FQDN needed by sasl_gss_client_step or gss_import_name?
David Lawler Christiansen (NT)
davidchr at windows.microsoft.com
Mon May 20 17:00:21 EDT 2002
> From: Steve Langasek [mailto:vorlon at dodds.net]
> Sent: Friday, May 17, 2002 7:32 AM
> To: Lawrence Greenfield
> Cc: Jacques A. Vidrine; Dave Snoopy; cyrussasl; krb5
> Subject: Re: FQDN needed by sasl_gss_client_step or gss_import_name?
[...]
> > Since DNS is an insecure mechanism (an attacker could substitute
> > "myevilmachine.cmu.edu" for "fred.ad.cmu.edu" in the DNS response)
> > this leads to a vulnerability. Microsoft Kerberos implementations
> > aren't subject to this attack.
>
> Hmm, I think Microsoft Kerberos implementations are just as
> vulnerable to DoS attacks in the DNS: all I have to do is
> interfere with forward lookups, and Microsoft clients can't
> find their servers any better than
> MIT clients can.
DoS isn't the issue. Spoofing is. Relying on DNS for name
canonicalization would enable an attacker to defeat mutual
authentication.
-----
This message or posting is provided "AS IS" with no warranties, and
confers no rights.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
I reside in Washington, USA, where Title 19 declares that sending me
Unsolicited Commercial Email can result in a $500 fine.
Harvesting of this address for purposes of bulk email (spam and UCE) is
expressly prohibited unless by my explicit prior request. I retaliate
viciously against spammers and spam sites.
More information about the Kerberos
mailing list