Bugtraq mailing list archives

Re: "The End of SSL and SSH?"


From: Eric Rescorla <ekr () SPEEDY RTFM COM>
Date: Thu, 21 Dec 2000 09:57:08 -0800

Kurt Seifried <listuser () SEIFRIED ORG> writes:
> As for DNSSEC/etc yeah it's far from perfect but at least it might
> stop dns spoofing. I know I have no plans to fully populate my
> /etc/hosts and synch it between all my machines somehow anytime
> soon.
It seems to me that DNSSEC would have exactly the same problems that
you're complaining about with SSL.  After all, the problem isn't the
certificates with SSL aren't properly bound to the domain
name. Rather, it's that users ignore warnings that the certificates
are bad.

More importantly, just using DNSSEC won't protect against
man-in-the-middle attacks, unless the DNS records also contain
key records for the hosts you're trying to access. Sure, the attacker
won't be able to spoof your name resolution but he will be able to
hijack your TCP connection once you have resolved the hostname.
Merely having the correct IP address is not enough.

-Ekr

--
[Eric Rescorla                                   ekr () rtfm com]
                http://www.rtfm.com/
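As an added illustration of the point above (not part of the original post or thread), a small Python simulation: a client that checks only the DNSSEC-authenticated address accepts a hijacked session just as readily as the real one, while a client that also checks the peer's key against a DNS-published key record, in the SSHFP format later standardized in RFC 4255, rejects it. The domain, address, key blobs and DNS answers are all constructed for the demo.

```python
import hashlib
import hmac

# SSHFP (RFC 4255) field values: algorithm 4 = Ed25519, fingerprint type 2 = SHA-256.
SSHFP_ED25519, SSHFP_SHA256 = 4, 2

def sshfp_fingerprint(pubkey_blob: bytes) -> str:
    """Fingerprint as carried in an SSHFP record: hex SHA-256 of the public key blob."""
    return hashlib.sha256(pubkey_blob).hexdigest()

# Constructed key blobs: the legitimate host's key and the hijacker's key.
SERVER_KEY = b"constructed ed25519 public key blob of host.example.test"
ATTACKER_KEY = b"constructed ed25519 public key blob held by the hijacker"

# Constructed answers, assumed to have passed DNSSEC validation: the host's
# address and an SSHFP record carrying the legitimate key's fingerprint.
DNS = {
    "host.example.test": {
        "A": "192.0.2.10",
        "SSHFP": (SSHFP_ED25519, SSHFP_SHA256, sshfp_fingerprint(SERVER_KEY)),
    }
}

def accept_by_address_only(name: str, peer_ip: str, peer_key: bytes) -> bool:
    """Client that trusts DNS for the address and then takes whatever key the
    peer presents: the situation the post describes."""
    return peer_ip == DNS[name]["A"]

def accept_with_key_record(name: str, peer_ip: str, peer_key: bytes) -> bool:
    """Client that also requires the presented key to match the DNS key record."""
    if peer_ip != DNS[name]["A"]:
        return False
    alg, fptype, fp = DNS[name]["SSHFP"]
    if (alg, fptype) != (SSHFP_ED25519, SSHFP_SHA256):
        return False  # unsupported record type: refuse rather than silently accept
    return hmac.compare_digest(fp, sshfp_fingerprint(peer_key))

def demo() -> dict:
    """Hijacked session: the IP is the correct, DNSSEC-authenticated one, but
    the endpoint answering is the hijacker presenting its own key."""
    name, ip = "host.example.test", DNS["host.example.test"]["A"]
    return {
        "address_only_accepts_legit": accept_by_address_only(name, ip, SERVER_KEY),
        "address_only_accepts_hijack": accept_by_address_only(name, ip, ATTACKER_KEY),
        "key_record_accepts_legit": accept_with_key_record(name, ip, SERVER_KEY),
        "key_record_accepts_hijack": accept_with_key_record(name, ip, ATTACKER_KEY),
    }

if __name__ == "__main__":
    print(demo())
```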

