Re: DNS Attacks


 



On Fri, Jul 25, 2008 at 01:32:58PM -0500, Les Mikesell wrote:
> Björn Persson wrote:
>>
>>> If you are really paranoid (or about to do large transactions on what
>>> you hope is your banking site), you could do a 'whois' lookup for the
>>> target domain to find their own name servers and send a query directly
>>> there for the target site.
>>
>> Check that the domain name in the address bar is right, that you're 
>> using HTTPS, and that the bank's certificate has been verified 
>> correctly. Then you're safe, unless the attacker has *also* managed to 
>> trick one of the certification authorities into issuing a false 
>> certificate, or somehow sneaked a false CA certificate into your 
>> browser.
>
> You aren't paranoid enough.  What if the spoofer is also a system  
> administrator at the bank with access to a copy of the real certificate  
> that he installs on the machine he's tricked your dns into reaching -  
> with the expected name that you'll still see.
>

What does it take to collect 'correct' answers now and
then watch for poisoning and get it fixed promptly?

Banks and other key sites like Google, Yahoo, Microsoft and many of
the big social network sites should be actively watching for abuse.
ISPs also need to watch their DNS servers and should be working with
the likes of CERT, the FBI etc. to nip this stuff in the bud should some
bad guys attempt to do bad stuff.   In the early days universities were
central in keeping sanity on the early Internet; perhaps they can also
pick up one of the balls in this game.

I have a very limited set of 'valuable' sites I connect with....  and have
already started caching key host IP addresses and DNS servers that I
believe I can rely on even when WiFi connected from the local coffee shop.

 

-- 
	T o m  M i t c h e l l 
	Looking for a place to hang my hat.


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
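
The idea in the message above (record known-good answers for a small set of important sites, then watch for answers that deviate) can be sketched as follows. This is an added example, not part of the original post; the host names, address ranges and the `simulated` answers are constructed placeholders, and pinning by network range rather than single address is an assumption made to tolerate normal address rotation.

```python
import ipaddress
import socket

# Constructed baseline: placeholder names and documentation address ranges,
# standing in for answers recorded earlier over a connection you trust.
BASELINE = {
    "bank.example": ["192.0.2.0/28"],
    "mail.example": ["198.51.100.25/32", "198.51.100.26/32"],
}

def system_resolver(name):
    """Ask the locally configured resolver (the one a poisoned cache would affect)."""
    infos = socket.getaddrinfo(name, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_name(name, baseline=BASELINE, resolve=system_resolver):
    """Return (status, details) for one pinned name."""
    if name not in baseline:
        return "unpinned", []
    allowed = [ipaddress.ip_network(n) for n in baseline[name]]
    try:
        answers = resolve(name)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return "lookup-failed", [str(exc)]
    if not answers:
        return "lookup-failed", []
    # Any answer outside every pinned range is reported for manual review.
    unexpected = [a for a in answers
                  if not any(ipaddress.ip_address(a) in net for net in allowed)]
    return ("mismatch", unexpected) if unexpected else ("ok", [])

def audit(baseline=BASELINE, resolve=system_resolver):
    """Check every pinned name; return only the ones needing attention."""
    results = {name: check_name(name, baseline, resolve) for name in baseline}
    return {n: r for n, r in results.items() if r[0] != "ok"}

if __name__ == "__main__":
    # Constructed answers simulating a resolver whose cache holds one bad record.
    simulated = {"bank.example": ["203.0.113.66"], "mail.example": ["198.51.100.25"]}
    for name, (status, detail) in audit(resolve=lambda n: simulated[n]).items():
        print(f"{name}: {status} {detail}")
```

A mismatch is a prompt to investigate, not proof of poisoning, since large sites legitimately change addresses; the baseline has to be refreshed from a trusted network when that happens.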