[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Sean Donelan
sean at donelan.com
Thu Jul 10 17:19:27 UTC 2008
On Thu, 10 Jul 2008, Michael Monnerie wrote:
> On Donnerstag, 10. Juli 2008 Otmar Lendl wrote:
>> In his experience, users simply ignore those warnings.
>
> Of course. Because they just cannot understand what the message on the
> screen means. It's like you make a complete medical check and get the
> results in doctor's language (latin TLDs and such). After all, what
> should the user do? If he clicks no, he cannot do netbanking. So he'll
> try again and click yes, and it (seems to) work. Programs would have to
> deny access and display the telephone number of the hotline, that would
> be the only help.
>
> Every day I see end users doing the wrong thing. Otherwise the virus
> problem would be negligible.
Yep, that's why I chuckled when I saw ISC claiming DNSSEC was "the
definitive solution."
Even assuming DNS registries have any better security for checking DNS
changes before they sign the data (click here to e-mail the password you
forgot, or send a request on company letterhead), and assuming DNS users
understand/don't ignore/don't disable DNSSEC warnings (some people
turnoff UDP checksums for better performance), and so on....
Is ISC engaging in a bit of P.R. puffery talking about "the only full
solution" to scare people to use DNSSEC. ISC's previous vulnerability
disclosures don't hype DNSSEC.
More information about the dns-operations
mailing list