From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 07:02:39 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6F7191065687 for ; Thu, 10 Jul 2008 07:02:39 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) by mx1.freebsd.org (Postfix) with ESMTP id 1E6D68FC15 for ; Thu, 10 Jul 2008 07:02:38 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m6A72VV4011126; Thu, 10 Jul 2008 17:02:31 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200807100702.m6A72VV4011126@drugs.dv.isc.org> To: Chris Palmer From: Mark Andrews In-reply-to: Your message of "Wed, 09 Jul 2008 22:21:52 MST." <48759C70.2060705@noncombatant.org> Date: Thu, 10 Jul 2008 17:02:31 +1000 Sender: marka@isc.org Cc: Jason Stone , freebsd-security@freebsd.org Subject: Re: BIND update? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Jul 2008 07:02:39 -0000 > Jason Stone wrote: > > > So you say, "But I don't send important information over that > > connection, nor do I trust the information I get back?" Maybe. I think > > that the AOL data leak fiasco proved that, while people don't generally > > think of search queries as sensitive, they really kind of are. And you > > almost certainly place _some_ trust in the results you get back; I mean, > > you're not reading them purely as fiction. > > I validate such unauthenticated information at the human layer. Have to -- > even when nobody has tampered with DNS, BGP, or HTTP, the stuff at > nytimes.com and wikipedia.org is still often false. > > > So, if your DNS resolver is vulnerable to cache poisoning, then every > > time you casually surf the web, you're allowing for the possibility that > > you will get spoofed, surf to some malware site, get served a browser > > exploit, and get 0wned. > > That is already true, and is true regardless of the "security" of the DNS. > > Think hard on why this is possible: > > http://ex-parrot.com/~pete/upside-down-ternet.html > > :) > > Similarly, why does YouTube disappear whenever Pervez Musharraf gets cranky? > > > I agree that DNSSEC is the real solution. > > It won't, and can't, solve *any* of the problems you cited. Any attacker > than can mangle my DNS traffic (and cache poisoning is hardly the only way > to do that) can also just read and alter *any* non-secure-by-design > plaintext network traffic. DNSSEC won't stop all attacks. It does however stop some attack vectors. Others, like the man in the middle attack above, it won't stop. > > I also think that making it easy (or even possible) to sandbox the > > browsers is a real solution. I think that using strong crypto everywhere > > and making fine-grained capabilities and MAC systems ubiquitous is also a > > real solution. > > Okay, I know when I'm being trolled. :) I'll stop posting now. It's bed time > anyway. > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org