[security] DNS poisoning versus CA issues

Dan Lyke danlyke at flutterby.com
Wed Oct 25 23:02:39 UTC 2006


At this point I've fairly well convinced myself that there's nothing  
to be lost if anything in the OpenID process (except however the User  
authenticates with the Identity Provider, but we've already mentioned  
that that's not the purview of the OpenID spec) gets sniffed.

The issues are with DNS poisoning and MitM attacks.

So as I'm going through the scenarios in my head, I'm wondering a few  
things:

1. How easy is it to get an illicit certificate? My impression is that  
all it takes is an IP address (which, we've already seen in the DNS  
poisoning attacks of March 2005, can be as simple as a compromised  
Windows machine), a stolen credit card and a pay phone.

2. How easy is it to fool a CA? I remember the moment when it was  
shown that ActiveX security was a joke because someone got a  
certificate for a company that differed from the company people  
expected by an ", Inc." or something similar, and I'm fairly sure I've  
seen occurrences like this from the big net CAs.

And anyone who remembers Network Solutions in the '90s knows that  
sometimes to do legitimate things with domain names we had to do them  
through illegitimate paths.

3. Since the March 2005 attacks, are there any remaining known vectors  
for DNS poisoning, especially in the context of real hosting and net  
connection providers (i.e., we can discount anyone running the Microsoft  
name server) and the tightened rulesets for updates in the later  
versions of BIND?
