Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

• From: Jasper Bryant-Greene
• Date: Thu Jul 24 04:14:06 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://"; in 
> > front of "www"?
> 
> I understand this is a huge can of worms, but maybe it's time to change the 
> default behavior of browsers from http to https...?
> 
> I'm sure it's doable in FF with a simple plugin, one doesn't have to wait 
> for FF4. (That would work for bookmarks too.)

It probably wouldn't help. In this case, if I was the attacker, I'd just
find a company selling "Domain Validated" certs whose upstream
nameserver was vulnerable (there's enough "Domain Validated" certificate
pushers now that this shouldn't be hard)

Then you spoof the domain from their point of view, obtain a cert, and
now HTTPS will work with no error message, almost certainly fooling
anyone's grandma.

-Jasper

• References:
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Abley
  • Re: Exploit for DNS Cache Poisoning - RELEASED Jasper Bryant-Greene
  • Re: Exploit for DNS Cache Poisoning - RELEASED Patrick W. Gilmore
  • https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Robert Kisteleki

• Prev by Date: Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)
• Next by Date: Re: SANS: DNS Bug Now Public?
• Date Index
• Thread Index
• Author Index
• Historical