Re: DNS Attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mikkel L. Ellertson wrote:

You aren't paranoid enough.  What if the spoofer is also a system
administrator at the bank with access to a copy of the real certificate
that he installs on the machine he's tricked your dns into reaching -
with the expected name that you'll still see.

Then the bank has failed to protect its secret key. I expect banks to have rigorous security routines to control who can access sensitive systems, and to be able to check afterwards who did what.

Yes, but controlling 'who does what' only works as long as the selected person does what you expect. Are you following the case of the San Francisco network admin that refused to give the password to anyone else? This may not even be malicious (he may just think everyone else would screw it up), but it isn't what anyone expected.

Could you elaborate on how whois guards against malicious system administrators?

It spreads the number of things that have to be compromised to fool you. The person who had access to copy the security certificate may not be the same one that registers the public DNS servers. Maybe it's a backup operator who knows how to restore a copy elsewhere

>> Do you think security could be improved by having
browsers and other programs make whois queries automatically?

Slightly, but the DNS infrastructure probably would not handle having every query send to an authoritative source, which is why we have the caches that can be compromised in the first place.

Also, if it is the a system administrator at the bank, what is to

prevent him from just changing the real name servers?

That's visible and would leave traces in obvious places.

> Or putting in a
program on the bank's web server to capture the username and password when you enter them?

Likewise.

Lets face it, if a bank employee wants to embezzle money from the bank, there is not much we as costumers can do about it.

But you need to trust the combination of DNS and the target certificate. If DNS can be compromised someone then only needs to have a copy of the certificate in a place that will be hard to find after the DNS cache expires.

--
  Les Mikesell
   lesmikesell@xxxxxxxxx

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux