mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License
155 stars 11 forks source link

[Request] Enable DNSSEC on your domain #28

Closed ghost closed 4 years ago

ghost commented 4 years ago

Hello i have a simple request, on the domain (www.mike-gualtieri.com), you use for the test, the domain isn't DNSSEC signed, can you enable this DNSSEC validation ?

It's not mandatory but add some security to prevent dns spoofing of your domain name.

Thanks. Aelisya

ghost commented 4 years ago

after a longer test on Internet.nl i see some security error on your domain :

https://internet.nl/site/www.mike-gualtieri.com/906106/

it would be nice to correct them ;)

mlgualtieri commented 4 years ago

I'm going to close this one. A few reasons:

1) The bug related to my personal website not the plugin.

2) SSL is well configured on my site. It currently has an A+ rating via Qualys SSL labs: https://www.ssllabs.com/ssltest/analyze.html?d=www.mike-gualtieri.com&hideResults=on

3) I don't really see any significant security benefit by using DNSSEC for my website. The site's SSL configuration uses CAA and HSTS, which should cut down on any MITM issues that could potentially take place.

I certainly do welcome being notified of potential security issues! I just don't see anything in that link that poses a realistic threat to the site or visitors.

ghost commented 4 years ago

i understand but DNSSEC is mandatory for other security services (TLSA/DANE), and it will prevent DNS Poisoning of user. CAA lock certificate provider, but it doesn't mean the provider can't be hack or bug, and create a certificate of your domain for another user, hsts only force https and doesn't protect the domain from poisoning. The DNSSEC validation forbid dnspoisoning, and i thinks two protection is better than one.

Lastly the ICANN recomand DNSSEC and since it's free why not activate it ? source : https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

ghost commented 4 years ago

and for hsts i can recommand you to add it in hsts preloading list (added and modified every major update of browser) for better security : https://hstspreload.org/

mlgualtieri commented 4 years ago

When it comes down to it, I just don't see DNSSEC as a priority to implement at the moment for my personal website/blog. Although DNSSEC has merit, it's not widely utilized on most large websites, where DNS poisoning may actually fit into a threat model. As for HSTS, the reason I haven't configured preloading, is because it's very difficult to undo this process.

ghost commented 4 years ago

no problem, i totally understand your choice (it cost noting to ask ^^).