OpenID homesite authorization spoofed
Chris Drake
christopher at pobox.com
Mon Oct 23 13:38:15 UTC 2006
Hi Eddy,
ENSL> ..., even if secured by SSL and DNSSEC.
AFAIK: There's no such thing as "secured by DNSSEC", for 2 reasons:
A) There's no root to sign any DNS keys
B) There's no client resolver to check signatures (nor can there be
yet, since there are no root keys)
In other words: an attacker can just as easily self-sign a bogus SSL
certificate as they can self-sign their bogus DNSSEC server replies.
Poison a cache, hijack an ISP DNS server, change a victim's HOSTS
file, or mess with their traffic - it all looks the same to the
victim: a certificate warning - that's it. Everything else will
appear "normal" - even the padlock (and even the trust chain, if they
cared to check it and the attacker bothered to create bogus CA keys (using
legitimate CA names & attributes) too).
Kind Regards,
Chris Drake