I’ve long been a big believer in the Adam Smith invisible hand. The concept that small economic tilt creates huge output affect.

Seems like the current US telecom regulator reads that too. You see, in the US, telecom subsidies (universal service funds) are a big thing for a lot of telecom. And now, if you receive these, you can no longer buy Chinese telecom (Huawei, ZTE) equipment. DOC-349937A1 has a lot more detail, but it seems in this case the invisble hand is a pimp hand!

 

With so many things relying on the security of DNS (it controls your SPF, your DKIM, your CAA, generating SSL for your domain, …), and with DNS security being one of the keys to avoiding a man-in-the-middle attack, it behooves us to make sure it is ultimately very secure.

This means the usual (2-factor authentication, locking the domain, etc), but it also means enabling DNSSEC. And this is not very common. According to ISOC, and associated reports, we are not looking great. 1400 of 1544 TLD are signed (so not terrible I guess), but we are looking more like 12% for the global list.

You can test your own domain here, my results shown at right. If you are not DNSSEC, I would recommend taking some action to enable it.

Breaking down per country, we can see that Canada is @ 13.37%, slightly worse than The Democratic Republic of Congo (side note, you notice how countries with the word Democratic in the name rarely are?)

So, who here is going to go and see how to get DNSSEC on their domain? If your registrar doesn’t support it, ask them to, or threaten to move. Its very simple to move your domain from one registrar to another.

This is a very cheap way of improving your security.

OK, not all DNS providers support this. But, if yours does, consider adding a CAA record. What is a CAA record you ask? Its a DNS Certification Authority Authorisation, and its a very simple thing to add and use that increases your security. It allows one to assert, via DNS, which certificate authorities can issue certificates for their domains. Its pretty simple, you add a record like:

example.com. CAA 0 issue "letsencrypt.org"

and call it a day. It can get more complex if you need, e.g. 1 provider for wildcards, one for non, etc. But, for most people, a single record will get them going.

So why would you do this? Well, what if (and not actually if, it has already happened) a certificate authority is compromised? In 2011 an Iranian hacker broke into (a reseller for) Comodo and issued certificates for Gmail, Hotmail, … and then later, another provider. The net effect was a man-in-the-middle compromise.

So, your browser trusts root X & Y, and your site is signed by root Y, you put in a CAA record for Y, and you reduce your risk. if X is compromised, you are still ok.

Does your site use CAA? Well, test it! Here’s mine.

I was listening to ‘Masters of Scale‘ and episode #22 is with Sara Blakely of Spanx. So I clicked on their website. And my browser blocked it, the SSL site is not valid. So I did a quick check (side note: please test every site you own or influence on www.sslabs.com, it takes only a second. If you find a problem, notify the site owner. Everyone should get an A or better, no B or C).

And as you can see, they got a ‘T’ fail. The reason is, they have a certificate signed by Symantec. And that certificate authority has been distrusted by Mozilla and Google.

So, uh, yeah, now I got a customer-support case open w/ Spanx. So I guess my targeted advertising profile is questioning itself a bit. Or not, we’ll see.

So I was in a meeting today and the WiFi password was ‘Genesis 12-24’. Now I’m not much on the testaments, but I know enough to realise that is most likely a reference to some scripture (it could also be from Star Trek III: The Search for Spock). And lo here it is, linked for your pleasure.

And, since we can now transmit the King James Bible over the Internets without pesky TCP reset packets, here is the excerpt, the usual sort of stuff, you know slavery, incest, adultery (its about Sarah, sister and wife of Abraham).

So, anyone got any speculation on why this would be my WiFi password today?

12 Now the Lord had said unto Abram, Get thee out of thy country, and from thy kindred, and from thy father’s house, unto a land that I will shew thee:
And I will make of thee a great nation, and I will bless thee, and make thy name great; and thou shalt be a blessing:
And I will bless them that bless thee, and curse him that curseth thee: and in thee shall all families of the earth be blessed.
So Abram departed, as the Lord had spoken unto him; and Lot went with him: and Abram was seventy and five years old when he departed out of Haran.
And Abram took Sarai his wife, and Lot his brother’s son, and all their substance that they had gathered, and the souls that they had gotten in Haran; and they went forth to go into the land of Canaan; and into the land of Canaan they came.
And Abram passed through the land unto the place of Sichem, unto the plain of Moreh. And the Canaanite was then in the land.
And the Lord appeared unto Abram, and said, Unto thy seed will I give this land: and there builded he an altar unto the Lord, who appeared unto him.
And he removed from thence unto a mountain on the east of Bethel, and pitched his tent, having Bethel on the west, and Hai on the east: and there he builded an altar unto the Lord, and called upon the name of the Lord.
And Abram journeyed, going on still toward the south.
10 And there was a famine in the land: and Abram went down into Egypt to sojourn there; for the famine was grievous in the land.
11 And it came to pass, when he was come near to enter into Egypt, that he said unto Sarai his wife, Behold now, I know that thou art a fair woman to look upon:
12 Therefore it shall come to pass, when the Egyptians shall see thee, that they shall say, This is his wife: and they will kill me, but they will save thee alive.
13 Say, I pray thee, thou art my sister: that it may be well with me for thy sake; and my soul shall live because of thee.
14 And it came to pass, that, when Abram was come into Egypt, the Egyptians beheld the woman that she was very fair.
15 The princes also of Pharaoh saw her, and commended her before Pharaoh: and the woman was taken into Pharaoh’s house.
16 And he entreated Abram well for her sake: and he had sheep, and oxen, and he asses, and menservants, and maidservants, and she asses, and camels.
17 And the Lord plagued Pharaoh and his house with great plagues because of Sarai Abram’s wife.
18 And Pharaoh called Abram and said, What is this that thou hast done unto me? why didst thou not tell me that she was thy wife?
19 Why saidst thou, She is my sister? so I might have taken her to me to wife: now therefore behold thy wife, take her, and go thy way.
20 And Pharaoh commanded his men concerning him: and they sent him away, and his wife, and all that he had.