[Cryptography] phishing, was Encryption opinion
John Levine
johnl at iecc.com
Tue Sep 9 13:49:03 EDT 2014
>> This battle was lost long, long ago. ISPs routinely intercept
>> NXDOMAIN DNS results and replace them with A records pointing to a web
>> server with "helpful" paid ads.
>I've always found this one complicated. If done without the end user's permission, it's an issue. But there are
>people who believe it's bad even *with* the end-user's permission - for reasons I find hard to follow.
There's a good reason and a bad reason.

The bad reason is that it violates the holy end-to-end principle, of
which the less said the better.

The good reason is that not all DNS lookups are for web pages. Pick a
service like mail, SIP, or XMPP, and add a user who mistypes an
address, or a server whose name changed. Normally NXDOMAIN will tell
the user that something's wrong, but now she gets an A record and
tries to connect to the ISP's helpful box. If she's lucky she'll get
a different error message, if she's less lucky things will fail
silently, or the server will steal her traffic.

For double extra fun, try running something like a private XMPP server
which checks incoming addresses against DNSBLs to avoid hostile bots,
a common thing to do. DNSBLs return NXDOMAIN to mean not listed,
which are helpfully corrected to an A record. Oops.

If you want to do URL correction, the reasonable place to do it is in
the browser where at least you know you're looking for a web page.

R's,
John
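
The DNSBL failure described in the message above, as an added example that is not part of the original post: a check that treats any A record as "listed" next to one that accepts only 127.0.0.0/8 answers, plus a canary lookup based on the RFC 5782 rule that a DNSBL must not list 127.0.0.1. The zone name, function names and both resolvers are hypothetical, constructed stand-ins so the code runs offline.

```python
import ipaddress

DNSBL_CODES = ipaddress.ip_network("127.0.0.0/8")  # genuine DNSBL answers live here
ZONE = "dnsbl.example"                             # hypothetical DNSBL zone

def query_name(ip, zone):
    # 203.0.113.7 -> 7.113.0.203.dnsbl.example
    return ".".join(reversed(ip.split("."))) + "." + zone

def naive_listed(ip, zone, resolve):
    # Any A record counts as "listed": breaks once NXDOMAIN is rewritten.
    return bool(resolve(query_name(ip, zone)))

def strict_listed(ip, zone, resolve):
    # Only a 127.0.0.0/8 answer counts; anything else is treated as not listed.
    return any(ipaddress.ip_address(a) in DNSBL_CODES
               for a in resolve(query_name(ip, zone)))

def resolver_rewrites_nxdomain(zone, resolve):
    # RFC 5782: a DNSBL must not list 127.0.0.1, so any answer here is synthetic.
    return bool(resolve(query_name("127.0.0.1", zone)))

# Constructed sample zone contents: the test entry and one listed client.
LISTED = {"2.0.0.127.dnsbl.example": ["127.0.0.2"],
          "7.113.0.203.dnsbl.example": ["127.0.0.4"]}

def honest_resolve(name):
    return LISTED.get(name, [])          # [] stands for NXDOMAIN

def rewriting_resolve(name):
    # Stand-in for a resolver that turns NXDOMAIN into its own web server's address.
    return honest_resolve(name) or ["192.0.2.80"]

def demo():
    rows = []
    for label, resolve in (("honest", honest_resolve),
                           ("rewriting", rewriting_resolve)):
        rows.append((label,
                     resolver_rewrites_nxdomain(ZONE, resolve),
                     naive_listed("198.51.100.9", ZONE, resolve),   # unlisted client
                     strict_listed("198.51.100.9", ZONE, resolve),
                     strict_listed("203.0.113.7", ZONE, resolve)))  # listed client
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A server can run the canary lookup at startup and refuse to use the resolver for DNSBL checks when it returns an answer.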