[106161] in North American Network Operators' Group
Re: Exploit for DNS Cache Poisoning - RELEASED
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Jul 23 23:35:14 2008
Date: Wed, 23 Jul 2008 23:33:30 -0400
From: Jared Mauch <jared@puck.nether.net>
To: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <594F3023-022A-406A-950D-1E02945F1B21@ianai.net>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Wed, Jul 23, 2008 at 11:01:11PM -0400, Patrick W. Gilmore wrote:
>> https://www.paypal.com/
>
> That did not even occur to me.
>
> Anyone have a foolproof way to get grandma to always put "https://" in
> front of "www"?
>
> Seriously, I was explaining the problem to someone saying "never click
> 'OK'" when this e-mail came in and I realized how silly I was being.
The problem is there is no perfect solution to these challenges
that the industry faces.
The enhanced SSL certs and browser magic, e.g.:
www.paypal.com w/ Firefox 3 gives a nice green "happy" bar.
If you don't invest in these, or if there is a lack of user
education around these issues, it's just one big Pharming pool.
I talked to some govvies today and made what I believe is
the clear case when it comes to "Doing the right thing(tm)". My
case was that the industry would do the right thing as a whole.
There would be stragglers, but the risk of doing nothing is too
high.
If your nameservers have not been upgraded or you did
not enable the proper flags, e.g. dnssec-enable and/or dnssec-validation
as applicable, I hope you will take another look.
- Jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
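As an added example (not part of the thread above), a small audit of a BIND `options {}` block for the two flags Jared names, dnssec-enable and dnssec-validation, plus one caveat a practitioner would want alongside the 2008 resolver upgrade: a `query-source` statement that pins a fixed port disables the source-port randomization the upgrade introduced. The config fragments are constructed, the parser handles only flat `key value;` statements, and flags not set explicitly are reported as unset because defaults differ between BIND versions.

```python
import re

# Constructed sample named.conf fragments (not from the original thread).
WEAK_CONF = """
options {
    directory "/var/named";
    // fixed source port: defeats source-port randomization
    query-source address * port 53;
    dnssec-enable no;
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    query-source address *;   # named picks a random ephemeral port
    dnssec-enable yes;
    dnssec-validation yes;
};
"""

def parse_options(conf):
    """Return {statement: value} for the top-level options {} block.
    Strips //, # and /* */ comments; does not handle nested blocks."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    m = re.search(r"options\s*\{(.*?)\};", conf, flags=re.S)
    if not m:
        return {}
    opts = {}
    for stmt in m.group(1).split(";"):
        parts = stmt.split()
        if parts:
            opts[parts[0]] = " ".join(parts[1:])
    return opts

def audit(conf):
    """List findings: missing DNSSEC flags and a pinned query-source port.
    Flags must be set explicitly; unset flags are reported as not enabled."""
    opts = parse_options(conf)
    findings = []
    if opts.get("dnssec-enable", "no") != "yes":
        findings.append("dnssec-enable is not 'yes'")
    if opts.get("dnssec-validation", "no") not in ("yes", "auto"):
        findings.append("dnssec-validation is not 'yes'")
    for key in ("query-source", "query-source-v6"):
        if re.search(r"\bport\s+\d+", opts.get(key, "")):
            findings.append(f"{key} pins a fixed port, disabling source-port randomization")
    return findings
```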