Cache poisoning vulnerability found in BIND
Posted Jul 26, 2007 2:15 UTC (Thu) by elanthis
Parent article: Cache poisoning vulnerability found in BIND
Fortunately, SSL solves this problem for secure sites. Even if you end up at the attacker's site, you will get an invalid cert warning.
One of the things IE7 does far, far better than Firefox is the invalid SSL cert dialog. On Firefox, you get a popup. Users just hit OK. On IE7, you get a big huge scary warning page that makes it very clear something is wrong.
One of our support guys asked me the other day what the weird popup he was getting was all about. He'd been getting it for a few weeks, but had always hit OK and never bothered reading it. He got a phone call from a user on IE7 who was freaking out about a funny page that always came up before the site that said his site was insecure and broken. The SSL cert on the client's site had expired. Our relatively experienced tech hadn't realized because he, like 99% of users, ignores popups and hits OK, whereas the client on IE7 was given a very visible and difficult to ignore warning.
Firefox should be doing the same thing as IE7. I'd go so far as to say that it should even just refuse to access sites with invalid SSL certs unless the user manually adds it to a white-list, and even then it should give the IE7 warning. The only reason you should ever have to use an invalid cert is for testing, and if you're just testing you can put up with the hassle.