Re: DNS Attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Björn Persson wrote:

Could you elaborate on how whois guards against malicious system
administrators?
It spreads the number of things that have to be compromised to fool you.
The person who had access to copy the security certificate may not be
the same one that registers the public DNS servers.

OK, a slight improvement, but it still depends on the bank's security routines, just like the secrecy of the secret key does.

Maybe it's a backup operator who knows how to restore a copy elsewhere

Well, a backup copy of a secret key is just as secret as the "live" copy and must be protected by just as rigorous routines.

Agreed, and this is probably is the case for banking institutions that only rarely lose control of a truckload of backup tapes. But there are almost certainly places that have secure certificates that can't audit all the potential copies that might have been made.

 >> Do you think security could be improved by having
browsers and other programs make whois queries automatically?
Slightly, but the DNS infrastructure probably would not handle having
every query send to an authoritative source, which is why we have the
caches that can be compromised in the first place.

So doing that manually works for you only because most people don't do it?

Most internet operations aren't worth this tradeoff in trouble vs. security. But if you have any reason to think your DNS is compromised, it might be worth an extra step before doing a secure transaction.

Also, if it is the a system administrator at the bank, what is to
prevent him from just changing the real name servers?
That's visible and would leave traces in obvious places.

As I already wrote, a bank should have things set up so that copying a secret key would also leave traces.

If they haven't outsourced that job and left it up to someone else to comply.

--
   Les Mikesell
    lesmikesell@xxxxxxxxx


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux