upvote

points

by thayne10 hours ago |
comments
upvoteby tptacek10 hours ago|
next
[-]
There's no commercial compliance regime that requires DNSSEC (FedRAMP might be the only exception --- I'm uncertain about the current state of FedRAMP DNSSEC rules --- but that makes sense given that DNSSEC is a giant key escrow scheme.)
reply
upvoteby thayne7 hours ago|
parent|
[-]
FedRAMP requires it, although like many requirements, you may be able to get out of it if you have a good reason and/or your sponsoring agency doesn't care about it.

There are also some large businesses that require, or strongly pressure SaaS providers to use DNSSEC. You can often contest that, but if you have DNSSEC, that's one less thing to argue about in the contract.

reply
upvoteby tptacek7 hours ago|
parent|
[-]
Which businesses are those? (I ask because if they're North American, I have a pretty good sense of which large North American businesses even have DNSSEC signatures set up, and it's not many; small enough that you can easily memorize the list.)
reply
upvoteby whh2 hours ago|
prev|
next
[-]
I found another reason... MS365 require DNSSEC to be enabled if you want DANE for TLS-enforced SMTP. You could also use MTA-STS.
reply
upvoteby pocksuppet9 hours ago|
prev|
[-]
Probably the most common reason to use TLS is to check a box on a list of compliance rules. Is that bad?
reply
upvoteby weird-eye-issue9 hours ago|
parent|
next
[-]
Do browsers even load non-HTTPS sites anymore without a massive warning?
reply
upvoteby red_admiral4 hours ago|
parent|
next
[-]
neverssl.com works fine for me, only a small warning in the place where the padlock usually is, that no-one checks anyway.

The browser would be very unhappy with an <input type="password"/> on a non-TLS site (localhost excepted). HSTS would trigger the "massive" warning and refuse to load the site, however.

reply
upvoteby weird-eye-issue1 hours ago|
parent|
[-]
It's more pronounced on desktop

Ah yes I think the HSTS issue is what I was thinking of

reply
upvoteby pocksuppet8 hours ago|
parent|
prev|
[-]
Yes, they do.
reply
upvoteby weird-eye-issue6 hours ago|
parent|
[-]
Yeah just ignore the big "not secure" warning in the URL bar
reply
upvoteby pocksuppet5 hours ago|
parent|
[-]
I just checked it. You mean the very small open padlock icon? The era of browsers warning loudly about HTTP was a decade ago, it got reversed due to pushback.
reply
upvoteby weird-eye-issue4 hours ago|
parent|
[-]
Well I checked both Chrome and Firefox on mobile and my desktop and they were all much more obvious than just an "open padlock". They both said "Not Secure" and in Firefox it was bright red text. Also in incognito mode Chrome refused to even open the site without a full screen warning. They all make it super clear non-HTTPS sites are not secure so I'm not really sure what your point is?
reply
upvoteby liveoneggs9 hours ago|
parent|
prev|
[-]
browsers pushed it, not compliance
reply