nanog mailing list archives
Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)
From: Jasper Bryant-Greene <jasper () unleash co nz>
Date: Thu, 24 Jul 2008 20:13:57 +1200
On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
>> Anyone have a foolproof way to get grandma to always put "https://" in front of "www"?
>
> I understand this is a huge can of worms, but maybe it's time to change the default behavior of browsers from http to https...? I'm sure it's doable in FF with a simple plugin, one doesn't have to wait for FF4. (That would work for bookmarks too.)

It probably wouldn't help. In this case, if I was the attacker, I'd just find a company selling "Domain Validated" certs whose upstream nameserver was vulnerable (there's enough "Domain Validated" certificate pushers now that this shouldn't be hard). Then you spoof the domain from their point of view, obtain a cert, and now HTTPS will work with no error message, almost certainly fooling anyone's grandma.

-Jasper