On Fri, 2008-07-25 at 13:32 -0500, Les Mikesell wrote:
Björn Persson wrote:
If you are really paranoid (or about to do large transactions on what you hope is your banking site), you could do a 'whois' lookup for the target domain to find their own name servers and send a query directly there for the target site.
Check that the domain name in the address bar is right, that you're using HTTPS, and that the bank's certificate has been verified correctly. Then you're safe, unless the attacker has *also* managed to trick one of the certification authorities into issuing a false certificate, or somehow sneaked a false CA certificate into your browser.
You aren't paranoid enough. What if the spoofer is also a system administrator at the bank with access to a copy of the real certificate that he installs on the machine he's tricked your DNS into reaching - with the expected name that you'll still see?
Exactly.
I've made the decision to surf the Internet using only a sketch pad and sticks of medium charcoal for the next several months, until this is all resolved. Last time something like this happened my cousin caught a trojan that got into his toaster. It later grew an arm and stabbed him in the eye.
It was a big joke for a while (http://xkcd.com/293/) and eventually attained urban myth status. But all myths have their basis in reality and I was there for this one.
Remember, just because you're paranoid, doesn't mean you're not in dire need of immediate assistance from a mental health professional.
[sheesh]
Andy