what is the safest online connection? Cable line or dial-up?

[BC_Programmer]

and no DNS attack will have proper Certificates. It's a completely different IP address being provided by the compromised

This is not clear and can be misleading. DNS, IP and SSL are each a topic for discussion. Can somebody explain this to him?

Sorry my grammar didn't meet your strict standards.

DNS converts a NAME into an IP address. a "DNS attack" would change the IP address being returned when doing a name lookup for an IP address.


HOWEVER: this "fake" site will NOT have the SAME SSL certificate as the real site whose  IP address would have been given via a non-hijacked DNS. Almost all browsers display an alert; any "safe surfer" will NOT give such a web-site personal information.


You cannot talk about a Domain-Name server without talking about IPs, and you cannot talk about SSL without talking about domain name servers.

[Geek-9pm]

You cannot talk about a Domain-Name server without talking about IPs, and you cannot talk about SSL without talking about domain name servers.

Wrong again! One step at a time.
First learn what DNS is, then we can talk about SSL.

Look at the address line on this forum. On mine ist says:

http://www.computerhope.com/forum/index.php?action=post;topic=74139.30;num_replies=30

When I do a trace I get:

Code: [Select]

TraceRoute to 69.72.169.241 [computerhope.com]
I have no way to verify this with SSL with my browser. The connection I had with this server was not SSL. Now he may have verified the information with SSL, but I have to take his word for it. So SSL does not here offer me proof of the validity, trust, safety and accuracy of the information. Nor was I given the choice of a SSL verification. Yet  I believe that the IP address given is that of Computer Hope, because further checking shows that is from the registered name server for computerhope.com and there was no use of SSL o my part to confirm this information.Do you think I should use SSL here just to be sure? Could be a scam! Maybe this is not computerhipe.com and maybe you are not the person who I am talking to because I did not use SSL. Oh My! No SSL! what shall we do! 
Look here:

Retrieving DNS records for computerhope.com...

DNS servers
ns2.mrhope.com [69.72.169.242]
ns1.mrhope.com [69.72.169.241]

Answer records
computerhope.com   1   MX   
preference:   0
exchange:   computerhope.com
   14400s
computerhope.com   1   SOA   
server:   ns1.mrhope.com
email:   [email protected]
serial:   2008110502
refresh:   86400
retry:   7200
expire:   3600000
minimum ttl:   86400
   86400s
computerhope.com   1   NS   ns2.mrhope.com   86400s
computerhope.com   1   NS   ns1.mrhope.com   86400s
computerhope.com   1   A   69.72.169.241   14400s

Authority records

Additional records
computerhope.com   1   A   69.72.169.241   14400s
ns1.mrhope.com   1   A   69.72.169.241   14400s
ns2.mrhope.com   1   A   69.72.169.242   14400s

Still no mention of SSL at this level. And no need for it.  Yes, SSL is important and something we can talk about. Bt not together. Unless talking about them tailgater is the topic.  I was talking about "Major DNS Attack" which is not prevented, in whole or in part, by SSL certificates. Now it may be that someday we might have to do all communication with SSL. It might come to that. At the present time, to suggest that we need SLL for all web surfing is paranoiac carping . To say that all DNS is covered by SSL is just not true.
DNS is not SSL, and SSL is not DNS. Ay least not yet.

[BC_Programmer]

TCP/IP can only connect to an IP address.

a Domain Name Server converts a more human-readable symbol (URL) into the corresponding IP address.

there are two DNS hijack methods. One on the client, which simply changes the HOSTS file so that attempts to connect to the intended target site (say, www.tdcanadatrust.com) don't even get to the point of resolving via DNS since the HOSTS file explicitly states a IP address to connect to instead, which turns out to be the phishing site, which looks exactly the same.


a Server based DNS compromise would involve the actual DNS server machine being infected. It could thus be manipulated to redirect ALL traffic from the actual site to the phishing site. Since the actual site will now experience zero traffic, these compromises usually don't last any more then a few hours before being found and solved.


Now, SSL is of course a method of connecting to these addresses, usually after providing log-on credentials (IE, too late) however, DURING a VALID transaction with the ACTUAL site they are effective at preventing eavesdroppers from seeing the transferred information, such as Account numbers and pin numbers used during on-line bank account transfers.


standard "safe surfing" and ant-virus software prevents the infection of a machine with a client side DNS compromise, and being paranoid over a server-side DNS spoof is ridiculous, because not only is it short lived, but the illegitimate server is often overloaded with connection attempts and usually ends up crashing, which is actually how most of these end up being discovered, not only because the real site is getting no traffic (whereas it would usually get over a million hits and hour) but because those attempting to connect are getting network timeout errors.

[Geek-9pm]

a Server based DNS compromise would involve the actual DNS server machine being infected. It could thus be manipulated to redirect ALL traffic from the actual site to the phishing site. Since the actual site will now experience zero traffic, these compromises usually don't last any more then a few hours before being found and solved.

Yes, Yes, that is right on. That is what the major DNS attack is. Now we are on the same page!

And yes, SSL is vbery important. Doing a fake SSL is very, very hard.

Because the major DNS attacks it has to be so clever and only last a short time, some have felt it is not a serious matter.The cure for the major DNS attack is to use certified software on the DNS serve assigned by your ISP. If you ISP does not what to bother with this annoying detail, because they have other things to do, you can find certified DNS and put the IP in your router and then you don't have that special problem. However, you need permission from the DNS owner to do that, unless he indicates that it is OK for a small business or and individual to do that.  There are firms that make it there business to have reliable and safe DNS and they charge a modest fee to the commercial customers who prefer high quality DNS. These companies may also provide blocking of sites that are know to be hostile. Or block some sites for your company to prevent employees from wasting time on non-business matters.

The Major DNS problem exists only because some ISP people just did not want to pay anything to update their outdated server software. The point I want to make is people are complacent if the think a threat is small. Think of a spacecraft that lost a few ceramic tiles. Just a few tiles. Fix it later.

Now then, getting back to the main point of the thread.
No, you do not have to be paranoidd. You can surf the net safely.  Let your common sense not be based on the unproven claims . Find out that anti-virus and firewalls do not mean you"have nothing to worry about". You still need to worry, if worry will help you be careful about giving out any information that would be harmful to you if it got to the wrong kind of people. I mean organized crime and those firms that are on the very edge of the law.

For example, no anti-virus or spy ware will EEVER tell you the the "Video Pro so-and-so" has a horrible record of bleeding credit card accounts for services customers no longer want. You have to hope that your credit card company will help you if you have trouble with that particular firm. The fact the 90 per cent of his customers are happy is of little comfort to the 10% who got ripped-off with charges every month for bad service. The guy is a leach. That fact that his sucks blood from a small number of clients does not make him less a leach. The same can be said for the TV Infomercials you see Sunday mornings.

And Back accounts. Yes the connection is very, very secure. But, if anything goes wrong, it is always your fault. The bank will not give you a break. The insurance they carry only protects you if the back burns down. I do not recommend on-line banking at all. The problem is that some on-line companies want you to use the back account for direct transfer. Only, and ONLY do that if the firm really is a company that you really do know and trust. Avoid business with anybody who will not let you pay with a credit card or a third part firm that will handle the credit card transaction. Again, that is not AV, or SSL issue.

And by the way here we use use Avast! Works great! But I still worry.

Do not ever give your password to a request from anybody. Even if the President of the USA sends you an e-mail requesting your password in the interest of national security you should ignore it. Just say you never got the e-mail because your e-mail program now has a new BS filter.

My rant started because somebody expressed the idea security was about e the best AV and knowing how to spot malware. Security is about protection of your privacy, your reputation, your livelihood, your children and the things you believe in.

[BC_Programmer]

For example, no anti-virus or spy ware will EEVER tell you the the "Video Pro so-and-so" has a horrible record of bleeding credit card accounts for services customers no longer want. You have to hope that your credit card company will help you if you have trouble with that particular firm. The fact the 90 per cent of his customers are happy is of little comfort to the 10% who got ripped-off with charges every month for bad service. The guy is a leach. That fact that his sucks blood from a small number of clients does not make him less a leach. The same can be said for the TV Infomercials you see Sunday mornings.

And Back accounts. Yes the connection is very, very secure. But, if anything goes wrong, it is always your fault. The bank will not give you a break. The insurance they carry only protects you if the back burns down. I do not recommend on-line banking at all. The problem is that some on-line companies want you to use the back account for direct transfer. Only, and ONLY do that if the firm really is a company that you really do know and trust. Avoid business with anybody who will not let you pay with a credit card or a third part firm that will handle the credit card transaction. Again, that is not AV, or SSL issue.

And by the way here we use use Avast! Works great! But I still worry.

Do not ever give your password to a request from anybody. Even if the President of the USA sends you an e-mail requesting your password in the interest of national security you should ignore it. Just say you never got the e-mail because your e-mail program now has a new BS filter.

All of this falls under the "safe surfing" category.



I don't have Anti-virus. I run a malware scan MAYBE once a week, and I do online banking all the time. I don't worry. Why? because if I ever get a trojan, It's gone within a hour. This eliminates a client-side compromise via keylogger/cookie fetcher.

As far as a server side compromise. I waive it as a non-issue. It's a giant waste of my time to even think about it, since it isn't even really feasible to scrape anything more then a few passwords that will subsequently be changed when the compromised site(s) alert their users (and/or clear the password salts).

And if it ever was a issue, set up a configuration using multiple Domain Name Server addresses, for example, three different ones (such as two ISP and one OpenDNS), and provide an alert of they resolve to different IP addresses for the same name.


As a final note, it would be most unproductive to compromise an ISP's DNS, since they usually serve a local area. (and usually just delegate the task of determining the IP address of a site to a "higher-level" Domain Name Server). The ones best targeted are the highest-level Root-Name Servers, which would be even more unfeasible by hackers since they are closely monitored and connected via strict security.

 even if they are successful in redirecting most, if not all, of the traffic from the legitimate site to the phishing one, There's no way for an attacker to spoof the SSL identity of the authentic server without stealing that server's secret key which corresponds to the public key contained within the server's PKI certificate as issued by a Certificate Authority (CA) such as Verisign. It is generally believed that secret keys are hard to steal, and that keeping secret keys secret is easy, so nobody should be especially worried about a DNS hijacker and "bad data" in DNS as long as they always use SSL or similar encryption and authentication software and protocols to protect sensitive communications on the Internet.


Not to mishmash topics, but when you think about it, large scale DNS poisoning may be RIAA's next step against net neutrality...

[Vonique]

Wow, this is so technical, I can barely understand what either of you are saying (but it is still interesting to read). How about having a small checking account online, and putting the majority of my savings in a separate account that does not have an internet account? That way if I get hacked, I will only lose that small amount and I also get the benefit of not having to balance my checkbook every month since it will still be done online?

Thanks, Von

[Geek-9pm]

How about having a small checking account online, and putting the majority of my savings in a separate account that does not have an internet account? That way if I get hacked, I will only lose that small amount and I also get the benefit of not having to balance my checkbook every month since it will still be done online?

Excellent!
You must talk to your banker about this! Make sure that when the small account gets overdrawn, you do not have to pay more fees or fines.

Or open multiple accounts with different banks. One simple plan would be:
1. A large Savings account that draws interest. No one line connection. Deposits by mail or walk in. Transfers over the telephone using you PIN.
2. A checking account on-line banking. Modest balance.Overdraft protection.
3. Small account used only for on-line purchases. Make sure that any overdraft will not incur high fees. Some banks will charge you $25 a day for just one overdraft. Not all the worst crooks are in cyberspace!

As to the original question. It is not high technology that creates security. It undermines it, because it is new, unproven and few understand it.

[michaewlewis]

Let me stress again..... there really isn't much to worry about as long as your bank is using SSL for everything. Your information probably will not be intercepted enroute.
After it gets to your computer, it's a different story. Make sure you keep your sensitive data in an encrypted folder (Google: TrueCrypt) and use strong passwords for everything. And use common sense when surfing the web, which it sounds like you are already doing.

The people you mentioned that fell for the phishing scams, etc. were more than likely just very gullible and their low personal security was taken advantage of. Social engineering is the more prevalent hacking technique because it doesn't require much technical skill, and it isn't limited to computers. To be safe, don't trust anyone you meet on the internet and don't believe every email you get.

[Geek-9pm]

Social engineering is the more prevalent hacking technique because it doesn't require much technical skill, and it isn't limited to computers. To be safe, don't trust anyone you meet on the internet and don't believe every email you get.

Exactly Right! 

We had to change our phone number because of some creep one one of our children meet in a chat room!