[dnssec-deployment] change "real threats" slide

Rob Austein sra at isc.org
Mon Oct 18 11:50:20 EDT 2004


At Mon, 18 Oct 2004 15:28:57 +0000, Suzanne Woolf wrote:
> 
> Bogus NAPTRs.

good.  voip security is a hideously ugly swamp due to the number of
protocols and traffic paths, but insecure dns is one of the weak
links, so this qualifies as a real threat.

At Mon, 18 Oct 2004 11:30:05 -0400, Mark Kosters wrote:
> 
> user goes to a http site that is spoofed. https then is hyperlinked
> to a site that has a different domain and valid cert.  The site
> validates but to a different firm than the user intended.
> 
> From my surfing, jumping off to a https site with a different domain
> is common. How common relative to the whole industry I don't know.

defaulting to insecure http is what the browsers do, so the usage
scenario you describe is real.  from a protocol standpoint, this one's
weak because the http stream can be attacked anyway, but the ops folks
can't fix the browsers, so this one seems plausible in spite of its
weakness.

thanks, both of you.


