> It has the advantage of not relying on the Certificate Authority system
I wouldn't say it's an advantage. While the CA system has many flaws, at least it's monitored somehow (for example via Certificate Transparency), while putting keys in DNS would require the app to validate records (does GnuPG do that?), not to mention the queries are not encrypted (so they are visible to any hop) and could be transparently replaced by your government or TLD operator. Many DNS providers do not allow adding "exotic" records.
Actually, CSP can also block content modifications by extensions. I frequently get CSP reports from browsers using plugins that want to insert something on my site. Some time ago I also got CSP reports that indicated the AdBlocker couldn't touch the site either...
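Triaging those reports by the scheme of the blocked URI separates extension noise from resources a site owner should actually look at. The following is an added example (not the commenter's code) run over constructed CSP report JSON; it assumes the standard report-uri `csp-report` envelope and that browsers report extension resources with schemes such as `chrome-extension://` or `moz-extension://`, sometimes as the bare scheme only.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample reports (not from the thread): the report-uri JSON envelope
# is {"csp-report": {...}}; extension-injected resources carry an extension scheme.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "script-src", "blocked-uri": "chrome-extension://abcdefghijklmnopabcdefghijklmnop/inject.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "style-src", "blocked-uri": "moz-extension://0f1e2d3c-aaaa-bbbb-cccc-123456789abc/content.css"}}',
    '{"csp-report": {"document-uri": "https://example.test/a", "violated-directive": "script-src", "blocked-uri": "chrome-extension"}}',
    '{"csp-report": {"document-uri": "https://example.test/a", "violated-directive": "script-src", "blocked-uri": "https://cdn.third-party.test/widget.js"}}',
    '{"csp-report": {"document-uri": "https://example.test/a", "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://example.test/", "violated-directive": "img-src", "blocked-uri": "https://example.test/missing.png"}}',
    'not json at all',
]

# Schemes browsers use for extension-origin resources; some report only the bare scheme.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension"}
INLINE_MARKERS = {"inline", "eval", "self", ""}

def classify(report):
    """Bucket one csp-report object by where the blocked resource came from."""
    blocked = report.get("blocked-uri", "")
    parsed = urlparse(blocked)
    scheme = parsed.scheme or blocked          # bare "chrome-extension" has no "://"
    if scheme in EXTENSION_SCHEMES:
        return "extension"                     # browser add-on noise, not aimed at the site
    if blocked in INLINE_MARKERS:
        return "inline"                        # needs source-file/line-number to judge
    if parsed.hostname == urlparse(report.get("document-uri", "")).hostname:
        return "first-party"                   # usually a policy gap in our own pages
    return "third-party"                       # unexpected external host: review

def triage(raw_reports):
    """Parse raw report bodies, skipping malformed ones, and group them by category."""
    buckets = {"extension": [], "inline": [], "first-party": [], "third-party": []}
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue                           # malformed: drop rather than crash the collector
        buckets[classify(body)].append((body.get("violated-directive"), body.get("blocked-uri")))
    return buckets

if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    print(Counter({k: len(v) for k, v in result.items()}))
    for directive, uri in result["third-party"]:
        print("review:", directive, uri)
```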
> I was only able to get the situation sorted because I know people who work at Google on the Chrome team.
Hehe, one thing all successfully resolved issues have in common - a friend inside of Google. Maybe that's by design... Google employees are not friends with bad guys!
> put my own domain-specific CA Cert in DNS directly.
Remember that this allows your government or anyone controlling the zone to transparently put the cert there too. (For potential problems see [0].)
With the CA system (that I personally also don't like) at least the certs are logged in Certificate Transparency logs so you see any potential attacks.
AFAICT, anyone who controls .com can add or replace a cert for ycombinator.com, but only visibly. If they do it, they show the change to the entire world at once, because .com is signed with DNSSEC. Right?
Your parent mentioned Certificate Transparency. Under CT all the public CAs log the certificates they issue, and everybody can see the logs, programmatically (with cryptographic security) or via a log monitor like crt.sh.
So yes, bad guys operating a TLD can trick a CA into issuing for a domain under theirs, but the CT logs would preserve evidence of this cert existing, and the CA is required to keep records of why it was confident to issue. Monitors would know about the cert within 24 hours (usually much less).
The idea behind the attack they're talking about is that the USG has de jure control over .COM's DNSSEC keys, and so they can in fact edit .COM transparently.
> I recently sold an XPS 13, an i7 9543 model from 2015, which was the first laptop in a long time that I regretted buying.
I've got a 9350 and it's also bad. Coil whine, one firmware update completely bricked it (fortunately it was under warranty), "fun" with accessories (the TB15 was a disaster). Would not recommend.
Actually, it's only the NBD warranty that keeps me with Dell (I used it and it's very convenient). Does Microsoft have something like that?