DNS Attacks

[Les Mikesell]

Björn Persson wrote:
> 
>> If you are really paranoid (or about to do large transactions on what
>> you hope is your banking site), you could do a 'whois' lookup for the
>> target domain to find their own name servers and send a query directly
>> there for the target site.
> 
> Check that the domain name in the address bar is right, that you're using 
> HTTPS, and that the bank's certificate has been verified correctly. Then 
> you're safe, unless the attacker has *also* managed to trick one of the 
> certification authorities into issuing a false certificate, or somehow 
> sneaked a false CA certificate into your browser.

You aren't paranoid enough.  What if the spoofer is also a system 
administrator at the bank with access to a copy of the real certificate 
that he installs on the machine he's tricked your dns into reaching - 
with the expected name that you'll still see.

-- 
   Les Mikesell
    lesmikesell at gmail.com