nanog mailing list archives
Re: Exploit for DNS Cache Poisoning - RELEASED
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Wed, 23 Jul 2008 23:01:11 -0400
On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote:
On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:Luckily we have the SSL/CA architecture in place to protect any web page served over SSL. It's a good job users are not conditioned to click "OK" when told "the certificate for this site is invalid".'course, as well as relying on users not ignoring certificate warnings,SSL as protection against this attack relies on the user explicitlychoosing SSL (by manually prefixing the URL with https://), or noticingthat the site didn't redirect to SSL. Your average Joe who types www.paypal.com into their browser may very well not notice that they didn't get redirected to https://www.paypal.com/
That did not even occur to me.Anyone have a foolproof way to get grandma to always put "https://" in front of "www"?
Seriously, I was explaining the problem to someone saying "never click 'OK'" when this e-mail came in and I realized how silly I was being.
Help? -- TTFN, patrick
Current thread:
- RE: Exploit for DNS Cache Poisoning - RELEASED, (continued)
- RE: Exploit for DNS Cache Poisoning - RELEASED Robert D. Scott (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED David Conrad (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Mike Lewinski (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Kevin Day (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED William Herrin (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco (Jul 24)
- Re: Exploit for DNS Cache Poisoning - RELEASED Tony Finch (Jul 24)
- Re: Exploit for DNS Cache Poisoning - RELEASED Joe Abley (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Jasper Bryant-Greene (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Patrick W. Gilmore (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Jared Mauch (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Mike Lewinski (Jul 23)
- RE: Exploit for DNS Cache Poisoning - RELEASED Skywing (Jul 23)
- Re: Exploit for DNS Cache Poisoning - RELEASED Matthew Kaufman (Jul 23)
- https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Robert Kisteleki (Jul 24)
- Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Steven M. Bellovin (Jul 24)
- Re: https Sam Stickland (Jul 24)
- Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Jeffrey Ollie (Jul 24)
- Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Hank Nussbacher (Jul 24)
- Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Jim Popovitch (Jul 24)