Date:      Mon, 26 Sep 2016 17:43:40 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Two Dumb Questions
Message-ID:  <20160927004340.GB1662@funkthat.com>
In-Reply-To: <32084.1474872154@segfault.tristatelogic.com>
References:  <32084.1474872154@segfault.tristatelogic.com>

Ronald F. Guilmette wrote this message on Sun, Sep 25, 2016 at 23:42 -0700:
> Here's my point:  If you really have already managed to become
> the man-in-the-middle anyway, then couldn't you just dummy up
> any and all responses, including those for DNS, in such a way
> as to make it all appear to the victim that everything was
> "normal", you know, such that he can see the cute little
> padlock symbol to the left of the URL in the browser?

As for DNS, that is the reason DNSSEC has been deployed: to ensure
that the response is correct.  Though if the attacker completely
controls your inet connection, they don't even need to do this, as
they can just pretend to be any IP they want to be.

Cryptography allows you to verify the identity of another party and
ensure that it is not tampered with, using PKI[1].

There are other forums that are better to ask how this is possible.

[1] https://en.wikipedia.org/wiki/Public_key_infrastructure

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
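An added illustration of the DNSSEC point above (example code, not part of the original thread): a validating resolver accepts an answer only if the signature over the canonical RRset verifies under the zone's public key, so an on-path attacker who substitutes an address cannot make it validate. The RRset text form, the hypothetical zone name and the addresses are constructed for the example; the canonical form is a simplified stand-in for the RFC 4034 wire form, and Ed25519 stands in for DNSSEC algorithm 15.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// rr is a minimal resource record carrying the fields that RFC 4034 s6
// canonicalises before signing (constructed for this example).
type rr struct {
	Owner string // e.g. "www.example.com."
	Type  string // e.g. "A"
	TTL   uint32
	Rdata string
}

// canonical renders an RRset the way signer and validator must both see it:
// owner names lower-cased, records sorted, one record per line.
// (Simplified text form; real DNSSEC signs the RFC 4034 wire form.)
func canonical(rrs []rr) []byte {
	lines := make([]string, 0, len(rrs))
	for _, r := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d IN %s %s",
			strings.ToLower(r.Owner), r.TTL, r.Type, r.Rdata))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// signRRset plays the zone operator: the RRSIG equivalent over the RRset.
func signRRset(priv ed25519.PrivateKey, rrs []rr) []byte {
	return ed25519.Sign(priv, canonical(rrs))
}

// validate plays the validating resolver: accept the answer only if the
// signature verifies under the zone's DNSKEY (public key).
func validate(pub ed25519.PublicKey, rrs []rr, sig []byte) bool {
	return ed25519.Verify(pub, canonical(rrs), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	answer := []rr{{"www.example.com.", "A", 300, "192.0.2.10"}}
	sig := signRRset(priv, answer)
	fmt.Println("genuine answer validates:", validate(pub, answer, sig))
	// A man-in-the-middle swaps in their own address but has no private key
	// to produce a matching RRSIG, so the validator rejects the answer.
	forged := []rr{{"www.example.com.", "A", 300, "198.51.100.66"}}
	fmt.Println("forged answer validates:", validate(pub, forged, sig))
}
```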


