Exploit for DNS Cache Poisoning - RELEASED
Patrick W. Gilmore
patrick at ianai.net
Thu Jul 24 03:01:11 UTC 2008
On Jul 23, 2008, at 9:27 PM, Jasper Bryant-Greene wrote:
> On Wed, 2008-07-23 at 21:17 -0400, Joe Abley wrote:
>> Luckily we have the SSL/CA architecture in place to protect any web
>> page served over SSL. It's a good job users are not conditioned to
>> click "OK" when told "the certificate for this site is invalid".
> 'course, as well as relying on users not ignoring certificate
> SSL as protection against this attack relies on the user explicitly
> choosing SSL (by manually prefixing the URL with https://), or
> that the site didn't redirect to SSL.
> Your average Joe who types www.paypal.com into their browser may very
> well not notice that they didn't get redirected to
That did not even occur to me.

Anyone have a foolproof way to get grandma to always put "https://" in
front of "www"?

Seriously, I was explaining the problem to someone saying "never click
'OK'" when this e-mail came in and I realized how silly I was being.