Re: Versign creates man-in-the-middle attack on DNS

2003-09-18 Thread Scott Guthery
Let's see ... you type in a URL that isn't working and you
are immediately bound by a long list of conditions ...

AGREEMENT TO BE BOUND.
By using the service(s) provided by VeriSign under these Terms of Use, you
acknowledge that you have read and agree to be bound by all terms and
conditions herein and documents incorporated by reference.

Makes the RIAA look like Mother Teresa.

Cheers, Scott

- Original Message - 
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Orig-To: "Philodox Clips" <[EMAIL PROTECTED]>
Sent: Tuesday, September 16, 2003 12:37 AM
Subject: Re: Versign creates man-in-the-middle attack on DNS


>
> --- begin forwarded text
>
>
> Status:  U
> Date: Tue, 16 Sep 2003 15:04:51 +1200 (NZST)
> Subject: Re: Versign creates man-in-the-middle attack on DNS
> From: "Kerry Thompson" <[EMAIL PROTECTED]>
> To: "Tim May" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> User-Agent: SquirrelMail/1.4.1
> Sender: [EMAIL PROTECTED]
>
> Tim May said:
> >
> > I didn't get a Verisign page...I got the usual error.
> >
> > "Could not open the page http://www.thisisjunk55666.com/ because the
> > server www.thisisjunk55666.com could not be found."
> >
>
> Try http://www.thisisjunk55666.net - I think .com hasn't been switched or
> hasn't propagated yet.
>
> Result is an ugly Verisign search engine page.
>
> Kerry
>
> --- end forwarded text
>
>
> -- 
> -
> R. A. Hettinga 
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: Versign creates man-in-the-middle attack on DNS

2003-09-18 Thread Tim May
On Monday, September 15, 2003, at 07:24  PM, Neil Johnson wrote:

> Just a few hours ago Versign modified the Internet's root DNS servers to
> respond to ANY DNS lookup that doesn't resolve in a real hostname to return
> the IP address of one of their servers where they claim to have a search
> engine.
>
> For example, if you access http://www.thisisjunk55666.com , you will get a
> Verisign page, not a "Host can not be found error".
>
> This means that many anti-spam checks will fail among other issues.
>
> They will also intercept mail to mistyped email hosts (They claim to
> reject the mail, but not after having collected the From and To address).
>
> This really bites.

I didn't get a Verisign page...I got the usual error.

"Could not open the page http://www.thisisjunk55666.com/ because the
server www.thisisjunk55666.com could not be found."

--Tim May

"We are at war with Oceania. We have always been at war with Oceania."
"We are at war with Eurasia. We have always been at war with Eurasia."
"We are at war with Iraq. We have always been at war with Iraq.
"We are at war with France. We have always been at war with France."


Re: Versign creates man-in-the-middle attack on DNS

2003-09-17 Thread Neil Johnson
Official notice from verisign.

Today VeriSign is adding a wildcard A record to the .com and .net
zones.  The wildcard record in the .net zone was activated from
10:45AM EDT to 13:30PM EDT.  The wildcard record in the .com zone is
being added now.  We have prepared a white paper describing VeriSign's
wildcard implementation, which is available here:

http://www.verisign.com/resources/gd/sitefinder/implementation.pdf 

By way of background, over the course of last year, VeriSign has been
engaged in various aspects of web navigation work and study.  These
activities were prompted by analysis of the IAB's recommendations
regarding IDN navigation and discussions within the Council of
European National Top-Level Domain Registries (CENTR) prompted by DNS
wildcard testing in the .biz and .us top-level domains.  Understanding
that some registries have already implemented wildcards and that
others may in the future, we believe that it would be helpful to have
a set of guidelines for registries and would like to make them
publicly available for that purpose.  Accordingly, we drafted a white
paper describing guidelines for the use of DNS wildcards in top-level
domain zones.  This document, which may be of interest to the NANOG
community, is available here:

http://www.verisign.com/resources/gd/sitefinder/bestpractices.pdf

Matt
--
Matt Larson <[EMAIL PROTECTED]>
VeriSign Naming and Directory Services

-- 
Neil Johnson
http://www.njohnsn.com
PGP key available on request.



Re: Versign creates man-in-the-middle attack on DNS

2003-09-17 Thread Kerry Thompson
Tim May said:
>
> I didn't get a Verisign page...I got the usual error.
>
> "Could not open the page http://www.thisisjunk55666.com/ because the
> server www.thisisjunk55666.com could not be found."
>

Try http://www.thisisjunk55666.net - I think .com hasn't been switched or
hasn't propagated yet.

Result is an ugly Verisign search engine page.

Kerry



Re: Versign creates man-in-the-middle attack on DNS

2003-09-17 Thread Neil Johnson
On Monday 15 September 2003 09:50 pm, Tim May wrote:

>
> I didn't get a Verisign page...I got the usual error.
>
> "Could not open the page http://www.thisisjunk55666.com/ because the
> server www.thisisjunk55666.com could not be found."

Try:

http://www.bfafasfas.com

Word on the North American Network Operators Group (NANOG) mailing list is
that some major ISPs are null routing the address of the verisign server in
protest.

The DNS name for the site you are redirected to is

http://sitefinder.verisign.com . Its IP address is 64.94.110.11

If you can't get to the Address, it has probably been null-routed.

There is an article on slashdot already:

http://slashdot.org/article.pl?sid=03/09/16/0034210

-- 
Neil Johnson
http://www.njohnsn.com
PGP key available on request.



Versign creates man-in-the-middle attack on DNS

2003-09-17 Thread Neil Johnson
Just a few hours ago Versign modified the Internet's root DNS servers to
respond to ANY DNS lookup that doesn't resolve in a real hostname to return
the IP address of one of their servers where they claim to have a search engine.

For example, if you access http://www.thisisjunk55666.com , you will get a 
Verisign page, not a "Host can not be found error".

This means that many anti-spam checks will fail among other issues.

They will also intercept mail to mistyped email hosts (They claim to reject 
the mail, but not after having collected the From and To address).

This really bites.

-- 
Neil Johnson
http://www.njohnsn.com
PGP key available on request.
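The thread makes two operational points: a wildcard A record in .com/.net makes every nonexistent name resolve to the Site Finder address (64.94.110.11, as Neil Johnson reports), and a "does the sender's domain resolve?" anti-spam check therefore starts accepting typo domains. The following is an added example, not code from any poster in this thread, showing a mail-side check that first probes the TLD for wildcard synthesis and then refuses to count a wildcard target as a real answer. The only value taken from the thread is the Site Finder address; the zone table, the `make_fake_resolver` stand-in and the sample domains are constructed so the script runs offline, and `system_resolve` (standard-library `socket.gethostbyname_ex`) is what you would plug in against a live resolver.

```python
import random
import socket
import string

# Site Finder address as reported in the thread; addresses learned by
# probing are added to this set at runtime.
KNOWN_WILDCARD_ADDRS = {"64.94.110.11"}


def system_resolve(name):
    """Resolve `name` with the OS resolver. Returns a list of IPv4 addresses,
    or [] when the name does not exist (NXDOMAIN) or the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def make_fake_resolver(zone_table, wildcard_tlds, wildcard_addr):
    """Constructed stand-in for the DNS during the wildcard episode: names in
    `zone_table` resolve normally, any other name under a wildcarded TLD gets
    the wildcard address, and everything else is NXDOMAIN (empty list)."""
    def resolve(name):
        if name in zone_table:
            return list(zone_table[name])
        tld = name.rsplit(".", 1)[-1]
        if tld in wildcard_tlds:
            return [wildcard_addr]
        return []
    return resolve


def random_label(length=24, rng=random):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def detect_wildcard(tld, resolve, probes=3, rng=random):
    """Probe random labels under `tld`. A random 24-character label is, for
    practical purposes, never registered, so any answer it gets was
    synthesized by a wildcard (in the zone or somewhere on the resolver path).
    Returns the set of addresses handed back for the probes; an empty set
    means the TLD still answers NXDOMAIN for nonexistent names."""
    synthesized = set()
    for _ in range(probes):
        synthesized.update(resolve(f"{random_label(rng=rng)}.{tld}"))
    return synthesized


def naive_domain_exists(domain, resolve):
    """The kind of anti-spam check the thread says breaks: 'does the sender
    domain resolve at all?' Under a wildcard, every typo domain resolves."""
    return bool(resolve(domain))


def domain_exists(domain, resolve, wildcard_addrs):
    """Hardened check: a domain counts as existing only if it resolves to
    something other than a known wildcard target."""
    return any(addr not in wildcard_addrs for addr in resolve(domain))


def check_sender_domain(domain, resolve=system_resolve):
    """Learn the wildcard addresses for the domain's TLD by probing, then
    decide whether the sender domain really exists.
    Returns (exists, wildcard_addrs)."""
    tld = domain.rsplit(".", 1)[-1]
    wildcard_addrs = KNOWN_WILDCARD_ADDRS | detect_wildcard(tld, resolve)
    return domain_exists(domain, resolve, wildcard_addrs), wildcard_addrs


# Constructed sample data for an offline run: two real names, wildcarded
# .com and .net, and an untouched .org.
SAMPLE_ZONES = {"example.com": ["192.0.2.10"], "mail.example.net": ["192.0.2.25"]}
fake_resolve = make_fake_resolver(SAMPLE_ZONES, {"com", "net"}, "64.94.110.11")

if __name__ == "__main__":
    for domain in ("example.com", "exmaple.com", "nonexistent.org"):
        naive = naive_domain_exists(domain, fake_resolve)
        hardened, wc = check_sender_domain(domain, fake_resolve)
        print(f"{domain:18} naive={naive!s:5} hardened={hardened!s:5} "
              f"wildcard={sorted(wc)}")
```

Against the constructed resolver, `exmaple.com` passes the naive check and fails the hardened one, while `example.com` passes both. The probe step matters because a fixed address list goes stale; the trade-off is that a legitimate host which genuinely sits on a wildcard target address would also be rejected, so the learned set should be logged, not silently applied. Resolver operators at the time addressed the same problem one layer down, in the resolver itself (BIND's delegation-only zones); the check above is the mail-side equivalent.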