So my concern is only about sites that I visit?
If so, is my little local network safe?
T.I.A.
Fern
Originally posted by: Modelworks
For the concerned , here is the big deal.
Someone could go to a site like paypal. Save the site, using just cut and paste and screenshots. Then they create a new site using those materials. Re-direct your dns server to their new site and prompt for your login information. You then enter your information, just like you normally would, and you will not know you were just screwed until it is too late.
For now I would double click the padlock that appears with banking, credit, shopping, etc sites and make sure its a valid certificate. At least until everyone is sure all is okay. I would do that even if the test says the servers are okay, because there is a lot of conjecture going on right now about how to get around the latest patches.
Better safe than sorry and it only takes two secs.
This does not protect you on sites that do not use SSL for logins.
Sites like forums, online mail, etc or anything else that ask for info would still be vulnerable. But at least those will not cost you your money.
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.
All browsers default behavior is to alert you if the certificate is no good but if you've changed that you should check every certificate.
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.
All browsers default behavior is to alert you if the certificate is no good but if you've changed that you should check every certificate.
The fact people are not aware of this, really concerns me. This could be much worse than I feared.
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.
All browsers default behavior is to alert you if the certificate is no good but if you've changed that you should check every certificate.
The fact people are not aware of this, really concerns me. This could be much worse than I feared.
Originally posted by: StarsFan4Life
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.
All browsers default behavior is to alert you if the certificate is no good but if you've changed that you should check every certificate.
The fact people are not aware of this, really concerns me. This could be much worse than I feared.
Try telling the everyday Joe how to do this. Hell, I don't even use them.
I think this DNS exploit is going to be big....
FREAKIN idiots for releasing the info too!
Originally posted by: Modelworks
Originally posted by: StarsFan4Life
Originally posted by: Modelworks
Originally posted by: spidey07
It's in the bottom right of your web browser, you can double click it to examine the certificate.
All browsers default behavior is to alert you if the certificate is no good but if you've changed that you should check every certificate.
The fact people are not aware of this, really concerns me. This could be much worse than I feared.
Try telling the everyday Joe how to do this. Hell, I don't even use them.
I think this DNS exploit is going to be big....
FREAKIN idiots for releasing the info too!
Okay , going to try to break it down a bit simpler.
Most banking sites, or sites that ask for info use encryption between your pc and their servers called SSL. That prevents someone from getting your password off a router between you and them.
The sites that use SSL have to get a certificate from one of the agencies in charge of licensing. The most popular one is verisign.
http://www.verisign.com/
They provide a certificate that your browser checks when you go to a site that uses SSL to make sure the site is who they say they are. The certificates are not impossible to fake, but it isn't likely. When you are on the login page, look for a yellow padlock on the browser in the bottom right corner. Double click is and it should read what site you are on and who issued the certificate. If it does not match the site, then I would not enter any information.
Some sites like, Windows live do not use SSL unless you click the advanced security option on the site. Other sites do not use SSL at all. If it is a banking site and it is not using SSL I would not bank online with them.
Originally posted by: spidey07
Modelworks - read my post up above. A LOT of banking/credit card/shopping sites the main page is not SSL and there is an area to enter your username/pass. Of course the username/pass is sent with SSL on the real site and the next page is SSL as well.
So all I gotta do is slap up a page identical to the banks, your browser will show http://www.usbank.com but your connected to my web server, not the banks. Then you enter your username/pass, now I has it.
There is no way to tell if the site is legit or not this way
Originally posted by: torpid
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???
Originally posted by: Modelworks
Originally posted by: torpid
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???
I got to go with Dan for now, since he is the one who came up with it.
Originally posted by: torpid
Originally posted by: Modelworks
Originally posted by: torpid
OK, I checked my iPhone with the OARC site and it is safe, but the one on Dan Kaminsky's site says it is not. What the???
I got to go with Dan for now, since he is the one who came up with it.
The confusing part is that dan's site claims it uses the same port, but the other site claims it is using a random port with good dispersal.
Originally posted by: aphex
I know this has probably been discussed at length somewhere before, and I've been curious about this in the past.
How do we know Open DNS is safe either? (Not necessarily just from this exploit, but in general as well)
Originally posted by: newb111
Originally posted by: OdiN
Oh damn!
So they could make something like paypal.com resolve to their own site which looks exactly like paypal.....and there goes your bank account.
Or skip the step and make bankofamerica.com go to their site
Originally posted by: spidey07
non-computer savvy people should not use any sites where they provide any information they don't want to fall into the wrong hands. Anything having to do with money, identity, shopping, etc. I told my girl, just don't do these things until it's settled.
Originally posted by: AccruedExpenditure
If you guys really think the big corps/targets like eBay/Paypal/Amazon haven't patched this up already you're mistaken
-AE
Originally posted by: AccruedExpenditure
If you guys really think the big corps/targets like eBay/Paypal/Amazon haven't patched this up already you're mistaken
-AE