Re: Exploit for DNS Cache Poisoning - RELEASED

• From: Jasper Bryant-Greene
• Date: Wed Jul 23 21:28:28 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
> Luckily we have the SSL/CA architecture in place to protect any web  
> page served over SSL. It's a good job users are not conditioned to  
> click "OK" when told "the certificate for this site is invalid".

'course, as well as relying on users not ignoring certificate warnings,
SSL as protection against this attack relies on the user explicitly
choosing SSL (by manually prefixing the URL with https://), or noticing
that the site didn't redirect to SSL.

Your average Joe who types www.paypal.com into their browser may very
well not notice that they didn't get redirected to
https://www.paypal.com/

-Jasper

• Follow-Ups:
  • Re: Exploit for DNS Cache Poisoning - RELEASED Patrick W. Gilmore

• References:
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Abley

• Prev by Date: Re: Exploit for DNS Cache Poisoning - RELEASED
• Next by Date: Re: Exploit for DNS Cache Poisoning - RELEASED
• Date Index
• Thread Index
• Author Index
• Historical