Remember the earlier discussion of the DNS bug? If the internet is the post office, the DNS is the collection of all of the addresses on all of the envelopes traveling around the system. It is secure, inherently. But caching is used as part of the system to make it more efficient, and the caches are NOT secure. So, this would be like an evil genius making the local postal deliver person always see the Evil Genius Address whenever s/he is about to deliver a check, and NEVER seeing it when s/he is about to deliver a bill. So the checks all go to the evil genius and the bills never do. Or something along those lines.
Dan Kaminsky, the guy who figured this out, now claims that things are worse than thought.
Others are saying it is hype.
So now we have this:
Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."
He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.
Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw.
"It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.
VS comments by Dan Kaminsky, who
... said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.
"Every network is at risk," he said. "That's what this flaw has shown."
The DNS acts as the internet's address books and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (22.214.171.124).
Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website.
In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.
Via the flaw hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.
"There are a ton of different paths that lead to doom," he said.
If people can be redirected by a hacked DNS server, I presume this could be bypassed by simply typing in the IP address for your commonly visited sites or web merchants? It would only work if they have static IPs, but most internet businesses won't be using dynamic IP addresses will they?
Also, many users browse via proxy servers, with the https links to ecommerce sites in proxy exceptions list. These should be IP only if used.