Comments on ADD / XOR / ROL
Author: halvar.flake
Updated: 2024-03-03T02:04:07.138-08:00

denis bider, 2008-09-02T20:33:00.000-07:00

I'm late to the party, sorry about that.

I strongly agree with Halvar - a sensible, security-aware person must assume that their gateway is owned, and we certainly need to have SSL everywhere.

Problem is - we don't! Most websites worldwide still operate on plaintext HTTP! Most people don't even use SSL for services that require login!

And then you have all those HTTP servers (no SSL) that serve pages which take in scripts from Google analytics, which scripts themselves are served from plain HTTP...

It's absolutely horrible, but I think we'll need to see actual attacks on larger scales before everyone figures out: "Gee, maybe we should redirect our incoming traffic to HTTPS... dontcha think?"

Rafel Ivgi, 2008-08-10T19:19:00.000-07:00

Hi Halvar!
I agree with you that it's a very nice bug and people just took it a little out of proportion. What I can understand is where they are coming from. Simple users don't even know what SSL is, they see the "Lock picture" on the bank's website and they feel safe. The media's point is that this can be used for stealing user accounts (replacing a login server for example yahoo, gmail) infecting (like changing the dns of common software like winamp.com and implementing a server with a downloadable /winampsetup.exe...) or phishing a few million people with so little effort at one single point, is dangerous.
Still, this doesn't interest or scare me at all. I will keep feeling that a good remote code execution in Internet Explorer is more dangerous :)

Mr C, 2008-07-14T10:55:00.000-07:00

hmm.. yup I do think you're overlooking something. Well, obviously you understand all the technical whatnot but:

"The basic assumption is always my gateway is controlled by my opponent"

This isn't how people browse the net, they type www.mybank.com, and expect the web page returned to be the real one. That's what the fuss is all about. Non-techies, businesses, not clever peeps like yourself.

Anonymous, 2008-07-12T16:50:00.000-07:00

Even tho this dns poisoning stuff kinda old (I think we won't be surprised when kazencky or whoever expose "his great finding"), I've been here long enough to know how many "opponents" using this attack, and not so many. Doing any kind of MITM attacks in real -not in theory- isn't just clicking on a button.

So who poisons the dns servers and why?
Usually not fraudsters, but defacers, who badly want to "deface" a site or hackers who are willing to put a lot of effort to pwn someone's network.

And BTW f-ck security industry, ripe, isc, cert they deserve to get owned.

rwnin, 2008-07-11T20:51:00.000-07:00

imo, the big story here is the coordinated vendor response/patching...

BCF, 2008-07-11T07:55:00.000-07:00

Yeah (using evan's first point as a jumping off place), secure protocols aren't universal. Not everyone uses them. That doesn't change Halvar's point, which is that your default assumption is gateway compromise. The lack of secure protocols being used everywhere is a problem with or without the DNS issue. You had to encrypt and protect inside the border already. Just because people weren't doing so doesn't change that, IMO.

Anonymous, 2008-07-11T00:03:00.000-07:00

Use case:
1. User enters www.internetbank.com in the browser

2. Poisoned DNS returns attacking server

3. User does unencrypted login to attacking server which proxies to the TLS-protected internet-bank

4. You have MITM without the user noticing, even though the bank doesn't allow non-TLS connections

When this is done to the resolvers at a large ISP, lots of customers will be affected (since they in general won't check to see if their login is encrypted, perhaps they checked that the first time they used the bank).

If a single gateway device is owned, only you are affected. That is a huge difference.

Tim, 2008-07-10T11:51:00.000-07:00

I concur on a personal basis but from my perspective the issue has nothing to do with me. It has to do with protecting all of the sheep, err users, I'm responsible for protecting that don't understand SSL, SSH, etc. and never will because it's not something they care to understand. This is potentially a big deal from the standpoint that, assuming it is as Kaminsky claims, and the perps start using it they have a great vehicle for a new phishing variation. Yes, SSL can prevent this, but only if the user bothers to look. So the bot herders update their bots to mass poison caches with their fake e-bay site and suddenly they get a lot more success and I have to explain over and over to the sheep, err users. *shrug*

Evan Sparks, 2008-07-10T11:32:00.000-07:00

1) Secure protocols aren't ubiquitous despite the fact that they "should" be.

2) The potential for massive DoS on just about every internet user is enormous, as well. DoS here, in the sense of "I can't read my e-mail." or "I can't trade my stocks."

Just because these problems are "solved" or are uninteresting doesn't mean it doesn't have direct impact on today's internet.

Granted, I don't know why the security community cares so much. But, I do think that the vendors did the right thing to massively coordinate simultaneous patches.

Pete Markowsky, 2008-07-10T11:23:00.000-07:00

Honestly I agree with you. I too, don't get the joke. Especially when talking about mobile users who join random networks all the time such as wireless hotspots etc. Where potentially you can't trust the gateway or the provided resolver.