[106163] in North American Network Operators' Group
RE: Exploit for DNS Cache Poisoning - RELEASED
daemon@ATHENA.MIT.EDU (Skywing)
Wed Jul 23 23:42:15 2008
From: Skywing <Skywing@valhallalegends.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>, "nanog@merit.edu"
<nanog@merit.edu>
Date: Wed, 23 Jul 2008 22:40:47 -0500
In-Reply-To: <594F3023-022A-406A-950D-1E02945F1B21@ianai.net>
Errors-To: nanog-bounces@nanog.org
Bookmarks or favorites or whatever your browser of choice wishes to call th=
em, for the https URLs. That, or remember to type in the https:// prefix.
- S
-----Original Message-----
From: Patrick W. Gilmore [mailto:patrick@ianai.net]
Sent: Wednesday, July 23, 2008 11:01 PM
To: nanog@merit.edu
Subject: Re: Exploit for DNS Cache Poisoning - RELEASED
On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote:
> On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
>> Luckily we have the SSL/CA architecture in place to protect any web
>> page served over SSL. It's a good job users are not conditioned to
>> click "OK" when told "the certificate for this site is invalid".
>
> 'course, as well as relying on users not ignoring certificate
> warnings,
> SSL as protection against this attack relies on the user explicitly
> choosing SSL (by manually prefixing the URL with https://), or
> noticing
> that the site didn't redirect to SSL.
>
> Your average Joe who types www.paypal.com into their browser may very
> well not notice that they didn't get redirected to
> https://www.paypal.com/
That did not even occur to me.
Anyone have a foolproof way to get grandma to always put "https://" in
front of "www"?
Seriously, I was explaining the problem to someone saying "never click
'OK'" when this e-mail came in and I realized how silly I was being.
Help?
--
TTFN,
patrick
