neil.greenwood.lug at gmail.com
Thu Nov 23 08:02:41 GMT 2006
On 19/11/06, Tony Arnold <tony.arnold at manchester.ac.uk> wrote:
> Robert K. Day wrote:
> > On Saturday 18 November 2006 23:46, Tony Arnold wrote:
> > [snip]
> >> As it is, there is no guarantee the site is owned by
> >> who you think it is
> > [snip]
> > Well, there is; it's a .gov.uk address, which isn't publicly registerable
> > and is only used for government websites.
> That is not sufficient to make it secure! There are plenty of viruses,
> for example, which plant fake entries in a PC's hosts file (usually on
> Windows, I might add). This could be used to redirect to a fake version
> of the site. The site itself could be hacked and then redirect requests
> to a fake version of the site. And I won't even mention IP address
> spoofing, although that may be a bit harder.
> Maybe I'm paranoid, but I'm paid to be that way!
Also, how do you get the IP address for the .gov.uk hostname? If
someone has attacked your ISP's DNS entries, you never know where
you're actually going.
I know it's not terribly likely, but it has happened, and DNS was
never designed with that sort of security in mind (cf. email and
telnet being sent in plain text).
Just because you're paranoid, doesn't mean they're not out to get you! :-)
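
The hosts-file redirection mentioned in the quoted reply can be checked for locally. The following is an added example, not part of the original thread: a small auditor that parses hosts-file text and reports entries pinning a fully qualified name to a non-loopback address. The function name, the allowlist and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Names that normally appear in a hosts file (assumed allowlist).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

# Constructed sample input; addresses are from documentation ranges.
SAMPLE = """\
127.0.0.1    localhost
127.0.1.1    desktop.home.lan desktop
::1          ip6-localhost ip6-loopback
ff02::1      ip6-allnodes
0.0.0.0      ads.example.net       # sinkhole entry
203.0.113.7  www.example.gov.uk    # constructed suspicious entry
198.51.100.9 bank.example.com
"""

def audit_hosts(text, watched_suffixes=(".gov.uk",)):
    """Return (line_no, ip, name, reason) for entries that override a public-looking name."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        fields = line.split()
        if len(fields) < 2:                        # blank or malformed line
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])  # strip IPv6 zone id
        except ValueError:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "unparseable address"))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or "." not in name:
                continue                           # loopback aliases and single-label names
            if name.endswith(tuple(watched_suffixes)):
                reason = "watched domain pinned locally"
            elif ip.is_loopback or ip.is_unspecified:
                continue                           # sinkhole entries do not redirect anywhere
            else:
                reason = "public name overridden"
            findings.append((line_no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

This inspects only the local hosts file; tampering with the ISP's DNS entries, as raised in the reply, is not visible to it.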