lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 31 Jul 2008 20:29:13 -0400
From: Mary and Glenn Everhart <Everhart@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re DNS spoofing issue discussion

To: Valdis.Kletnieks@...edu
Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on

I chose my wording to cover not only DNSSEC but possible alternatives
that could be devised. Certs are not the only way to do it, but it
needs to be installed all over.

The BGP fixes were devised after the last meltdown, but question again
is whether they are installed. If DNSSEC had been installed, Kaminsky's 
issue
would not exist.

Since the number of sites running BGP among themselves is not that huge,
it is probably not as practical an attack vector. Last meltdown that
happened was said to be solved largely because most of the BGP site 
operators
knew each other well enough to recognize voices on the phone. Net's bigger
now tho.

The fact that the recent youtube route hijack and the kenya routing 
insecurity
incidents happened suggests that the md5 security is not in fact in 
place much
(needs predefined secrets installed and apparently people don't configure it
to do anything). That being the case, a reminder that maybe it could be 
good to
reexamine this seems not totally daft.

Glenn Everhart
Everhart@....com

(posting from home; I am the same one who has posted from work also.)


-----Original Message-----
From: Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu]
Sent: Wednesday, July 30, 2008 11:30 AM
To: Everhart, Glenn (Card Services)
Cc: pschmehl_lists_nada@...rr.com; randallm@...mail.com;
full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on


On Sun, 27 Jul 2008 14:07:03 EDT, Glenn.Everhart@c<censored>h.a.sx.com said:
 > The need for something more like ssl certs in there remains

It's called DNSSEC, which has been out for a decade and more.

 > (Also needed for bgp I suspect).

RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at least
on a peer-to-peer basis, and has been out for a decade.  There's a 
discussion
of the issues in RFC5123.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ