DNSとTLSの ビミョーな関係 (The Subtle Relationship Between DNS and TLS) - DNSOPS.JP, dnsops.jp/event/20150724/dns-tls.pdf
The Subtle Relationship Between DNS and TLS
Tomoyuki Sahara (佐原 具幸), Internet Initiative Japan Inc.
HTTPS client
Problems I ran into while building one.
The relationship between domain names and TLS
When we say TLS, HTTPS is the representative example
HTTPS is HTTP made secure
What do we actually mean by "secure"?
The content the browser fetched over HTTP (HTML/CSS/JavaScript)
and
the mysterious string displayed at the top of the browser:
the correspondence between the two
has been verified with a certificate, vouched for by a certificate authority, that the OS/browser vendor has approved. That is what is being called "secure".
With an EV certificate this is a little easier to understand
Domain name
Content (HTML etc.)
Actually, there is still a gap
Domain name
Content
Server X.509 certificate
TLS on TCP
This part is shaky
The key (and creepy) part: wildcard certificates
A widely used technique
The wildcard character * (star) matches any string
*.google.com
news.google.com
maps.google.com
images.google.com
video.google.com
plus.google.com
play.google.com
How convenient ♥
Hmm? Wait a moment...
The ultimate certificate:
"*"
x (no)
RFC 2818, section 3.1: Names may contain the wildcard character * which is considered to match any single domain name component or component fragment.
Then what about "*.jp"?
o or x (yes or no?)
Implementation-dependent... orz
Which implementations accept a "*.jp" wildcard certificate?
Accepts | Does not accept
Python Ruby Safari
curl (Mac) wget
Chrome Firefox LibreSSL
curl (OpenSSL) ???
Trusting a certificate like "*.jp" is a vulnerability! Then just fix it.
Then what about "*.google"...?
o or x: the situation is no different from "*.jp".
What? But we haven't done anything wrong.
In short, is it enough to be able to prove that the names are operated under a single administrative entity?
Ah, I have heard this somewhere before.
The Public Suffix List!
And so,
the day may come when the Public Suffix List is used for validating wildcard certificates too...?
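The matching rules the slides walk through (RFC 2818's single-label wildcard, the bare "*" case, the implementation-dependent treatment of "*.jp" and "*.google", and the idea of consulting the Public Suffix List) as an added worked example in Python. This is not code from the slides or from any of the implementations named in the table. The three policy names are introduced here for illustration, and the Public Suffix List subset is a constructed fragment, not the real list (which also carries "*." wildcard rules and "!" exception rules that this example omits).

```python
from __future__ import annotations
from enum import Enum

# Added example, not code from the original slides or from any implementation
# named in them. It contrasts three ways of deciding whether a wildcard
# certificate name may be used at all, then matches the name against a host.


class Policy(Enum):
    LITERAL = "rfc2818-literal"   # any parent domain, even a bare TLD
    TWO_LABELS = "two-labels"     # heuristic: at least two labels after "*"
    PSL = "public-suffix-list"    # reject when the parent is a public suffix


# Constructed subset of the Public Suffix List for this example only.
# The real list (publicsuffix.org) also has "*." wildcard rules and "!"
# exception rules, which are omitted here.
PUBLIC_SUFFIXES = frozenset({
    "jp", "co.jp", "ne.jp",   # .jp and two of its second-level public suffixes
    "com", "net",
    "google",                 # brand TLD: one operator, yet a public suffix
})


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def is_public_suffix(domain: str) -> bool:
    """True when the whole domain is a rule in the (constructed) list."""
    return ".".join(_labels(domain)) in PUBLIC_SUFFIXES


def wildcard_is_acceptable(pattern: str, policy: Policy) -> bool:
    """May a certificate name containing '*' be used at all under this policy?"""
    labels = _labels(pattern)
    # RFC 6125 6.4.3 style: '*' must be the entire leftmost label and no
    # other label may contain '*' (so "f*.com" style fragments are refused).
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    parent = labels[1:]
    if not parent:
        return False            # a bare "*" would match every name
    if policy is Policy.TWO_LABELS:
        return len(parent) >= 2
    if policy is Policy.PSL:
        return not is_public_suffix(".".join(parent))
    return True                 # Policy.LITERAL


def name_matches(pattern: str, hostname: str, policy: Policy = Policy.PSL) -> bool:
    """Match a certificate dNSName/CN against the host the client asked for."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if not wildcard_is_acceptable(pattern, policy):
        return False
    # '*' stands for exactly one label: "*.google.com" matches
    # "maps.google.com" but neither "google.com" nor "a.b.google.com".
    return len(p) == len(h) and p[1:] == h[1:] and h[0] != "" and "*" not in h[0]


def verdicts(pattern: str, hostname: str) -> dict[str, bool]:
    """Evaluate one (certificate name, hostname) pair under every policy."""
    return {pol.value: name_matches(pattern, hostname, pol) for pol in Policy}


if __name__ == "__main__":
    # Names from the slides plus "*.co.jp" to show the heuristic's gap.
    for pat, host in [("*.google.com", "maps.google.com"),
                      ("*", "anything.example"),
                      ("*.jp", "example.jp"),
                      ("*.co.jp", "example.co.jp"),
                      ("*.google", "maps.google")]:
        print(f"{pat:14} vs {host:18} {verdicts(pat, host)}")
```

Running it prints each policy's verdict for the names from the slides. The two-label heuristic rejects "*.jp" but also rejects "*.google" while still accepting "*.co.jp"; the list-based policy rejects all three. That is the trade-off the slides point at: the Public Suffix List encodes administrative boundaries, so a brand TLD run by a single operator is still treated as a public suffix, and a client that wants to accept "*.google" needs information the list does not carry.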
The end