On Monday, July 22, 2002, at 04:49 , Ryan Finnie wrote:
> FYI, you have to be able to read hostmaster@<first host down the tree to
> have an mx record> to get a cert -- 'hacking DNS' won't help you there,
> young apprentice.
Huh? Last time I checked, reading mail at hostmaster@whatever ==
having the right MX record at whatever. Which would just be
hacking (or cracking, depending on what I do with it) DNS.
Am I not correct that if I were to manage to insert --- through
poisoning, plain machine cracking, etc.,
@ IN MX 0 my.mail.gateway.
to example.com's zone, I could get certified as anything-I-want.example.com?[0]
If so, then there is little point in these certificates. Eve
can't read the conversation regardless of if a certificate is
used; no authentication is required to thwart Eve. Public-key
alone does that. Mallory, however, can still do his dirty work:
He can, by intercepting and modifying your DNS queries, be
certified as whoever he wants. He can then launch an undetectable
man in the middle attack.
If I'm missing something obvious, please tell me. But I don't
see how your unauthenticated queries can possibly establish
identity.
[0] Some day, hopefully, DNSSec will be in wide use, and everything will be
signed. But that day is not today.
>
> RF
> (the moron who created opencerts.com)
--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
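A small illustration of the point argued in this thread, added here and not part of either poster's material or of opencerts.com: it hand-builds a constructed DNS response carrying the `@ IN MX 0 my.mail.gateway.` answer from the message above, parses it with the standard library only, and shows that an issuer which routes hostmaster@ validation mail by MX lookup must at least refuse answers that were not DNSSEC-validated (the AD bit, as set by a trusted validating resolver). Function names and the sample packet are my own.

```python
import struct
MX, IN, AD_FLAG = 15, 1, 0x0020        # RR type, class, header AD bit

def encode_name(name):  # wire-format a dotted name: length-prefixed labels, root = 0
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):  # read a name at off, following RFC 1035 compression pointers
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def build_mx_response(domain, exchange, ad):  # constructed sample packet, one MX answer
    flags = 0x8180 | (AD_FLAG if ad else 0)       # QR, RD, RA [, AD]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", MX, IN)
    rdata = struct.pack("!H", 0) + encode_name(exchange)   # preference 0, exchange name
    answer = b"\xc0\x0c" + struct.pack("!HHIH", MX, IN, 300, len(rdata)) + rdata
    return header + question + answer

def parse_mx_response(msg):  # -> (ad_bit_set, [(preference, exchange), ...])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(msg, off)
        off += 4                                  # qtype + qclass
    mxs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == MX:
            mxs.append((struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0]))
        off += rdlen
    return bool(flags & AD_FLAG), mxs

def hostmaster_mail_host(msg, require_dnssec=True):
    # Host that hostmaster@domain mail would be routed to, or None if the answer is untrusted.
    # The AD bit only means something when set by a validating resolver reached over a
    # trusted path; a forged packet can set it too, so this is the minimum check, not the whole fix.
    ad, mxs = parse_mx_response(msg)
    if require_dnssec and not ad:
        return None
    return min(mxs)[1] if mxs else None
```

With the naive policy (`require_dnssec=False`) the poisoned answer silently redirects the validation mail to `my.mail.gateway`; with the check on, the unauthenticated answer is rejected.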