Where Public Key Cryptology is used properly the attacker cannot impersonate a legimate sender -- or modify the legitimate sender's traffic -- without discovery.
"User properly" is a tall order though, and x.509 as implemented today skips over the most important part of this requirement, that being that each of us needs to authenticate the keys we choose to trust.
authentication problems are a huge part of the trouble we have in electronic security today and sadly too many good people havn't had a chance to understand the capability that PGP, GnuPG, or Public Key Encryption can provide.
There is a support wire/mail list for Thunderbird/Enigmail available for anyone interested . I was delighted to find GnuPG included by default with my Ubuntu system. For Thunderbird, to get started you just click on Tools ~ get add-ons ~ get and install Enigmail. then generate your keypair. my public key is on the server.
Last edited by mike acker; November 24th, 2012 at 06:28 PM.
DNS Poisoning was quite the issue a few years back but the issue faded out when the DNS Server Operators added an authentication requirement for updates... imagine that"Security is a function of the resources your adversary is willing to commit," said Julian Sanchez, an attorney with the Cato Institute in Washington, D.C.
IMHO (as usual ) the computer industry -- from the advent of the microprocessor ( c.1980) until around 2004 took a pretty slip-shod approach to security
hacking started as a prank with stuff like the "Pakistani Brain", "Your Computer is Stoned, Man, get some good weed " , to "Falling Letters" &c
but it has graduated to Zeus and the new & Improved Black Hole Exploit Kit and other kits that produce as much as 1 new virus sample per second, 24/7.
the industry has been slow to respond but I think they are "getting it": letting a computer run any program that is thrown at it is a recipie for trouble.
as a result we are seeing the development of approved libraries. even Google/Android seems to have headed in this direction in the last month or so
with virus cropping up at 1 a second or better searching for known virus is not a solution. we have to move to the approved library model. this is discussed in the anti-virus sticky notes we have on our forum.
Fundamentally we have 3 main type of software:
- your Operating System
- your installed applications
- transient software: java script, flash objects, .net, Visualbasic, php, xss, sql injections, iFrames etc. These are "scripting" components of web pages, word documents, excel sheets and such
The first 2 types can easily be controlled by simply authenticating updates.
The 3d class is more difficult. the first thing to do is to 'sandbox' the program you use for interpreting the web pages and other documents that are sent to you
i have AppArmor applied to my Firefox browser for this reason now. Hopefully we will see more discussion of this fine product.
The key we are looking for is to insure that some sort of transient script is not able to surreptitiously add a 'plug in' to your interpreter (Firefox, Word, etc ) .
Hello, so the gist of your post is that just setting trusted DNS servers on my computer is not good enough and I should use some kind of encryption such as the one provided by DNSCrypt. Is that right? If yes, do I have some option other than DNSCrypt? Hopefully something that is straight forward to set up and for which packages are available in the ubuntu repositories?
Can someone please help me here?
There wouldn't be anything in the repositories, but there are packages created by OpenDNS developers apparently. Check out this post for links and instructions. As far as I know, DNSCrypt is the only thing like it that is available and easy to use.
Do keep in mind that the only problem this really solves is that of your ISP returning a landing page of their choosing instead of an error page that the standards actually dictate (and apparently OpenDNS also redirects to landing pages if you just use their servers without setting up an account and make a request for a domain that doesn't exist). The article linked in the original post was about that, and not about attackers. If there are indeed problems with DNSCrypt working in Ubuntu then it's likely not worth it.
If you're worried about an attacker and not your ISP, I wouldn't. Since you have locally specified DNS servers by IP address on your computer itself, an attacker would have to have compromised either your ISP, the ISP used by OpenDNS for their servers, the backbone provider between the two, or the actual DNS server that you're connecting to. All of those things are very unlikely, but they are also completely out of your control. If those systems were under the control of an attacker, you wouldn't be able to do anything about it and you also probably wouldn't have any way to know it was even happening.
I don't really want to add to the paranoia, but I'm not sure how much you could trust DNScrypt when it's needed anyway.
The default behaviour of DNScrypt in Windows is to fail over to unencrypted if encrypted traffic is rejected. In windows the GUI allows you to change this default easily.
I don't know what the default behaviour is in Linux. If it's the same as Windows (which seems logical since it's the same basic application) then presumably all the bad man in the middle trying to spoof your ISP or DNS has to do is reject encrypted traffic and DNScrypt will helpfully provide the information unencrypted?
I guess there will be a DNScrypt config file that allows me to interrogate/edit the Linux defaults, but I haven't spotted it.