nanog mailing list archives

RE: Exploit for DNS Cache Poisoning - RELEASED


From: Skywing <Skywing () valhallalegends com>
Date: Wed, 23 Jul 2008 22:40:47 -0500

Bookmarks or favorites or whatever your browser of choice wishes to call them, for the https URLs.  That, or remember to type in the https:// prefix.

- S

-----Original Message-----
From: Patrick W. Gilmore [mailto:patrick () ianai net]
Sent: Wednesday, July 23, 2008 11:01 PM
To: nanog () merit edu
Subject: Re: Exploit for DNS Cache Poisoning - RELEASED

On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote:
> On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
>> Luckily we have the SSL/CA architecture in place to protect any web
>> page served over SSL. It's a good job users are not conditioned to
>> click "OK" when told "the certificate for this site is invalid".
>
> 'course, as well as relying on users not ignoring certificate warnings,
> SSL as protection against this attack relies on the user explicitly
> choosing SSL (by manually prefixing the URL with https://), or noticing
> that the site didn't redirect to SSL.
>
> Your average Joe who types www.paypal.com into their browser may very
> well not notice that they didn't get redirected to
> https://www.paypal.com/

That did not even occur to me.

Anyone have a foolproof way to get grandma to always put "https://" in
front of "www"?

Seriously, I was explaining the problem to someone saying "never click
'OK'" when this e-mail came in and I realized how silly I was being.

Help?

--
TTFN,
patrick



