NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information

 


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Re: Liability issues in ISP-injected ad systems?


Kelly's point is perhaps the most important in my opinion; diversion of NXDOMAIN seriously wreck the confidence anyone can have in protocols that expect either to get to the right destination or be told it does not exist. this also underscores the desirability of having a way to authenticate the destination you reach, independent of the DNS lookup. "HI, you're supposed to be mumble.foo - please prove it by encrypting this random challenge N in your private key so I can verify you're you with your public key" - and yes, I understand the messy problem with certificates and revocation, etc.

v

On Apr 21, 2008, at 2:44 PM, Kelly Setzer wrote:

Rich Kulawiec wrote:
On Sun, Apr 20, 2008 at 04:07:19PM -0600, Brett Glass wrote:

It is unclear why this would create any more or different vulnerabilities
than one might expect from any other site which contained third party
advertising.



One of the negative consequences of this (although it might arguably be considered an existing vulnerability) is that failure to properly return NXDOMAIN breaks any number of anti-spam measures.


Some VPN software depends on NXDOMAIN as a hint to retry a request over the VPN. Last time I checked, the AEPNetworks SmartPass/ SmartGate product does this.


Another really stunning problem is the consequence of DNS alteration when mixed with administrative mistakes. A few years ago, Microsoft inadvertently allowed their passport.net domain to expire. It was removed from the root servers and access to hotmail.com and other Microsoft properties was substantially broken. I suspect that Microsoft would greatly prefer that passport.net be broken while they worked to renew the domain registration. Having their customers directed to advertisements they have no relation to or control over would not, in my mind, be good for their business. The fact that the domain in question is intimately involved in authentication increases the risk. Six Apart's typekey identity manager would be similarly affected (typekey.com).

Kelly