On Sat, 16 Aug 2008, Ted Lemon wrote:

> The hype surrounding the Kaminsky report is unjustified.  For example,
> one can't steal bank information with this attack, as the mainstream
> press has reported.

> This isn't true, because if I can convince a naive user that he or she is
> talking to your bank, I can get them to enter their information into a web
> page that isn't protected by SSL.

> Alternatively, I can find a server that has a valid SSL cert, crack it, set

Even easier, just grab the ones that were created on Debian.

Funny how DNSSEC-phobic people keep referring to SSL as the solution. Reread
Dan's slides to see how to combine the DNS and the Debian SSL issue into a
mega attack.

> However, if part of the deployment involves putting DNSSEC-validating
> resolvers in the DNS caching servers, then there will be an opportunity for
> DoS attacks, and so deployments of that type will have to be done very
> carefully.

At least you won't be receiving endless streams of DNS packets trying to
race your DNS resolver using NXDOMAIN records using Dan's attack. I'd rather
have some extra CPU load to mitigate the bandwidth losses.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop