BIND update?
Mark Andrews
Mark_Andrews at isc.org
Thu Jul 10 07:02:39 UTC 2008
> Jason Stone wrote:
>
> > So you say, "But I don't send important information over that
> > connection, nor do I trust the information I get back?" Maybe. I think
> > that the AOL data leak fiasco proved that, while people don't generally
> > think of search queries as sensitive, they really kind of are. And you
> > almost certainly place _some_ trust in the results you get back; I mean,
> > you're not reading them purely as fiction.
>
> I validate such unauthenticated information at the human layer. Have to --
> even when nobody has tampered with DNS, BGP, or HTTP, the stuff at
> nytimes.com and wikipedia.org is still often false.
>
> > So, if your DNS resolver is vulnerable to cache poisoning, then every
> > time you casually surf the web, you're allowing for the possibility that
> > you will get spoofed, surf to some malware site, get served a browser
> > exploit, and get 0wned.
>
> That is already true, and is true regardless of the "security" of the DNS.
>
> Think hard on why this is possible:
>
> http://ex-parrot.com/~pete/upside-down-ternet.html
>
> :)
>
> Similarly, why does YouTube disappear whenever Pervez Musharraf gets cranky?
>
> > I agree that DNSSEC is the real solution.
>
> It won't, and can't, solve *any* of the problems you cited. Any attacker
> than can mangle my DNS traffic (and cache poisoning is hardly the only way
> to do that) can also just read and alter *any* non-secure-by-design
> plaintext network traffic.
DNSSEC won't stop all attacks. It does however stop some
attack vectors. Others, like the man in the middle attack
above, it won't stop.
> > I also think that making it easy (or even possible) to sandbox the
> > browsers is a real solution. I think that using strong crypto everywhere
> > and making fine-grained capabilities and MAC systems ubiquitous is also a
> > real solution.
>
> Okay, I know when I'm being trolled. :) I'll stop posting now. It's bed time
> anyway.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the freebsd-security
mailing list