The Daily Bash
Ben Scott
dragonhawk at gmail.com
Sat Jan 21 16:05:01 EST 2006
On 1/20/06, Bill McGonigle <bill at bfccomputing.com> wrote:
> http://rebar.one.microsoft.com/
>
> * funny if you don't have any rules to trust .microsoft.com. for
> software updates or anything like that.

In the spirit of anti-FUD[1], I feel compelled to point out that
Microsoft's various "Update" systems all use public-key crypto and an
internal, Microsoft-originated CA root, so that's not too likely.

Also, that Microsoft is a *huge* organization, with hundreds if not
thousands of subdomains. Just because you or I don't have a massive
DNS infrastructure, don't assume Microsoft does not. The idea that
one CNAME got overlooked is hardly surprising.

On the other hand, if you use Windows[2], *and* Internet
Explorer[3], *and* have it set to blindly install unsigned ActiveX
software from *.microsoft.com [4], you are opening yourself up to an
attack[5].

Blindly trusting the information ordinary DNS gives is never a good
idea[6]. That's why we have crypto, after all.[8]

Footnotes
---------
[1] I generally detest FUD, regardless of source or target.
[2] Not the best of ideas, but sadly often necessary
[3] Also not the best of ideas, but sadly also sometimes necessary
[4] Moronic that Microsoft even has a feature to automatically install
software without any idea of where it came from; if you enable it, you
deserve what you get.
[5] However remote -- or not -- the possibility may be.
[6] I say "ordinary DNS" because there are extensions for crypto[7].
[7] They have failed to gain widespread usage, though.
[8] I like footnotes.
More information about the gnhlug-discuss
mailing list