cbuxton at menandmice.com
Mon Jul 28 15:53:48 PDT 2008
You continue to completely misconstrue what people are saying, because
you want to believe this is harmless and is being blown out of
Mr. Kaminsky did not say what you said he said. Not at all.
As for the bad guys not having SSL certs, you're wrong there again.
Criminals have been known to fool a CA into issuing them a cert for
someone else's legitimate business. The DNS exploit under discussion
could even theoretically be used to accomplish this.
Men & Mice
On Jul 28, 2008, at 2:59 PM, marty wrote:
> Ok guys, Dan Kaminsky finally let the cat out of the bag,
> and demonstrated some popular software can be exploited.
> Pretty much a non-event despite all the hype.
> The only people who can fix this are the major players who
> are a bunch of fat, lazy, greedy, corporate types.
> Users are not directly vulnerable to this in most cases.
> He also made it very obvious this is far more annoyance than
> threat. Being redirected to a malware site does not present
> any real danger for Linux users or even to patched Windoze
> users. That is only the first step anyway.
> Attackers still must use a secondary vehicle to deliver the
> main attack once they have diverted you to a site they
> control. They will probably try to use a hidden Iframe
> injected into a real banking site to fool you and steal your
> password. Very old hat and only idiots will fall victim.
> Secure transactions cannot be successfully faked because the
> attackers don't have the SSL private key. Your browser will
> clearly show when the connection has unencrypted portions.
> Disconnect when in doubt. Duh.
> Web sites have much more to fear, because they can easily be
> diverted to porn sites or whatever. Totally harmless except
> from a reputation standpoint. God.com => Hotporn.com.
> oops.... actually, that might prove to be a blessing:)
> No the sky is not falling and this will pass soon.
> But watch out for that Banana vuln..It's a real killer.
> Marty B.
> Electile Dysfunction : the inability to become aroused over
> any of the
> choices for President put forth by either party in the 2008
More information about the hlfs-dev