 Cronk
join:2005-07-16 Denver, CO
Avoid DNS poisoning?
Since my wife continues to do online banking, and in light of the current DNS bugs, I am wondering if it would be a good idea to create a shortcut that links to her banking site using its IP address, instead of its name. Would this be an extra layer of protection?
Thanks
 mysec Premium join:2005-11-29
Yes - this bypasses name resolution.
The concept of DNS Cache Poisoning, aka Pharming, is nothing new:
DNS Poisoning Scam Raises Wariness of 'Pharming' »news.netcraft.com/archives/2005/···ing.html
For sites where users transact business, I've always advocated using the IP address, and also setting up Custom Addresses in the Firewall rules for Port 443.
sivran God Save The Suite Premium join:2003-09-15 Arlington, TX
reply to Cronk
You could also resolve the name with a known-safe DNS such as OpenDNS (208.67.222.222) or Level3 (4.2.2.1) (be sure to check it first) and then stick it in your hosts file. Some sites may not like being accessed directly by IP. -- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...
NetFixer Snarl for the camera please Premium join:2004-06-24 Murfreesboro, TN
said by sivran: You could also resolve the name with a known-safe DNS such as OpenDNS (208.67.222.222) or Level3 (4.2.2.1) (be sure to check it first) and then stick it in your hosts file. Some sites may not like being accessed directly by IP.
Especially an HTTPS site such as an on-line banking site, since it would be unlikely (although not impossible) that the SSL certificate would match the IP address as well as the FQDN. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall.
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
reply to Cronk
said by Cronk: Since my wife continues to do online banking, and in light of the current DNS bugs, I am wondering if it would be a good idea to create a shortcut that links to her banking site using its IP address, instead of its name.
I don't recommend that, because it defeats virtual web hosting and that can sometimes cause problems.
If you really want to use the IP address, then add a hosts file entry for that bank that links hostname to IP. Then continue to use hostname.
The cache poisoning problem should not be a big risk for banking, if you make sure that you are using an SSL encrypted page, and you take note of browser certificate warnings. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0
 seaman Premium join:2000-12-08 Seattle, WA
reply to sivran
said by sivran: You could also resolve the name with a known-safe DNS such as OpenDNS (208.67.222.222) or Level3 (4.2.2.1) (be sure to check it first) and then stick it in your hosts file. Some sites may not like being accessed directly by IP.
I have been wondering what the end user can do to limit his/her exposure to this exploit. After reading these suggestions I was wondering if someone might be willing to start a new thread explaining how to implement these (and other) good suggestions for the many interested but non-expert users that peruse this forum.
Mainly providing guidance and clarification on issues such as:
1. How do you determine the IP address of your favorite secure (banking) sites?
2. Where to enter alternative DNS entries? (Router or PC)
3. How and why would it help to edit the Hosts file?
 mysec Premium join:2005-11-29
edit: July 25th, @02:14PM
reply to nwrickert
said by nwrickert: said by Cronk: ...would be a good idea to create a shortcut that links to her banking site using its IP address, instead of its name. I don't recommend that, because it defeats virtual web hosting and that can sometimes cause problems.
Can you elaborate? Does this pertain to a home user?
  HA Nut Premium join:2004-05-13 USA edit: July 25th, @02:28PM
If I understand correctly, as nwrickert noted, one IP address can host several/many www sites. In cases like that, the IP address only browsing setup would not work...
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
edit: July 25th, @02:39PM
Correct.
An additional problem is that IP browsing may give you a certificate error. The browser compares the website name in the url you used with the name on the certificate. If one is an IP address, and the other is a hostname, these won't match.
kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
reply to HA Nut
Putting the host name and IP into the hosts file will work though, both for certificate and virtual hosts scenarios.
planet
join:2001-11-05 Olmsted Falls, OH
quote: Putting the host name and IP into the hosts file will work though, both for certificate and virtual hosts scenarios.
Can someone explain how this is entered. I've always used a hosts file to block my pc from a site (i.e.): 127.0.0.1 dslreports.com
PetePuma How many lumps do you want Premium,MVM join:2002-06-13 Arlington, VA
Instead of putting 127.0.0.1, you put the legitimate IP address of a site into the hosts file.
Just be sure it is the legitimate IP.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to Cronk
The downside of using an IP (via the hosts file) is that IP addresses change.
So you may not be able to get to a site if you add it to the hosts file and the IP changes. If a large number of users began to use the hosts file, the first step in troubleshooting the inability to get to a web site will need to be a check on the IP used by the surfer against an IP from a DNS server. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
 Cronk
join:2005-07-16 Denver, CO
reply to Cronk
After reading the responses here, I'm still uncertain what I might do on my wife's computer for an extra level of security, not just for the present threat, but for other future DNS threats that may come along.
From what I've read above, accessing a bank site by IP address may not work because the SSL certificate may not match the IP address, and because one IP address can host multiple websites. Would that then mean that an entry in the hosts file would not work either, since the hosts file is just another way to lock in to a certain IP address for the bank site?
Thanks
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
With a hosts file entry, the browser uses the hostname, and that is translated to IP address using the hosts file. This is very similar to having the hostname translated to IP using DNS.
The only problem with using a hosts file entry, is that sometimes IP addresses are changed for legitimate reasons. And then the data in your hosts file will be wrong.
Honestly, for banking, simplest is to continue to rely on DNS, but be alert on whether you are connected to a secure web page (padlock showing in browser, or other similar indicator), and to pay attention to any certificate warnings from the browser. If something looks wrong, don't proceed with the banking transaction. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0
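The "IP addresses change" problem TheWiseGuy and nwrickert raise can be checked mechanically: compare every pinned hosts-file entry against what DNS currently returns. The script below is an added example, not code from this thread; the hosts-file content, names and addresses are constructed placeholders, and the default resolver is Python's standard socket.getaddrinfo.

```python
import socket
from typing import Callable, List, Tuple

# Constructed hosts-file content for the demo (placeholder names and addresses).
SAMPLE_HOSTS = """\
# pinned entries, added after checking each address against a trusted resolver
127.0.0.1   localhost
1.2.3.4     www.mybank.com bank
5.6.7.8     www.otherbank.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()          # one IP, then one or more names
        pairs.extend((ip, name) for name in names)
    return pairs


def dns_lookup(hostname: str) -> List[str]:
    """Default resolver: IPv4 addresses the system resolver currently returns."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def stale_entries(hosts_text: str,
                  resolver: Callable[[str], List[str]] = dns_lookup
                  ) -> List[Tuple[str, str, List[str]]]:
    """Hosts entries whose pinned IP is no longer among the addresses DNS returns.

    Each result is (hostname, pinned_ip, current_dns_ips); an empty list of
    current IPs means the name did not resolve at all (NXDOMAIN, timeout, offline).
    """
    stale = []
    for ip, name in parse_hosts(hosts_text):
        if name == "localhost":
            continue
        try:
            current = resolver(name)
        except OSError:
            current = []
        if ip not in current:
            stale.append((name, ip, current))
    return stale


if __name__ == "__main__":
    for name, pinned, current in stale_entries(SAMPLE_HOSTS):
        print(f"{name}: hosts file says {pinned}, DNS now says {current or 'nothing'}")
```

A mismatch is not proof of a problem either way: the site may have moved legitimately, or the resolver you asked may be the poisoned one, which is why the answer should be confirmed against more than one resolver before the hosts file is edited.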
 Cronk
join:2005-07-16 Denver, CO
edit: July 26th, @11:39AM
reply to Cronk
Maybe I am dense and missing something here, but if I use a hosts file entry and select an IP address for a site name, isn't the end result the same as if I created a shortcut with that IP address? BTW I do understand what you are saying about the IP address may change for the site, just trying to understand all this.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
edit: July 26th, @11:58AM
The end result is slightly different than using an IP number in the browser (as nwrickert has pointed out). You still use names to tell the Browser where to surf, and the Browser still does a DNS lookup, BUT it checks the HOSTS file first (as part of the lookup) to see if the name to IP translation is in the Hosts file. This allows you to set a static IP for a NAME but still allows the Browser to check for certificates and tell the server the site it is trying to access. -- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
reply to Cronk
Let's use an example. Suppose you add to your hosts file:
    1.2.3.4 www.mybank.com
If you create a shortcut or a bookmark using the IP address "1.2.3.4", then:
- Your browser connects to 1.2.3.4
- Your browser tells the server "I am fetching web pages for 1.2.3.4"
- Your browser checks that any security certificate has 1.2.3.4 as the server name
If, instead, you use the hostname "www.mybank.com" in your shortcut or bookmark:
- Your browser looks up that name, and then connects to 1.2.3.4
- Your browser tells the server "I am fetching web pages for www.mybank.com"
- Your browser checks any security certificate to see that it has www.mybank.com as the server name.
Where your browser connects is the same. How your browser behaves on that connection is different.
I hope that helps.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0
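nwrickert's two cases can be traced in code: where the browser connects, which name it presents to the server (the HTTP Host header, and today also the TLS SNI extension), and whether the certificate name check passes. This is an added example, not code from the thread; the hosts mapping, the 1.2.3.4 address and the certificate's subjectAltName list are constructed, and the name check is a simplified version of the browser's rules (exact DNS name, left-most wildcard, or an IP Address entry).

```python
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed hosts-file mapping, matching the example above (1.2.3.4 is a placeholder).
HOSTS: Dict[str, str] = {"www.mybank.com": "1.2.3.4"}

# Constructed subjectAltName entries of the kind a bank's certificate carries.
BANK_CERT_SANS: List[str] = ["DNS:www.mybank.com", "DNS:mybank.com"]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cert_name_matches(name: str, sans: List[str]) -> bool:
    """Simplified browser name check against a certificate's subjectAltName list.

    A hostname matches an exact DNS entry or a left-most wildcard (*.example);
    an IP literal in the URL matches only an 'IP Address:' entry, never a DNS one.
    """
    name = name.lower()
    for san in sans:
        kind, _, value = san.partition(":")
        kind, value = kind.lower(), value.lower()
        if kind == "ip address":
            if is_ip_literal(name) and ipaddress.ip_address(value) == ipaddress.ip_address(name):
                return True
        elif kind == "dns" and not is_ip_literal(name):
            if value == name:
                return True
            if value.startswith("*.") and "." in name and name.split(".", 1)[1] == value[2:]:
                return True
    return False


def browser_outcome(url: str, hosts: Dict[str, str], sans: List[str]) -> dict:
    """Trace the three steps nwrickert describes for a given URL."""
    host = urlsplit(url).hostname
    if is_ip_literal(host):
        connect_to = host                      # shortcut by IP: no lookup at all
    else:
        connect_to = hosts.get(host, "<DNS>")  # hosts file first, then DNS
    return {
        "connect_to": connect_to,
        "name_sent_to_server": host,           # Host header (and SNI) carry the URL host
        "cert_ok": cert_name_matches(host, sans),
    }
```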
 Cronk
join:2005-07-16 Denver, CO
reply to nwrickert
OK thanks for the explanation, got it now.
said by nwrickert: simplest is to continue to rely on DNS, but be alert on whether you are connected to a secure web page
Are the bad guys not able to create a phony page that is also secure?
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
The certificate contains the true name of your web site, and is digitally signed by a certification authority.
The bad guys can easily create a phony page that is secure. But they cannot have the name of the bank site on the certificate unless they were able to trick the certification authority to sign their certificate.
For sure, certification authorities sometimes make mistakes. But those are rare. It would be very difficult for the bad guys to succeed at this. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0