Implementing DANE for RIPE NCC Websites
• 4 min read
In September of this year, we activated DNS-based Authentication of Named Entities (DANE) for our main web services, including www.ripe.net, the LIR Portal, RIPE Atlas and RIPE Labs.
Mihnea-Costin Grigore
Based in Amsterdam, Netherlands
3
Articles
8
Likes on articles
Based in Amsterdam, Netherlands
Mihnea-Costin Grigore is an IT and cybersecurity expert, with extensive experience in areas of software development, networking and project management. He previously held the role of Web Services Team Leader at the RIPE Network Coordination Centre (RIPE NCC), being responsible for the smooth running of the Web Services team, constantly improving the web presence of the RIPE NCC and providing support to the RIPE community.
“All of this has not aged well. The linked Browser Add-On is no longer developed or support because WebExtensions, Browsers have removed drawn support for Public Key Pinning and not replaced it with DANE, and www.ripe.net's DANE record has been invalid for months now (but not labs.ripe.net).”
Chris, you are sadly correct about the poor adoption of DANE during the past six years. The technology is still sound and very much needed, unfortunately it ran against the interests of major enterprises (as it brakes SSL snooping tools) which meant it would never be implemented by the FAMANG group. As Chrome is developed by Google, it's not surprising that they moved away from it, however one would have hoped to see Firefox pick up the task, which they also didn't. The fact that not even Apple is pursuing this technology, despite their alleged focus on privacy and security, makes the case that it may be a losing battle. All the focus seems to now be on Certificate Transparency (https://certificate.transparency.dev/) -- though that covers a different, complementary issue in my opinion. When it comes to the RIPE NCC website itself, the problems is that they're using CloudFlare as a CDN (including their certificates), which means the TLSA records should also be updated in conjunction. Labs is not on the CDN for the time being. I'm not sure what options they have for managing TLSA records within the CloudFlare tools, but maybe a note to webmaster@ripe.net will provide more info?
This is a very useful summary of the on-going work on these topics going on in the EU, thank you for the continued coverage!
This is quite interesting, would be great to see continued coverage of the topic from the NCC. On a related note, does the NCC have any official or advisory position on any of these initiatives which will certainly affect the membership?
Showing 3 comment(s)