9fans - fans of the OS Plan 9 from Bell Labs
From: erik quanstrom <quanstro@quanstro.net>
To: 9fans@9fans.net
Subject: Re: [9fans] Are we ready for DNSSEC ?
Date: Sun, 24 Jan 2010 09:57:44 -0500
Message-ID: <e501cce65dc902858110bb028ab5314c@ladd.quanstro.net>
In-Reply-To: <f4d8fa41001240519n5898a98cv26d100ad779415e1@mail.gmail.com>

On Sun Jan 24 08:21:50 EST 2010, 23hiro@googlemail.com wrote:
> so you need to have a more "secure" dns because you don't trust your ssl?

do you feel dnssec provides the same or worse security?  why?

the simple answer to your question is yes.  the renegotiation bug
in ssl requires you to start talking to the wrong server.  (this attack
wouldn't be necessary if your attacker is behind the ssl termination pts.)
a similar attack could work against imperfect certificate checking.
since the easiest way to get someone to the wrong place is to give
them the wrong address, i think a more secure dns helps.

as to fixing the renegotiation bug by turning it off: do you feel
confident that you know how to do this (is it possible) with every
bit of ssl-capable equipment you own?  i don't.  i also don't think
it's the only attack that can be facilitated by first owning dns.

more food for thought.  the ca chains just aren't that well-verified.  it
was easy enough to get a bogus microsoft certificate a few years
back.  if you can own dns, and get a bogus bigco.com cert, you're
in business.

- erik
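An added example, not part of erik's message or of anything else in this thread: the argument above is that a "more secure dns" helps because an attacker who can hand out the wrong address gets a client to the wrong server before any ssl check runs. The defensive counterpart is for a client to refuse to trust an address unless its validating resolver reported the answer as DNSSEC-authenticated. The Python below decodes the DNS header flags (QR, RCODE, and the AD and CD bits defined for DNSSEC) from raw response packets and classifies each as authenticated, unauthenticated, or bogus (SERVFAIL from a validating resolver). The packets, names, addresses and the helper names `build_a_response`, `parse_header` and `classify_response` are all constructed for this illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: set by a validating resolver
FLAG_CD = 0x0010  # checking disabled: client asked the resolver not to validate

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into a dict of named fields."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def classify_response(packet: bytes) -> str:
    """Return 'authenticated', 'unauthenticated', 'bogus' or 'error'.

    AD is only meaningful when the path to the resolver is trusted (a local
    validating resolver, or DNS over TLS); a stub cannot detect a forged AD bit.
    """
    h = parse_header(packet)
    if not h["qr"]:
        return "error"  # this is a query, not a response
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"  # validating resolvers answer SERVFAIL when signatures fail
    if h["rcode"] != RCODE_NOERROR:
        return "error"
    if h["ad"] and not h["cd"]:
        return "authenticated"
    return "unauthenticated"  # no validation claimed: do not trust the address on its own


def answer_is_authenticated(packet: bytes) -> bool:
    return classify_response(packet) == "authenticated"


# --- constructed sample responses (not captured traffic) ---
def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(ident: int, flags: int, name: str, ipv4: str, with_answer: bool = True) -> bytes:
    """Build a minimal response carrying one A record (or none, for SERVFAIL)."""
    header = struct.pack("!6H", ident, flags, 1, 1 if with_answer else 0, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not with_answer:
        return header + question
    rdata = bytes(int(o) for o in ipv4.split("."))
    # compression pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


SAMPLE_VALIDATED = build_a_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, "example.com.", "192.0.2.10")
SAMPLE_UNVALIDATED = build_a_response(0x1235, FLAG_QR | FLAG_RD | FLAG_RA, "example.com.", "192.0.2.10")
SAMPLE_CD = build_a_response(0x1236, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD | FLAG_CD, "example.com.", "192.0.2.10")
SAMPLE_SERVFAIL = build_a_response(0x1237, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, "example.com.", "", False)

if __name__ == "__main__":
    for label, pkt in [("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED),
                       ("cd-set", SAMPLE_CD), ("servfail", SAMPLE_SERVFAIL)]:
        print(f"{label:12s} -> {classify_response(pkt)} (answers: {parse_header(pkt)['ancount']})")
```

A validating resolver only sets AD for clients that asked for it (the AD bit or the EDNS DO bit in the query), so a client that never asks will always land in the "unauthenticated" branch; and since the bit is set by the resolver rather than carried in the signed data, a stub that does not validate itself still has to trust the hop to that resolver.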
Thread overview: 24+ messages
2010-01-20 13:26 maht
2010-01-20 13:42 ` erik quanstrom
2010-01-20 15:14   ` Patrick Kelly
2010-01-20 15:33     ` erik quanstrom
2010-01-20 16:39       ` Patrick Kelly
2010-01-20 16:49         ` erik quanstrom
2010-01-20 17:29           ` Patrick Kelly
2010-01-20 17:47         ` Russ Cox
2010-01-20 18:17           ` erik quanstrom
2010-01-20 20:11             ` Russ Cox
2010-01-20 19:13           ` Patrick Kelly
2010-01-23 23:59 ` John Barham
2010-01-24  0:42   ` erik quanstrom
2010-01-24  0:52     ` Russ Cox
2010-01-24  1:01       ` erik quanstrom
2010-01-24  1:11         ` Russ Cox
2010-01-24  1:18           ` erik quanstrom
2010-01-24 13:19             ` hiro
2010-01-24 14:57               ` erik quanstrom [this message]
2010-01-24 21:49                 ` Russ Cox
2010-01-24 22:12                   ` Tim Newsham
2010-01-24 22:20                     ` erik quanstrom
2010-01-24 18:14           ` Tim Newsham
2010-01-25 20:45             ` Wes Kussmaul