Comment Convergence vs DNSSEC? (Score 1) 189
If I control the DNS entry for paypal.com then I just change its IP address to point at my server. People using convergence will find my server in DNS, get its (self-signed) certificate and send it to the notaries. The notaries will see that it is different from their cached copy, which will trigger them to check for updates. They'll all go to the (compromised) DNS system, get the new IP address, get the fake certificate and return "OK" to the user. What am I missing?