Bugtraq mailing list archives
Re: BIND bugs of the month (spoofing secure Web sites?)
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Sun, 14 Nov 1999 17:50:22 -0500
In message <In message <Pine.LNX.4.10.9911132116410.18106-100000@localhost>, Peter W writes :
At 1:14am Nov 13, 1999, D. J. Bernstein wrote:A sniffing attacker can easily forge responses to your DNS requests. He can steal your outgoing mail, for example, and intercept your ``secure'' web transactions. This is obviously a problem.If by secure web transactions, you mean https, SSL-protected, then, no they can't. SSL-enabled HTTP uses public keys on the server side to verify server identity. These keys are typically signed by a Certificate Authority (Verisign, Thawte, etc.) and clients will not trust server keys unless they have a valid, non-expired certificate from a known, trusted CA. Even if the attackers monitored all your network communications, they still would not have your web server's private key and its passphrase. While DNS spoofs may be practical, impersonating an SSL-enabled Web server requires considerably more than lying about IP addresses.
In general, no, it doesn't. If use DNS forgery to divert yourfavoriteonlinemerchant.com to my site, I'll make sure that the order page doesn't invoke SSL. Most people don't check the little box... --Steve Bellovin
Current thread:
- Re: BIND bugs of the month (spoofing secure Web sites?) Steven M. Bellovin (Nov 14)