![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Two weeks ago, it was revealed that there's a nasty flaw inherent in the design of the DNS protocol that underlies almost everything we do on the internet. The implication is that when you're doing your thing on the net, any given bad guy could make your computer go where he wants, instead of where you want, without you knowing about it.
The problem is so bad that the DNS and security experts who were made aware of this all agreed to keep the details quiet for 30 days, in hopes of giving network admins everywhere the chance to mitigate the problem before the bad guys figured out how to exploit it. Meanwhile, one of the recommended workarounds was to use OpenDNS servers if your ISP's servers are vulnerable.
Unfortunately, OpenDNS intercepts failed queries and tries to either correct them or direct them to a search. This breaks some things that rely on knowing whether a lookup actually fails.
Even more unfortunately, OpenDNS intercepts all lookups to www.google.com, and relays them through its own servers. (Apparently this is an attempt to work around some Google-Dell deal that wouldn't otherwise affect people not using Windows on recent Dell desktop computers. Everybody's trying to cash in on invalid web requests.)
So in order to avoid some random bad guys secretly changing where I go when I type something like, say, www.google.com, into my browser, I must use a service that definitely changes where I go when I type www.google.com into my browser. This does not make me feel warm and fuzzy.
Oh yeah, and two days ago the secret leaked early, and everyone now knows how to break unpatched DNS servers. (At least one major ISP I use still hasn't fixed their servers, and apparently many other big ones haven't either.) So, uh, when you go to your bank's website, be sure to click on that little lock icon and make sure the right name shows up before you login to your account.
The problem is so bad that the DNS and security experts who were made aware of this all agreed to keep the details quiet for 30 days, in hopes of giving network admins everywhere the chance to mitigate the problem before the bad guys figured out how to exploit it. Meanwhile, one of the recommended workarounds was to use OpenDNS servers if your ISP's servers are vulnerable.
Unfortunately, OpenDNS intercepts failed queries and tries to either correct them or direct them to a search. This breaks some things that rely on knowing whether a lookup actually fails.
Even more unfortunately, OpenDNS intercepts all lookups to www.google.com, and relays them through its own servers. (Apparently this is an attempt to work around some Google-Dell deal that wouldn't otherwise affect people not using Windows on recent Dell desktop computers. Everybody's trying to cash in on invalid web requests.)
So in order to avoid some random bad guys secretly changing where I go when I type something like, say, www.google.com, into my browser, I must use a service that definitely changes where I go when I type www.google.com into my browser. This does not make me feel warm and fuzzy.
Oh yeah, and two days ago the secret leaked early, and everyone now knows how to break unpatched DNS servers. (At least one major ISP I use still hasn't fixed their servers, and apparently many other big ones haven't either.) So, uh, when you go to your bank's website, be sure to click on that little lock icon and make sure the right name shows up before you login to your account.
frustrated
Bank website?
Re: Bank website?
Many, if not most, bank websites offer account login on the non-SSL homepage. This is a bad thing. (See this recent InformationWeek story for more web-banking badness.)
And most people don't really understand what the browser is saying in the popups -- especially in an age of Windows Vista asking you to approve everything you want to do. It's way too common and easy to click away a popup without really understanding it.