26 Jul 15:00
Re: DNS Attacks
Mikkel L. Ellertson <mikkel <at> infinity-ltd.com>
2008-07-26 13:00:31 GMT
Björn Persson wrote:
> Les Mikesell wrote:
>> You aren't paranoid enough. What if the spoofer is also a system
>> administrator at the bank with access to a copy of the real certificate
>> that he installs on the machine he's tricked your dns into reaching -
>> with the expected name that you'll still see.
>
> Then the bank has failed to protect its secret key. I expect banks to have
> rigorous security routines to control who can access sensitive systems, and
> to be able to check afterwards who did what.
>
> Could you elaborate on how whois guards against malicious system
> administrators? Do you think security could be improved by having browsers
> and other programs make whois queries automatically?
>
> Björn Persson
>

Also, if it is a system administrator at the bank, what is to prevent
him from just changing the real name servers? Or putting in a program
on the bank's web server to capture the username and password when you
enter them? Let's face it, if a bank employee wants to embezzle money
from the bank, there is not much we as customers can do about it.

Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
--
fedora-list mailing list
fedora-list <at> redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list