Date: Mon, 26 Sep 2016 17:43:40 -0700
From: John-Mark Gurney
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: Two Dumb Questions
Message-ID: <20160927004340.GB1662@funkthat.com>
References: <32084.1474872154@segfault.tristatelogic.com>
In-Reply-To: <32084.1474872154@segfault.tristatelogic.com>

Ronald F. Guilmette wrote this message on Sun, Sep 25, 2016 at 23:42 -0700:
> Here's my point: If you really have already managed to become
> the man-in-the-middle anyway, then couldn't you just dummy up
> any and all responses, including those for DNS, in such a way
> as to make it all appear to the victim that everything was
> "normal", you know, such that he can see the cute little
> padlock symbol to the left of the URL in the browser?

As for DNS, that is the reason DNSSEC has been deployed. To ensure that
the response is correct. Though if the attacker completely controls
your inet connection, they don't even need to do this, as they can just
pretend to be any IP they want to be.

Cryptography allows you to verify the identity of another party and
ensure it is not tampered with using PKI[1].

There are other forums that are better to ask how this is possible.

[1] https://en.wikipedia.org/wiki/Public_key_infrastructure

-- 
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
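The PKI check referred to in the reply above, as an added example that is not part of the original message: a client that trusts one CA accepts the certificate that CA signed and rejects a certificate an interceptor made for the same name. The CA name "Demo Trusted CA", the host name www.example.test and the function name pki_demo are assumptions, and every key and certificate is constructed locally with the openssl command-line tool.

```shell
#!/bin/sh
# Added illustration, not from the original thread. All names, keys and
# certificates below are constructed for the demo; nothing touches the network.

pki_demo() {
    dir=$(mktemp -d) || return 1

    # 1. A CA the client trusts (stands in for the browser's root store).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Trusted CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1

    # 2. The genuine server: its own key, with a certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/srv.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" 2>/dev/null || return 1

    # 3. The interceptor: same subject name, but it lacks the CA's private
    #    key, so the best it can produce is a self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/mitm.key" -out "$dir/mitm.pem" 2>/dev/null || return 1

    # 4. The client's check: does the certificate chain to the trusted CA?
    #    (Signature chain only; a real TLS client also matches the host name.)
    if openssl verify -CAfile "$dir/ca.pem" "$dir/srv.pem" >/dev/null 2>&1
    then real=accepted; else real=rejected; fi
    if openssl verify -CAfile "$dir/ca.pem" "$dir/mitm.pem" >/dev/null 2>&1
    then forged=accepted; else forged=rejected; fi

    rm -rf "$dir"
    echo "real=$real forged=$forged"
}
```

Controlling DNS or IP routing changes which machine answers, but not which certificates chain to a CA the client already trusts, which is why the second verification fails.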