
> DNSSEC was designed to protect against a limited set of attacks, such as DNS cache poisoning, man in the middle, etc. It provides: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. DNSSEC, if implemented, only provides security when you ask a question of the DNS database (in this case, Robert's browser had asked "what is the IP address of kenic.or.ke?"). It's nothing to do with https or CAs, self-signed or not. That's a completely different layer.

DNSSEC-aware browsers and resolvers would still be a challenge to end users. There are a lot more problems on end-user infrastructure, from firewalls that block TCP port 53 and limit UDP packets to 512 bytes.

Regards,
Michuki.
Hi,

A self-signed certificate that my browser treats as a masquerading site that is unsafe; let's stop deceiving ourselves that we are an island in the vast internet, we have to comply with big brother.

Have you ever tried to understand why your locally issued debit card has a VISA sign on it?

Regards
Robert Yawe
KAY System Technologies Ltd
Phoenix House, 6th Floor
P O Box 55806
Nairobi, 00200
Kenya
Tel: +254722511225, +254202010696

________________________________
From: Michuki Mwangi <michuki@swiftkenya.com>
To: robertyawe@yahoo.co.uk
Cc: KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke>
Sent: Tue, 30 March, 2010 19:54:00
Subject: Re: [kictanet] KENIC is wanting

_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke
http://lists.kictanet.or.ke/mailman/listinfo/kictanet
This message was sent to: robertyawe@yahoo.co.uk
Unsubscribe or change your options at http://lists.kictanet.or.ke/mailman/options/kictanet/robertyawe%40yahoo.co.u...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robert,

robert yawe wrote:
> Hi,
> A self-signed certificate that my browser treats as a masquerading site that is unsafe; let's stop deceiving ourselves that we are an island in the vast internet, we have to comply with big brother.

I have signed this email message. I am sure you will get an error trying to validate my signature. That's because I don't have any online secure trust relationship with you. If we did, you would have a validated signature on your PGP key management database. You would also have known where you got my key from and could vouch for its credibility. So please ask your question again....

> Have you ever tried to understand why your locally issued debit card has a VISA sign on it?

Is VISA security? I still don't understand your relationship between an SSL self-signed certificate and DNS security. Are you referring to DNSSEC? If so, please clarify.

Regards,
Michuki.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAku3EVMACgkQrFzEcG7FWGm9hACePII0ePOy0NwAjhoaaEMVF0fc
OZEAnA7d2vju6DZ/EtrWE/BolPqCZmd9
=YRzN
-----END PGP SIGNATURE-----
Hi,

As requested, let me ask my question again and in a different format.

If I sold you a condom which had a warning from the Ministry of Health that said "We do not recognise the manufacturer of this product nor guarantee its effectiveness", what is the likelihood that you will use the product?

I connected to the KENIC site and Chrome raised an issue on the authenticity of the security signature that the site was presenting. Who do I trust, the local techies telling me that this is quite safe, or Google?

To Wanjiku, her first reaction is to avoid the site, and what stops a sysop somewhere in the developed world, to which we have laid our fibre optic cable, from listing all .ke domains as unsafe?

Let's try and appreciate the global view of issues and also that 99.9% of web users have no appreciation or understanding of the underlying structure of a self-signed or a publicly signed certificate. When a job applicant places his credentials on the table I definitely will take a certificate he presents from wanawatu institute with a kilo of salt as opposed to one issued by KNEC, ICDL (intentionally included) or CISCO.

So Michuki, if you seriously believe that there is no implication to this self-signed certificate at KENIC then tell us so.

Regards
Robert Yawe
KAY System Technologies Ltd
Phoenix House, 6th Floor
P O Box 55806
Nairobi, 00200
Kenya
Tel: +254722511225, +254202010696

________________________________
From: Michuki Mwangi <michuki@swiftkenya.com>
To: robert yawe <robertyawe@yahoo.co.uk>
Cc: KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke>
Sent: Sat, 3 April, 2010 12:58:43
Subject: Re: [kictanet] KENIC is wanting
robert yawe wrote:
> So Michuki, if you seriously believe that there is no implication to this self-signed certificate at KENIC then tell us so.

I am still trying to understand your question. DNS vs SSL? SSL cannot guarantee you that the site you have gone to is www.domain.co.ke, and vice versa. So please clarify what your statements below are all about:

> How safe is .ke if the servers have questionable security certificates? It seems we are taking these ccTLD issues very lightly.

> After attending ICANN I am now more informed about the importance of secure servers and the costs of lax DNS issues.

Regards,
Michuki.
Hey Robert,

Questions and very funny analogy. However, in light of the perception of users, KENIC needs to purchase a CA-signed certificate. No sysop will brand all .ke domains as unsafe, as individual owners need to take care of their own certificates, not KENIC. Oh Robert, the last time I checked KENIC is for local registrations only. I think you need to stick to the DNSSEC issues you raised initially.

Happy Easter

Sent from my BlackBerry®

-----Original Message-----
From: robert yawe <robertyawe@yahoo.co.uk>
Date: Sat, 3 Apr 2010 11:13:44
To: <joshua.amolo@gmail.com>
Cc: KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke>
Subject: Re: [kictanet] KENIC is wanting
Hi Joshua,

joshua.amolo@gmail.com wrote:
> However, in light of the perception of users, KENIC needs to purchase a CA-signed certificate.

This might be an ideal situation. But let's analyse it for a moment. Most of the content available on the KENIC website is for public consumption. As such, is there any additional value/benefit in communicating over a secure session/connection?

> No sysop will brand all .ke domains as unsafe, as individual owners need to take care of their own certificates, not KENIC.

In addition, the sections that need to traverse a secure session (meaning that most likely user names and passwords or private/sensitive data are being transmitted) would require KENIC to have some form of trust relationship with the remote user. I would assume this would be remote access from users related to their business model, like registrars. If that's the case, KENIC may consider publishing their self-signed certificate with instructions on how to load it into any browser.

It may be worth considering that the way SSL certificates work is based on the host name being accessed. Therefore, if KENIC were to purchase an SSL certificate for www.kenic.or.ke they would need to purchase another for any other server on their network that will serve registry functions under a different hostname/server name, like registry.kenic.or.ke, and needs secure connections.

> I think you need to stick to the DNSSEC issues you raised initially.

It would be good to know if his DNS servers (resolvers) are DNSSEC-aware to start with. Is the browser he's using DNSSEC-aware as well?

> Happy Easter

You too :).

Michuki.
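An added example, not code from the thread or from KENIC: the openssl CLI run against locally generated certificates, to reproduce the three complaints Firefox raised earlier in the thread (the issuer is self-signed, the certificate is only valid for one name, and it has expired) and the hostname binding Michuki describes just above. The hostnames www.kenic.or.ke and registry.kenic.or.ke are the ones from the thread; the keys, the one-day validity period, the "Ke NIC" subject and the subjectAltName lists are constructed here for illustration and say nothing about what KENIC actually deployed. One caveat to the last paragraph: a single certificate can cover several hostnames by listing them in its subjectAltName extension, so a second server name does not necessarily need a second certificate, which the fourth check shows.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce with openssl the checks a
# browser applies to a server certificate: is the issuer trusted, does the
# name match the host being visited, is it within its validity period.
# Hostnames are from the thread; keys, validity, subject and SAN lists are
# constructed here for illustration. Needs OpenSSL >= 1.1.1 (-addext, -ext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned PREFIX SAN_LIST
# Self-signed certificate valid for one day, subject "Ke NIC", covering the
# DNS names in SAN_LIST, e.g. "DNS:www.kenic.or.ke,DNS:registry.kenic.or.ke".
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/O=Ke NIC/CN=www.kenic.or.ke" \
        -addext "subjectAltName=$2" >/dev/null 2>&1
}

# show_cert CERTFILE: the fields a browser's "Technical Details" pane shows.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# verify_cert CERTFILE HOSTNAME [CAFILE] [UNIXTIME]
# Echoes "ok" or "fail": the decision a browser makes when HOSTNAME presents
# CERTFILE. With no CAFILE only the system trust store is consulted (our
# self-signed certs are not in it). Passing the cert itself as CAFILE trusts
# it explicitly, which is what "load the published self-signed certificate
# into the browser" amounts to. UNIXTIME evaluates validity at that moment.
verify_cert() {
    extra=""
    [ -n "${3:-}" ] && extra="$extra -CAfile $3"
    [ -n "${4:-}" ] && extra="$extra -attime $4"
    # $extra is intentionally unquoted so the options split into words
    # (paths under mktemp -d contain no spaces).
    if openssl verify -verify_hostname "$2" $extra "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_selfsigned www  "DNS:www.kenic.or.ke"
make_selfsigned both "DNS:www.kenic.or.ke,DNS:registry.kenic.or.ke"

# One year from now, well past the one-day validity: the "expired" case.
NEXT_YEAR=$(( $(date +%s) + 365 * 86400 ))

show_cert "$WORK/www.crt"
echo "self-signed, system trust store only:       $(verify_cert "$WORK/www.crt" www.kenic.or.ke)"
echo "self-signed, explicitly trusted:            $(verify_cert "$WORK/www.crt" www.kenic.or.ke "$WORK/www.crt")"
echo "trusted, but presented by registry host:    $(verify_cert "$WORK/www.crt" registry.kenic.or.ke "$WORK/www.crt")"
echo "SAN covers both names, registry host:       $(verify_cert "$WORK/both.crt" registry.kenic.or.ke "$WORK/both.crt")"
echo "trusted, checked a year from now (expired): $(verify_cert "$WORK/www.crt" www.kenic.or.ke "$WORK/www.crt" "$NEXT_YEAR")"
```

The script runs offline and contacts nothing. The live equivalent of show_cert against a real server is `openssl s_client -connect registry.kenic.or.ke:443 -servername registry.kenic.or.ke </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates`, which is the quickest way to confirm what a browser is complaining about before arguing over whether the complaint matters.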
Robert, to use your analogy, our cigarettes have the surgeons' warning 'cigarette smoking kills', but we smoke leisurely. Even surgeons smoke. But just remember, as Michuki said, 'the content of the Kenic website is for public consumption'. The website is like a public brochure. The only entities who trade through the website are Kenic accredited registrars, including Google, who already have an established trust relationship with each other.

This is not to let Kenic and Michuki off the hook, so it would be in order for the Kenic website to get a proper SSL certificate, or stop using https altogether.

Regards
Mwendwa Kivuva

--
______________________
transworldAfrica.com | Fluent in computing
transworldAfrica.com/domain | The ALL powerful domain search tool
kenya.or.ke | The Kenya we know
Hello Mich,

I am on chat with Lillian right now and here is the rationale for selecting this date for the EAIGF:
===========================================
Lillian Nalwoga: well we can't change now, the initial dates were colliding with the AU summit in Kampala in July, so we changed to 2-4 August which was colliding with the Kenya referendum voting, and the later dates with the Rwanda presidential elections so we had to settle for 11-13 and we can't change anymore!
===========================================
I guess you will have to find a way of working around this now.

Regards,
Douglas Onyango
+256(0712)981329
Life is the educator's practical joke in which you spend the first half learning, and the second half learning that everything you learned in the first was wrong.
participants (6)
- Douglas Onyango
- joshua.amolo@gmail.com
- lordmwesh
- McTim
- Michuki Mwangi
- robert yawe