OpenID Email Discovery
Artur Bergman
sky at crucially.net
Fri Jan 4 09:59:12 UTC 2008
On Jan 4, 2008, at 10:16 AM, Trevor Johns wrote:
> On Jan 4, 2008, at 12:45 AM, Artur Bergman wrote:
>
>> On Jan 4, 2008, at 7:28 AM, Trevor Johns wrote:
>>
>>> 6. I can't see how this can be used securely. DNS is highly vulnerable to attack.
>>
>> Which is why the internet isn't working at all. Ever, Never!
>
>
> Hey, that's not fair!
>
Fair or not, I am tired of hearing how insecure DNS is, when everything we do is based on it and it is the world's largest working distributed database.
> DNS is well designed to handle denial of service attacks, but
> there's relatively little protection against false information
> within a localized part of the system.
>
> For one, there's cache poisoning:
>
> http://en.wikipedia.org/wiki/DNS_cache_poisoning
>
> Aside from that, there's nothing stopping an upstream DNS provider
> from injecting falsified records.
>
> This is why we have SSL CAs and discourage self-signed
> certificates. Encrypting information is easy. Making sure it came
> from who you think it came from is not, particularly when you're
> dealing with previously unknown parties. Thankfully these attacks
> are a little tricky to pull off, but they're certainly not outside
> the realm of possibility.
>
There is SSL connecting to the provider that is being referred to from the SRV/TXT field, which is no different from what you are referred to from an A or CNAME or MX.
Not that it matters anyway, since people just click OK.
Cheers
Artur
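The discovery-then-TLS step argued over above, as an added example that is not code from this thread or from the OpenID specification: it maps an e-mail address to a provider host through constructed SRV answers for an assumed `_openid._tcp` service label, and applies a name policy (an assumption of this example, not something the thread proposes) so that the hostname the later TLS connection verifies is one the e-mail domain itself controls, which is the gap a spoofed DNS answer would otherwise leave open.

```python
import ssl
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # hostname from the SRV RDATA, exactly as DNS handed it over

# Constructed answers (not real DNS data) for the assumed "_openid._tcp" service
# label under the e-mail domain; lower priority is preferred.
CONSTRUCTED_SRV = {
    "_openid._tcp.example.com": [
        SrvRecord(10, 60, 443, "id1.example.com"),
        SrvRecord(10, 40, 443, "id2.example.com"),
        SrvRecord(20, 0, 443, "backup.openid-host.example"),
    ],
}

def email_domain(address):
    # Domain part of an e-mail address, normalised for DNS comparison.
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    return domain.lower().rstrip(".")

def select_provider(records, allowed_suffixes):
    """Lowest-priority SRV target the name policy allows; ties go to the highest
    weight, deterministically rather than RFC 2782's weighted random pick."""
    for rec in sorted(records, key=lambda r: (r.priority, -r.weight)):
        host = rec.target.lower().rstrip(".")
        if any(host == s or host.endswith("." + s) for s in allowed_suffixes):
            return host, rec.port
    return None

def discover(address, srv_table=CONSTRUCTED_SRV, extra_trusted=()):
    """Map an e-mail address to (provider host, port), or None if nothing is
    acceptable. Policy (this example's assumption, not the thread's): the target
    must sit under the e-mail domain or be explicitly trusted. A spoofed SRV
    answer pointing at an outside host fails here, which TLS alone would not
    catch: that host can present a valid certificate for its own name."""
    domain = email_domain(address)
    records = srv_table.get("_openid._tcp." + domain, [])
    return select_provider(records, (domain,) + tuple(extra_trusted))

def tls_context():
    """TLS to the chosen host: the cert must chain to a trusted CA and match the
    hostname discovery returned (the default context enforces both)."""
    return ssl.create_default_context()
```

The policy deliberately refuses an SRV target outside the e-mail domain even when that target would pass certificate verification, since the certificate only proves the host is who DNS said it was, not that the domain owner chose it.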