From: Chris Palmer
Date: Wed, 09 Jul 2008 22:21:52 -0700
To: Jason Stone, freebsd-security@freebsd.org
Subject: Re: BIND update?

Jason Stone wrote:

> So you say, "But I don't send important information over that
> connection, nor do I trust the information I get back?" Maybe. I think
> that the AOL data leak fiasco proved that, while people don't generally
> think of search queries as sensitive, they really kind of are. And you
> almost certainly place _some_ trust in the results you get back; I mean,
> you're not reading them purely as fiction.

I validate such unauthenticated information at the human layer. Have to -- even when nobody has tampered with DNS, BGP, or HTTP, the stuff at nytimes.com and wikipedia.org is still often false.

> So, if your DNS resolver is vulnerable to cache poisoning, then every
> time you casually surf the web, you're allowing for the possibility that
> you will get spoofed, surf to some malware site, get served a browser
> exploit, and get 0wned.

That is already true, and is true regardless of the "security" of the DNS. Think hard on why this is possible:

http://ex-parrot.com/~pete/upside-down-ternet.html :)

Similarly, why does YouTube disappear whenever Pervez Musharraf gets cranky?

> I agree that DNSSEC is the real solution.

It won't, and can't, solve *any* of the problems you cited. Any attacker that can mangle my DNS traffic (and cache poisoning is hardly the only way to do that) can also just read and alter *any* non-secure-by-design plaintext network traffic.

> I also think that making it easy (or even possible) to sandbox the
> browsers is a real solution. I think that using strong crypto everywhere
> and making fine-grained capabilities and MAC systems ubiquitous is also a
> real solution.

Okay, I know when I'm being trolled. :) I'll stop posting now. It's bed time anyway.