Mark Gritter (markgritter) wrote,

Seriously?

What sort of lame decision-making process at Sun arrived at a conclusion that the best way to "protect" against DNS spoofing was to keep successful lookups cached for the duration of the process?

http://www.rgagnon.com/javadetails/java-0445.html

The java.security file says "Setting [networkaddress.cache.ttl] to anything other than the default value can have serious security implications. Do not set it unless you are sure you are not exposed to DNS spoofing attack." Because if your process *is* subject to a DNS spoofing attack, the best thing to do is to keep the injected answer around for the lifetime of the process. Right.
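For reference, this is how the setting in question is changed programmatically rather than by editing java.security. The snippet is an added example, not code from the post or from the linked page; the two property names are the real ones documented in java.security, while the TTL values chosen (60 s positive, 10 s negative) are assumptions for illustration.

```java
import java.security.Security;

/**
 * Added example: bound the positive and negative DNS cache TTLs that
 * java.net.InetAddress uses, instead of relying on the cache-for-the-life-of-
 * the-process behaviour the post complains about.
 *
 * Caveat: InetAddress reads the cache policy once, the first time it resolves
 * a name, and then never re-reads it. A call to boundTtl() made after that
 * point is silently ignored, so call it as early in startup as possible.
 */
public class DnsCacheTtl {

    // Security properties read by the JDK (both documented in java.security).
    static final String POSITIVE_TTL = "networkaddress.cache.ttl";
    static final String NEGATIVE_TTL = "networkaddress.cache.negative.ttl";

    /** Current value of a security property, or null when unset (JDK default applies). */
    static String current(String name) {
        return Security.getProperty(name);
    }

    /**
     * Set both TTLs in seconds. Semantics per java.security:
     *   -1 = cache forever, 0 = never cache, N > 0 = cache for N seconds.
     * With a security manager installed this needs SecurityPermission
     * "setProperty.networkaddress.cache.ttl" (and the negative one).
     */
    static void boundTtl(int positiveSeconds, int negativeSeconds) {
        if (positiveSeconds < -1 || negativeSeconds < -1) {
            throw new IllegalArgumentException(
                "TTL must be -1 (forever), 0 (no caching) or a positive number of seconds");
        }
        Security.setProperty(POSITIVE_TTL, Integer.toString(positiveSeconds));
        Security.setProperty(NEGATIVE_TTL, Integer.toString(negativeSeconds));
    }

    public static void main(String[] args) {
        System.out.println("before: " + POSITIVE_TTL + "=" + current(POSITIVE_TTL)
            + ", " + NEGATIVE_TTL + "=" + current(NEGATIVE_TTL));

        // Assumed policy for this example: re-resolve successful answers every
        // minute, retry failed lookups after ten seconds.
        boundTtl(60, 10);

        System.out.println("after:  " + POSITIVE_TTL + "=" + current(POSITIVE_TTL)
            + ", " + NEGATIVE_TTL + "=" + current(NEGATIVE_TTL));
        // Any InetAddress.getByName(...) performed from here on honours the
        // bounded TTLs (the lookup itself is omitted: it needs a live resolver).
    }
}
```

The equivalent file-based change is the `networkaddress.cache.ttl=60` line in the JRE's java.security; the JDK also falls back to the older system property `sun.net.inetaddr.ttl` when the security property is unset. Whichever route is used, a bounded TTL means a poisoned answer expires on its own instead of surviving until the process restarts.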

I'm trying to reconstruct the thinking here. Maybe somebody reasoned that if you send N requests the attacker succeeds with probability 1-(1-p)^N, while if you send just one request the attacker succeeds with probability p. But if the attacker's value derives from how many connection attempts are made to his spoofed address, then the EV is identical either way.
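The two policies compared above can be worked through numerically. The following is an added example, not code from the post; it takes the post's model (p = probability that one lookup is spoofed, N = number of connection attempts, both constructed values here) and, going one step further than the post, also reports the variance of the number of connections that reach the attacker, which is where the two policies actually differ.

```java
import java.util.Random;

/**
 * Added example: compare "cache the first answer for the whole process"
 * against "look up fresh for every connection" under a spoofing model where
 * each lookup is independently poisoned with probability p.
 *
 * Outcome of interest: H = number of the N connections that go to the
 * attacker's address.
 *   cache forever : H = N with probability p, else 0
 *   per lookup    : H ~ Binomial(N, p)
 * Both have E[H] = N*p, which is the post's point; their variances differ by
 * a factor of N, which is the part the post's argument does not show.
 */
public class SpoofCachePolicy {

    /** Probability that at least one connection reaches the attacker. */
    static double pAnyHit(double p, int n, boolean cacheForever) {
        return cacheForever ? p : 1.0 - Math.pow(1.0 - p, n);
    }

    /** Closed-form expected value of H, derived from the distributions above. */
    static double expectedHits(double p, int n, boolean cacheForever) {
        // cache forever: p * n + (1-p) * 0 ; per lookup: mean of Binomial(n,p)
        return cacheForever ? p * n : n * p;
    }

    /** Closed-form variance of H. */
    static double varianceHits(double p, int n, boolean cacheForever) {
        // cache forever: Bernoulli(p) scaled by n ; per lookup: Binomial(n,p)
        return cacheForever ? (double) n * n * p * (1 - p) : n * p * (1 - p);
    }

    /** Monte Carlo check of the closed forms; returns {mean, variance} of H. */
    static double[] simulate(double p, int n, boolean cacheForever, int trials, long seed) {
        Random rnd = new Random(seed);
        double sum = 0, sumSq = 0;
        for (int t = 0; t < trials; t++) {
            int hits = 0;
            if (cacheForever) {
                // one lookup whose answer is reused for every connection
                hits = rnd.nextDouble() < p ? n : 0;
            } else {
                // a fresh, independently spoofable lookup per connection
                for (int i = 0; i < n; i++) {
                    if (rnd.nextDouble() < p) hits++;
                }
            }
            sum += hits;
            sumSq += (double) hits * hits;
        }
        double mean = sum / trials;
        return new double[] { mean, sumSq / trials - mean * mean };
    }

    public static void main(String[] args) {
        double p = 0.01;   // constructed: 1% of lookups get a spoofed answer
        int n = 100;       // constructed: the process makes 100 connections
        for (boolean cacheForever : new boolean[] { true, false }) {
            double[] sim = simulate(p, n, cacheForever, 200_000, 42L);
            System.out.printf("%-14s P(any hit)=%.3f  E[H]=%.2f (sim %.2f)  Var[H]=%.2f (sim %.2f)%n",
                cacheForever ? "cache forever" : "per lookup",
                pAnyHit(p, n, cacheForever),
                expectedHits(p, n, cacheForever), sim[0],
                varianceHits(p, n, cacheForever), sim[1]);
        }
    }
}
```

With p = 0.01 and N = 100, both policies give E[H] = 1, exactly as the post argues, but the cache-forever variance is 99 versus 0.99 for per-lookup resolution: the cached policy trades many small exposures for a 1% chance of sending every connection to the attacker. Which is worse depends on whether the attacker needs only one connection or profits per connection, which is the question the java.security warning does not address.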
Tags: dns, programming, security