
The internet hijacked


iphigenie:
--pedantic mode--
you can run multiple ssl servers on one IP, although you have to use non standard ports - that's the way it is often done, especially if you have load balancers in front which can hide the non standard port
--shuts up--

Although the story of the root server is incredible - how could someone just snatch that IP like that...
Thankfully most of DNS never goes all the way up to the root server so the effect might not have been as bad.

Deozaan:
Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.
-f0dder (May 20, 2008, 08:20 AM)
--- End quote ---

I'm not sure if it's the real Bill Manning, but a user in the comments named Bill Manning said this:

Why was ICANN using the EP.NET address space?

It was assigned to "L" when I created it in 1996. ICANN should have renumbered when they took over "L". They did -not- and have been squatters on the space. They now threaten legal action if I announce my own space. This is a sad state of affairs.

--- End quote ---

I admit my own ignorance on what all these things truly mean, but if I understand it correctly, this is the reason why the IP address changed.

Lashiec:
What we need is a tinfoil hat :D

In theory, the newer browsers have a better system to warn the user about invalid certificates (using color codes and less cryptic dialogs). Then again you know what they say about the universe producing better and bigger idiots, including quite some webmasters.

Anyway, what troubles me the most is they don't have a clue about who and why :S

Gothi[c]:
https on alternate ports is a good solution but is not always an option, and it puts an ugly semicolon in the url (believe it or not, many people find this enough reason to not use it.)

Renegade:
I only want to comment on a couple things here that f0dder brought up. (Other comments have been done.)

There are a couple of WTFs here... one is that so many of the internet protocols we use have gaping security holes - something as critical for the whole internet infrastructure as the root DNS servers ought to have some form of cryptographic verification applied. I do realize it's basically impossible to change something as established as the DNS protocol, though, and that crypto verification would be very costly on something as high-volume as root DNS servers.
-f0dder (May 20, 2008, 08:20 AM)
--- End quote ---

Correct in every way. The cost would be impossible to cover.


Another WTF is that the IP address was changed in the first place. Now, the server might have needed to be moved to a different facility or what do I know, but when you're dealing with servers that have (and need) their IPs hardcoded in various places, you simply don't change that IP, period. And if it has to be done, for some extremely critical reason, you especially do not give up the old IP for grabs.
-f0dder (May 20, 2008, 08:20 AM)
--- End quote ---

This is what I don't get. How the Hell could that happen?

Changing like that is simply insane!

As for SSL, it protects you against casual snooping and tampering, but afaik as soon as there's a man-in-middle (exploited router, carnivore box at your ISP, ...) you're game over anyway.
-f0dder (May 20, 2008, 08:20 AM)
--- End quote ---

There is no MITHM attack with SSL. That's what SSL stops. If it's a MITHM attack for DNS, you're screwed. But for regular HTTPS traffic to a web site, then you're safe. SSL is client to server security. Which doesn't cover DNS...

Are you talking about something else there? I'm curious. I don't know of any "real" SSL attacks. There are some that involve ISPs and trusted intermediaries but those are special cases and not for regular Internet connections.
