OpenID Email Discovery
Trevor Johns
trevor at tjohns.net
Fri Jan 4 09:16:51 UTC 2008
On Jan 4, 2008, at 12:45 AM, Artur Bergman wrote:
> On Jan 4, 2008, at 7:28 AM, Trevor Johns wrote:
>
>> 6. I can't see how this can be used securely. DNS is highly vulnerable
>> to attack.
>
> Which is why the internet isn't working at all. Ever, Never!
Hey, that's not fair!
DNS is well designed to handle denial of service attacks, but there's
relatively little protection against false information within a
localized part of the system.
For one, there's cache poisoning:
http://en.wikipedia.org/wiki/DNS_cache_poisoning
Aside from that, there's nothing stopping an upstream DNS provider
from injecting falsified records.
This is why we have SSL CAs and discourage self-signed certificates.
Encrypting information is easy. Making sure it came from who you think
it came from is not, particularly when you're dealing with previously
unknown parties. Thankfully these attacks are a little tricky to pull
off, but they're certainly not outside the realm of possibility.
--
Trevor Johns
http://tjohns.net
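The cache-poisoning point above, as an added example that is not part of the original message or the OpenID specs: a toy resolver cache in Python that accepts records from a response into its cache, first naively and then with a bailiwick check (only keeping records whose owner name falls under the zone the answering server is authoritative for). An attacker-controlled authoritative server answers a query about its own name but slips a forged A record for an unrelated identity-provider host into the additional section. The names (attacker.example, idp.example.net) and addresses (RFC 5737 test ranges) are constructed for the illustration.

```python
# Added example, not code from the original thread: a toy resolver cache
# showing how an out-of-bailiwick "additional" record poisons a naive
# cache while a bailiwick check refuses it. All names and addresses are
# constructed (reserved example domains, RFC 5737 test addresses).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, and data."""
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    """A simplified DNS response from a server authoritative for `zone`."""
    qname: str
    zone: str
    answer: List[RR]
    additional: List[RR]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Cache:
    """Resolver cache; `check_bailiwick` toggles the defence."""

    def __init__(self, check_bailiwick: bool) -> None:
        self.check_bailiwick = check_bailiwick
        self.records: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response) -> int:
        """Store records from a response; return how many were accepted."""
        accepted = 0
        for rr in resp.answer + resp.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, resp.zone):
                continue  # server has no authority over this name: drop it
            self.records[(rr.name.lower().rstrip("."), rr.rtype)] = rr.data
            accepted += 1
        return accepted

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        return self.records.get((name.lower().rstrip("."), rtype))


ATTACKER_IP = "203.0.113.66"  # constructed (TEST-NET-3)
REAL_IP = "198.51.100.10"     # constructed (TEST-NET-2)
TARGET = "idp.example.net"    # hypothetical identity-provider host


def poisoning_attempt(check_bailiwick: bool) -> Optional[str]:
    """The attacker's authoritative server answers a query for its own
    name but adds a forged A record for TARGET in the additional section."""
    cache = Cache(check_bailiwick)
    forged = Response(
        qname="www.attacker.example",
        zone="attacker.example",
        answer=[RR("www.attacker.example", "A", ATTACKER_IP)],
        additional=[RR(TARGET, "A", ATTACKER_IP)],  # out of bailiwick
    )
    cache.ingest(forged)
    return cache.lookup(TARGET, "A")


def legitimate_lookup(check_bailiwick: bool) -> Optional[str]:
    """The real example.net server answers for its own zone; both the
    naive and the checking cache must accept this."""
    cache = Cache(check_bailiwick)
    genuine = Response(
        qname=TARGET,
        zone="example.net",
        answer=[RR(TARGET, "A", REAL_IP)],
        additional=[],
    )
    cache.ingest(genuine)
    return cache.lookup(TARGET, "A")


if __name__ == "__main__":
    print("naive cache after poisoning :", poisoning_attempt(False))
    print("strict cache after poisoning:", poisoning_attempt(True))
    print("strict cache, genuine answer:", legitimate_lookup(True))
```

With the check disabled the naive cache hands back the attacker's address for idp.example.net; with it enabled the forged record is dropped and the cache stays empty for that name, so the resolver would have to ask the real example.net authority. Note that a bailiwick check only defends against third parties feeding the cache; it does nothing about the second concern in the message, an upstream resolver that simply lies, since that resolver is the one filling the cache. That gap is what pushes the trust question to a separate authentication layer such as the CA-issued certificates mentioned above.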