secure DNS hosting?
Amos Shapira
amos.shapira at gmail.com
Thu Jan 28 22:07:18 IST 2010
On 29 January 2010 01:38, Ori Berger <linux-il at orib.net> wrote:
> Amos Shapira wrote:
>>
>> What are you refering to by "server certificates, client certificates,
>> RSA tokens etc"? Are you talking about DNS-SEC or just general web
>> server security practices?
>>
>
> General web server security practices; A server certificate tells the client
> that this server has been trusted by a known certificate authority to serve
> a specific domain. That's not perfect, as hackers have already demonstrated
> being able to get certificates for domains they do not own, and a specific
> certificate signing bug (since patched) allowed certificates for specially
> crafted domain names to pass as certificates for other domains.
>
> It does, however, make life harder for the hacker and works well against
> simple "man-in-the-middle" attack.
Thanks. I'm aware of all that.
>
> A client certificate proves to your server that the client posses a
> certificate, without sending it online. This provides some defense against a
> man-in-the-middle attack or keyboard logging/password sniffing -- but of
> course, not helpful if the client machine was compromised and rooted.
Aware of that too. We'll include client certificate as an
authentication option for our API servers at some stage.
>
> RSA tokens (I'm sure there are other manufacturers) are small devices,
> usually credit card sized, that display a password that keeps changing every
> minute. Identity is verified by the client having access to the up to date
> password at log-in times and when performing sensitive actions.
Also aware, not relevant in our case (we are aiming for self-service).
>
>> I'm at the "reading the brochure" stage and google'ing a bit about
>> them but one of the points I think I got through is that they have
>> their own servers and cooperation with major ISP's in many places
>> around the world in order to reduce the exposure to external DNS
>> vulnerabilities.
>>
>
> That sounds like good practice. Make sure that this is true regarding where
> your clients are located; e.g. they might have wonderful infrastructure in
> the US but not in Australia, or vice versa.
>
Our clients are global companies who's clients (and attackers) can
come from anywhere.
This last bit reminded me of another question, I'll post it on another thread.
Cheers,
--Amos
More information about the Linux-il
mailing list