lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue May 23 03:37:17 2006
From: brian at dessent.net (Brian Dessent)
Subject: Five Ways to Screw Up SSL

Valdis.Kletnieks@...edu wrote:
> 
> On Mon, 22 May 2006 12:02:23 EDT, Dude VanWinkle said:
> 
> > DNS foo to the client, how easy is that? Would you have to get the
> > upstream DNS server to  cache your bogus entry?
> 
> You'd be *amazed* how many are still running BIND 4 or 8....

That, or use a browser exploit or mass email to drop a small program on
the end user's machine that changes the configured values of the DNS
servers to ones that you run.  You don't even have to leave any traces
of this (like .exe files that run at startup), it could be a one-time
configuration change.  The end user would have no clue this had happened
since the malicious servers would be standard recursive resolvers, so
their net access remains fully operational... 

Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ