Bugtraq mailing list archives
Re: BIND bugs of the month (spoofing secure Web sites?)
From: peterw () USA NET (Peter W)
Date: Sat, 13 Nov 1999 21:34:24 -0500
At 1:14am Nov 13, 1999, D. J. Bernstein wrote:
> A sniffing attacker can easily forge responses to your DNS requests. He can steal your outgoing mail, for example, and intercept your ``secure'' web transactions. This is obviously a problem.
If by secure web transactions, you mean https, SSL-protected, then, no they can't. SSL-enabled HTTP uses public keys on the server side to verify server identity. These keys are typically signed by a Certificate Authority (Verisign, Thawte, etc.) and clients will not trust server keys unless they have a valid, non-expired certificate from a known, trusted CA. Even if the attackers monitored all your network communications, they still would not have your web server's private key and its passphrase. While DNS spoofs may be practical, impersonating an SSL-enabled Web server requires considerably more than lying about IP addresses.

-Peter
> We know how to solve this problem with cryptographic techniques. DNSSEC has InterNIC digitally sign all DNS records, usually through a chain of intermediate authorities. Attackers can't forge the signatures.
>
> Of course, this system still allows InterNIC to steal your outgoing mail, and intercept your ``secure'' web transactions. We know how to solve this problem too. The solution is simpler and faster than DNSSEC, though it only works for long domain names: use cryptographic signature key hashes as domain names.
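
Added example, not part of the original post or of any poster's code: a sketch of the two checks discussed above, a name that is the hash of the server's public key (the quoted proposal) and a proof that the server holds the matching private key (the reply's point about SSL). The post names no signature scheme, so Lamport one-time signatures over SHA-256 stand in for one; the base32 encoding, the `.example` suffix and all function names are assumptions.

```python
import base64
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key (stand-in scheme): 256 secret pairs, public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveals one secret per digest bit, so each key may sign only one message.
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    ok = True
    for i, b in enumerate(_bits(msg)):
        start = i * 64 + b * 32
        ok &= H(sig[i * 32:(i + 1) * 32]) == pk[start:start + 32]
    return ok

def key_label(pk):
    # SHA-256 (32 bytes) -> 52 base32 characters, inside the 63-octet DNS label limit.
    return base64.b32encode(H(pk)).decode("ascii").rstrip("=").lower()

def key_name(pk, suffix="example"):
    return key_label(pk) + "." + suffix

def check_server(name, pk, nonce, sig):
    # The name pins the key, so a forged address record alone gains nothing.
    if name.partition(".")[0].lower() != key_label(pk):
        return "key does not match name"
    # Presenting the genuine public key is not enough without its private half.
    if not verify(pk, nonce, sig):
        return "no proof of private key"
    return "ok"
```
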