[12588] in bugtraq
Re: BIND bugs of the month (spoofing secure Web sites?)
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Nov 15 01:36:43 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991114225028.1075041F16@SIGABA.research.att.com>
Date: Sun, 14 Nov 1999 17:50:22 -0500
Reply-To: smb@RESEARCH.ATT.COM
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To: Peter W <peterw@usa.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In message <Pine.LNX.4.10.9911132116410.18106-100000@localhost>, Peter W writes
:
> At 1:14am Nov 13, 1999, D. J. Bernstein wrote:
>
> > A sniffing attacker can easily forge responses to your DNS requests. He
> > can steal your outgoing mail, for example, and intercept your ``secure''
> > web transactions. This is obviously a problem.
>
> If by secure web transactions, you mean https, SSL-protected, then, no
> they can't. SSL-enabled HTTP uses public keys on the server side to verify
> server identity. These keys are typically signed by a Certificate
> Authority (Verisign, Thawte, etc.) and clients will not trust server keys
> unless they have a valid, non-expired certificate from a known, trusted
> CA. Even if the attackers monitored all your network communications, they
> still would not have your web server's private key and its passphrase.
>
> While DNS spoofs may be practical, impersonating an SSL-enabled Web server
> requires considerably more than lying about IP addresses.
In general, no, it doesn't. If use DNS forgery to divert
yourfavoriteonlinemerchant.com to my site, I'll make sure that the
order page doesn't invoke SSL. Most people don't check the little box...
--Steve Bellovin
