nanog mailing list archives

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)


From: Jasper Bryant-Greene <jasper () unleash co nz>
Date: Thu, 24 Jul 2008 20:13:57 +1200

On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
>> Anyone have a foolproof way to get grandma to always put "https://" in
>> front of "www"?
>
> I understand this is a huge can of worms, but maybe it's time to change the
> default behavior of browsers from http to https...?
>
> I'm sure it's doable in FF with a simple plugin, one doesn't have to wait
> for FF4. (That would work for bookmarks too.)

It probably wouldn't help. In this case, if I were the attacker, I'd just
find a company selling "Domain Validated" certs whose upstream
nameserver was vulnerable (there are enough "Domain Validated" certificate
pushers now that this shouldn't be hard).

Then you spoof the domain from their point of view, obtain a cert, and
now HTTPS will work with no error message, almost certainly fooling
anyone's grandma.

-Jasper
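The issuance flow Jasper describes, as an added toy model that is not part of the original post or of any real CA's code: a CA whose domain-validation (DV) check trusts whatever its own recursive resolver returns. The CA, the hosts, the IP addresses, the validation path and the `poison()` call (which stands in for a successful forged-response attack and does not implement one) are all constructed for illustration.

```python
"""Toy model of DV certificate issuance over a poisoned resolver.

Constructed example: the CA, hosts, IPs and validation path are hypothetical,
and Resolver.poison() merely models the outcome of a successful cache-poisoning
attack against the CA's recursive resolver.
"""
import secrets
from dataclasses import dataclass, field

# Constructed toy web: IP address -> {path: body}. Only two hosts exist.
OWNER_IP, ATTACKER_IP = "192.0.2.10", "198.51.100.66"
WEB = {OWNER_IP: {}, ATTACKER_IP: {}}
VALIDATION_PATH = "/.well-known/dv-token"   # hypothetical challenge location


def http_get(ip, path):
    """Model an HTTP GET against a raw IP; returns the body or None (404)."""
    return WEB.get(ip, {}).get(path)


@dataclass
class Resolver:
    """The CA's recursive resolver. A cached answer wins over the real zone."""
    zone: dict                       # what the authoritative DNS really says
    cache: dict = field(default_factory=dict)

    def resolve(self, name):
        return self.cache.get(name) or self.zone[name]

    def poison(self, name, ip):
        # Stand-in for a successful forged-response attack on this cache.
        self.cache[name] = ip


class ToyCA:
    """DV issuance: hand the applicant a token, resolve the name with our own
    resolver, fetch the token from whatever IP came back, issue on a match."""

    def __init__(self, resolver):
        self.resolver = resolver

    def request_cert(self, domain, place_token):
        token = secrets.token_hex(16)
        place_token(token)                  # applicant stages the token
        ip = self.resolver.resolve(domain)  # the only "identity" check
        if http_get(ip, VALIDATION_PATH) == token:
            return {"subject": domain, "validated_via_ip": ip}
        return None


def run_scenario(ca_resolver_poisoned):
    """Return the certs (or None) obtained by the attacker and the real owner.

    The only difference between the two runs is whether the CA's resolver
    has been poisoned for the target name.
    """
    domain = "www.example.com"    # example domain, not a real target
    WEB[OWNER_IP].clear()
    WEB[ATTACKER_IP].clear()
    resolver = Resolver(zone={domain: OWNER_IP})
    if ca_resolver_poisoned:
        resolver.poison(domain, ATTACKER_IP)
    ca = ToyCA(resolver)

    attacker_cert = ca.request_cert(
        domain, lambda t: WEB[ATTACKER_IP].__setitem__(VALIDATION_PATH, t))
    owner_cert = ca.request_cert(
        domain, lambda t: WEB[OWNER_IP].__setitem__(VALIDATION_PATH, t))
    return {"attacker": attacker_cert, "owner": owner_cert}


if __name__ == "__main__":
    for poisoned in (False, True):
        print("CA resolver poisoned:", poisoned, run_scenario(poisoned))
```

With a clean resolver the attacker's request fails (the token is fetched from the owner's host, where it was never placed) and the owner's succeeds; once the CA's resolver is poisoned the outcome flips, and the attacker walks away with a certificate whose subject is the victim's name, which is exactly what makes the padlock meaningless in the scenario above.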
