User: Password:
|
|
Subscribe / Log in / New account

Cache poisoning vulnerability found in BIND

Cache poisoning vulnerability found in BIND

Posted Jul 26, 2007 13:15 UTC (Thu) by tialaramex (subscriber, #21167)
In reply to: Cache poisoning vulnerability found in BIND by elanthis
Parent article: Cache poisoning vulnerability found in BIND

Ah, you're not thinking like a security professional.

Suppose we make it so that _invalid_ certificates just don't work

Attackers may be able to obtain an _expired_ certificate, but that's OK we'll make sure those don't work either.

Or they can create a _self-signed_ certificate just as easily. Maybe we should make those not work?

At this point users will refuse to use your browser, because lots of sites that are concerned about snooping, but not about impersonation, use SSL with certificates that are self-signed (or signed by an unknown CA) to avoid the high cost of a "real" SSL certificate. Users will go to great lengths to bypass security that they regard as excessive or unwieldy.

Since, to an attacker, invalid and self-signed certificates are just as easy to make / obtain, there is no point to what IE did here AFAICT.


(Log in to post comments)

Cache poisoning vulnerability found in BIND

Posted Jul 29, 2007 23:49 UTC (Sun) by dlang (subscriber, #313) [Link]

as for avoiding the "high cost of 'real' SSL certs", they are only really expensive if you buy them from the wrong place. you can get 'real' ssl certs for <$100 individually, and if you are a company that needs a lot of them you can get them in quantity for <$50 (you also don't have to get certs that expire after one year either)

the fact that some people think it's necessary to pay $900 per year for a cert is a testimate to stupidity and marketing.

and frankly if you consider $50 or $100 too expensive then I question if what you are protecting is worth bothering with SSL in the first place.

Self signed certs are not a problem if you use them properly and have the users tell their browsers to install it as a valid cert, but just using them without giving the users a way to do this and expecting them to click through the cert warning is bad for everyone and provides little security to your users.

SSL Certificate costs...

Posted Jul 30, 2007 15:28 UTC (Mon) by cdmiller (subscriber, #2813) [Link]

If you have 50 FQDN's that need SSL, your looking at a $2500 - $5000 per year expense. Is that a lot to pay given the questionable trustworthiness of the major cert vendors, and the ease of generating a self signed certificate? For $5000 one can easily find hardware capable of hosting 50 domains, an additional $5k can make this redundant, so the current cost of a "browser approved" SSL cert is exorbitant in many situations.

Cache poisoning vulnerability found in BIND

Posted Jul 31, 2007 11:26 UTC (Tue) by cortana (subscriber, #24596) [Link]

... lots of sites that are concerned about snooping, but not about impersonation, use SSL with certificates that are self-signed (or signed by an unknown CA) to avoid the high cost of a "real" SSL certificate.

But the assurance that one is not being snooped strictly requires the assurance that one is not being impersonated.

Cache poisoning vulnerability found in BIND

Posted Jul 31, 2007 16:02 UTC (Tue) by zlynx (subscriber, #2285) [Link]

Using a self-signed SSL cert still raises the bar considerably. Especially if you immediately save it in your cert DB. Just like using SSH and saving the remote system key for the first time.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds