~/.hosts patch
Maxime Henrion
mux at FreeBSD.org
Wed Jun 21 08:32:22 UTC 2006
Marcin Jessa wrote:
> On Wed, 21 Jun 2006 07:31:23 +0000
> John Birrell <jb at what-creek.com> wrote:
>
> > On Wed, Jun 21, 2006 at 12:20:36AM -0700, Luigi Rizzo wrote:
> > > On Wed, Jun 21, 2006 at 07:07:39AM +0000, John Birrell wrote:
> > > > The fact that a lot of innocent (naive) people don't use https
> > > > and certificates?!
> > >
> > > and so they would happily click on
> > >
> > > <a href="http://www.666.org/gimmeyourmoney">Secure Link to
> > > Your Bank</a>
> > >
> > > so we are not opening much in terms of security holes...
> >
> > You are making it worse because you open a new security hole:
> >
> > <a href="https://www.paypal.com/">www.paypal.com</a>
> >
> > does not take them to the _REAL_ www.paypal.com.
> >
> > This is not an issue about phishing where:
> >
> > <a href="http://some.dynamic.ip.addr/">www.paypal.com</a>
> >
> > makes it look like the link takes them to PayPal when it really
> > doesn't.
> >
> > Most banks still don't use certificates even though they use HTTP.
> >
> > We need to retain the integrity of a DNS lookup. If there are any work
> > arounds required for poor DNS lookups, then let an administrator
> > configure them!
>
> Just add a global switch to enable/disable using of the ~/.hosts file
> to i.e /etc/login.conf.
> I personally find this feature very handy, especially on a desktop
> with restricted access to the system.
Better yet; the original author is currently working on making this a
separate nss module. It can then be enabled/disabled at will through
the nsswitch.conf file.
I can understand the security concerns people have expressed in this
thread, but once this functionality is available as a nss module they
don't hold anymore. As far as I can see, noone intends to have this
enabled by default, and it's not even clear it should be in the base.
Having a nss_userfiles port or whatever is probably enough.
Cheers,
Maxime
More information about the freebsd-current
mailing list