https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

Jasper Bryant-Greene jasper at unleash.co.nz
Thu Jul 24 03:13:57 CDT 2008


On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://" in 
> > front of "www"?
> 
> I understand this is a huge can of worms, but maybe it's time to change the 
> default behavior of browsers from http to https...?
> 
> I'm sure it's doable in FF with a simple plugin, one doesn't have to wait 
> for FF4. (That would work for bookmarks too.)

It probably wouldn't help. In this case, if I was the attacker, I'd just
find a company selling "Domain Validated" certs whose upstream
nameserver was vulnerable (there's enough "Domain Validated" certificate
pushers now that this shouldn't be hard)

Then you spoof the domain from their point of view, obtain a cert, and
now HTTPS will work with no error message, almost certainly fooling
anyone's grandma.

-Jasper





More information about the NANOG mailing list