OpenID homesite authorization spoofed
Alaric Dailey
alaricdailey at hotmail.com
Mon Oct 23 15:09:46 UTC 2006
A) see my earlier reply and http://www.ripe.net/disi/dnssec_howto/#creakey
B) it is up to the DNS server handing you the resolution to do the
checking, NOT your program.
Recursion is the enemy of DNS, but DNSSEC relies on the ROOT DNS servers
being secure, and the downstream servers doing the verification. So if my
internal DNS server gets a non-authoritative result, and it doesn't match
the DNS key from the authoritative server, then I toss the response and
query again all the way up to the authoritative server if I have to. If all
servers did this, DNS poisoning would have no effect even if someone did
poison your DNS cache.
I HIGHLY recommend reading www.dnssec.com and
http://www.ripe.net/disi/dnssec_howto/ if you are interested in how this
works (they are certainly going to be more precise than myself).
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Chris Drake
Sent: Monday, October 23, 2006 8:38 AM
To: Eddy Nigg (StartCom Ltd.)
Cc: general at openid.net
Subject: Re[2]: OpenID homesite authorization spoofed
Hi Eddy,
ENSL> ..., even if secured by SSL and DNSSEC.
AFAIK: There's no such thing as "secured by DNSSEC" for 2 reasons
A) There's no root to sign any DNS keys
B) there's no client resolver to check signatures (nor can there be
yet, since there's no root keys)
In other words: an attacker can just as easily self-sign a bogus SSL
certificate as they can self-sign their bogus DNSSEC server replies.
Poison a cache, hijack an ISP DNS server, change a victim's HOSTS file, or
mess with their traffic - it all looks the same to the victim: a certificate
warning - that's it. Everything else will appear "normal" - even the padlock
(and even the trust chain, if they cared to check it and the attacker
bothered to create bogus CA keys (using legitimate CA names & attributes)
too).
Kind Regards,
Chris Drake
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
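The check Alaric describes above (a resolver rejecting a DNSKEY that does not match what the authoritative/parent side vouches for) is, in DNSSEC terms, the DS-to-DNSKEY chain-of-trust check of RFC 4034. The following Python is an added example written for this archive page, not code from either poster or from any DNSSEC implementation: it computes a DNSKEY's key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) with the standard library only, then compares them against a DS record as a parent zone would publish it. The zone name, flags and the 64-byte public-key blob are constructed placeholders, not a real key.

```python
import hashlib
import hmac
import struct

# Constructed sample DNSKEY for a made-up zone. The public key bytes are a
# placeholder; real keys are RSA/ECDSA blobs, but the tag/digest logic is the same.
ZONE = "example."
DNSKEY_FLAGS = 257        # 256 (ZONE) + 1 (SEP): a key-signing key
DNSKEY_PROTOCOL = 3       # fixed value for DNSSEC (RFC 4034 section 2.1.2)
DNSKEY_ALGORITHM = 13     # ECDSAP256SHA256 algorithm number
PUBLIC_KEY = bytes(range(1, 65))   # constructed 64-byte placeholder, not a real key


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA).
    digest_type 1 = SHA-1 (legacy), 2 = SHA-256."""
    hash_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hash_fn(owner_name_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the parent zone publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(parent_ds: tuple, owner: str, rdata: bytes) -> bool:
    """Validator-side check: accept the child DNSKEY only if the parent's DS
    record agrees on key tag, algorithm and digest. A DNSKEY that fails this
    is exactly the 'doesn't match' case a validating resolver must discard."""
    tag, alg, dtype, digest = parent_ds
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, dtype))


if __name__ == "__main__":
    legit = dnskey_rdata(DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, PUBLIC_KEY)
    parent_ds = make_ds(ZONE, legit)
    # A DNSKEY with any other key material (constructed here by flipping one
    # byte) no longer matches the DS the parent published.
    substituted = legit[:-1] + bytes([legit[-1] ^ 0x01])
    print("key tag:", parent_ds[0])
    print("legitimate DNSKEY accepted:", ds_matches(parent_ds, ZONE, legit))
    print("substituted DNSKEY accepted:", ds_matches(parent_ds, ZONE, substituted))
```

The comparison is done with hmac.compare_digest so that the digest check is constant-time; the key-tag and algorithm fields are not secrets, so an early return on those is fine. This only covers the DS-to-DNSKEY link; a full validator also verifies the RRSIG over the DNSKEY RRset and over the answer itself, which needs the actual public-key algorithm and is out of scope for this snippet.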