DNS Attacks
Mikkel L. Ellertson
mikkel at infinity-ltd.com
Sat Jul 26 13:00:31 UTC 2008
Björn Persson wrote:
> Les Mikesell wrote:
>> You aren't paranoid enough. What if the spoofer is also a system
>> administrator at the bank with access to a copy of the real certificate
>> that he installs on the machine he's tricked your dns into reaching -
>> with the expected name that you'll still see.
>
> Then the bank has failed to protect its secret key. I expect banks to have
> rigorous security routines to control who can access sensitive systems, and
> to be able to check afterwards who did what.
>
> Could you elaborate on how whois guards against malicious system
> administrators? Do you think security could be improved by having browsers
> and other programs make whois queries automatically?
>
> Björn Persson
>
Also, if it is the a system administrator at the bank, what is to
prevent him from just changing the real name servers? Or putting in
a program on the bank's web server to capture the username and
password when you enter them? Lets face it, if a bank employee wants
to embezzle money from the bank, there is not much we as costumers
can do about it.
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20080726/2a208644/attachment-0001.sig>
More information about the fedora-list
mailing list