X

What The New York Times left out, about the DNS flaw

Practical advice for the DNS flaw is here, rather than in the New York Times.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

Disclosure.

Michael Horowitz
3 min read

The front page of the New York Times today had a story by John Markoff, With Security at Risk, a Push to Patch the Web, about the recent bug in DNS. Being a newspaper, the focus of the story was on news rather than practical advice. In contrast, this Defensive Computing blog focuses on practical advice.

For another introduction to the problem see What you need to know about the latest DNS flaw.

For an online test that tells you if your computer is vulnerable to the DNS flaw see The best test for vulnerability to the DNS flaw. The fact that there are online vulnerability tests wasn't even mentioned in the newspaper.

If your computer is vulnerable to the problem, see A cheatsheet for defending against the DNS flaw.

Markoff warned about the potential danger of the DNS flaw with:

"It could allow a criminal to redirect Web traffic secretly, so that a person typing a bank's actual Web address would be sent to an impostor site set up to steal the user's name and password. The user might have no clue about the misdirection... "

Firefox 3 users have a much better chance of being informed about misdirections as a result of the DNS flaw - if, they are willing to tweak the browser a bit.

In Firefox 3 gotcha: No more yellow address bars, I wrote about how to restore the yellow address bar to indicate a secure web page. This was a feature in Firefox 2 that got dropped in version 3.

If you prefer to think of green as good and yellow as a warning, then you can read Make Firefox 3 use green for secure web pages where I explain how to change the secure page color in the address bar from yellow to green.

Even further information about secure web pages is available with another Firefox 3 configuration change. See Firefox 3: Expand the Site Identification button on HTTPS pages to learn how to enable a feature that displays the secure website name in a blue button right next to the address bar.

The end results is an address bar that looks like the below for secure web pages. If this is how secure web pages display, it makes it much harder for the bad guys to fool you by mis-directing you to a scam copy of a website.

A secure web page displayed with Firefox 3

Below is the same web page displayed in Internet Explorer 7. Something such as the missing "S" in the protocol name, which flags a secure web page, can be easily missed.

A secure web page displayed with Internet Explorer 7

Update July 31:The above screen shot from Internet Explorer 7 is from an instance with the phishing filter turned off. When this filter is turned on, IE7 works much like the tweaked copy of Firefox 3, that is, the address bar turns green and there is an extra button on the right with additional information about the secure page.

See a summary of all my Defensive Computing postings.