https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

Jasper Bryant-Greene jasper at
Thu Jul 24 08:13:57 UTC 2008

On Thu, 2008-07-24 at 09:51 +0200, Robert Kisteleki wrote:
> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://" in 
> > front of "www"?
> I understand this is a huge can of worms, but maybe it's time to change the 
> default behavior of browsers from http to https...?
> I'm sure it's doable in FF with a simple plugin, one doesn't have to wait 
> for FF4. (That would work for bookmarks too.)

It probably wouldn't help. In this case, if I was the attacker, I'd just
find a company selling "Domain Validated" certs whose upstream
nameserver was vulnerable (there's enough "Domain Validated" certificate
pushers now that this shouldn't be hard)

Then you spoof the domain from their point of view, obtain a cert, and
now HTTPS will work with no error message, almost certainly fooling
anyone's grandma.


More information about the NANOG mailing list