Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

• From: William Pitcock
• Date: Thu Jul 24 05:02:31 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://"; in 
> > front of "www"?
> 
> I understand this is a huge can of worms, but maybe it's time to change the 
> default behavior of browsers from http to https...?
> 
> I'm sure it's doable in FF with a simple plugin, one doesn't have to wait 
> for FF4. (That would work for bookmarks too.)
> 

I don't think anything involving HTTPS is necessairly an answer to this
problem. Specifically:

* not all sites do HTTPS
* many organizations use transparent proxies like Microsoft ICA
* certification authorities can in theory be bought off (or otherwise
manipulated) to issue bogus certs, making switching to HTTPS worthless

William

• References:
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Greco
  • Re: Exploit for DNS Cache Poisoning - RELEASED Joe Abley
  • Re: Exploit for DNS Cache Poisoning - RELEASED Jasper Bryant-Greene
  • Re: Exploit for DNS Cache Poisoning - RELEASED Patrick W. Gilmore
  • https (was: Re: Exploit for DNS Cache Poisoning - RELEASED) Robert Kisteleki

• Prev by Date: Re: SANS: DNS Bug Now Public?
• Next by Date: TLD servers with recursion was Re: Exploit for DNS Cache Poisoning - RELEASED
• Date Index
• Thread Index
• Author Index
• Historical