DNS spoofing and poisoning.

Troy Benjegerdes hozer at hozed.org
Sat May 21 18:37:17 PDT 2005


On Sat, May 21, 2005 at 04:00:25PM -0500, Mark wrote:
> Troy Benjegerdes wrote:
> 
> >Is there anything in the current protocol to mitigate DNS spoofing
> >and cache poisoning attacks?
> >
> I wouldn't think anything less than a third-party Certificate Authority 
> could prevent such attacks.

Well, it'd be nice if there was a mechanism for sites to exchange keys
so they don't have to depend on a certificate authority. So say
Livejournal and Deadjournal could exchange keys. And for users that are
technically savvy enough, give them some interface to manage per-user
keys.

There are various web-of-trust things that could be done to accomplish
this. Like maybe Livejournal could provide public keys of people I say I
trust in my foaf data.

I suppose the only point really appropriate for the openid discussion is
I'd like to see an (optional) mechanism other than just trusting DNS to
verify ownership of a particular URL. Two things that come to mind are
using SSL/X509 certificates (and this should support self-signed
certificates), or something like PGP.


More information about the yadis mailing list