From: "Thomas Wisniewski"<thomas.wisniewski@prudential.com>
To: java-security@web2.javasoft.com
Message-Id: <85256487.00666AED.00@njros1ngw04.metro.prudential.com>
Date: Mon, 28 Apr 1997 14:39:10 -0400
Subject: DNS Spoofing and Java
Can you guys please comment on my note below. Thanks, Tom.
---------------------- Forwarded by Thomas Wisniewski/PSC/Pru on 04/28/97 02:35 PM ---------------------------
Thomas Wisniewski Friday April 25, 1997 12:17 PM
Corporate Information Technology (201) 716-4616 Fax Number: (201) 716-8271
To: moreinfo @ netscape.com
sip @ cs.princeton.edu
felton @ cs.princeton.edu
Steve @ AZTech.Net
cc:
Subject: DNS Spoofing and Java
Hi, I wanted to run a scenario by you guys related to DNS spoofing and
Java.
I've been looking at the issue of using applets through firewalls. The
issues are documented by Netscape in the following URL
http://home.netscape.com/newsref/std/java_security_faq.html and stem from
the fix of the DNS spoofing problems posted by the Princeton SIP group at
http://www.cs.princeton.edu/sip/news/dns-spoof.html. The main premise of
this note is based on the fact that someone's DNS server can provide
different ip addresses at different times. I.e., the DNS for hacker.com
will sometimes return a true IP address for www.hacker.com and other times
it will return a spoofed IP address.
In your (Netscape's) page mentioned above you make a statement "To prevent
such attacks, which could bypass your firewall, Navigator 2.01 and 2.02
look up the IP address for each site they process, and refuse to listen to
(possibly false) updates to that address. The Navigator rewrites all
connections to use the spelling of the IP address and avoid any confusion
(misdirection by an attacker's false advertising)." I'm running Navigator
3.0 and don't believe this statement is still true.
Is it supposed to be true? I believe the answer is yes. If not why not?
I believe that Navigator does NOT rewrite all connections to use the
spelling of the IP address, particularly when the applet uses successive
http requests. Instead, after the applet security manager does the DNS
lookup/verification of where the applet wants to connect to and confirms
the ip addresses match, it then passes the DNS name as part of the http
request; i.e., it does not rewrite the DNS name with an IP address. I've
had this happen while running behind a firewall and accessing external
sites as well as without a firewall.
I think this scenario poses 2 problems. One that I have seen for myself and
one that I have not tried to implement.
First (running behind a FW/Proxy Server without DNS)
You say a potential work around for users behind a firewall (using a proxy
server) is to propagate DNS information across the firewall. This means
that my client machine either has access to a DNS with external names in it
or that I use a HOSTS file on my machine. If I use this work around (I used
a HOSTS file), the applet security manager can verify the host where the
applet came from against one of these DNS resolution mechanisms. However,
even if this check is validated, the DNS name is sent to my proxy server
(not the IP address). This means that the proxy server must again determine
the IP address of the DNS name. This is where the DNS lookup could spoof an
internal address and hence connect my request to an internal machine via
the proxy server.
Second (not using a FW) -- much harder to do.
I don't know how an applet determines which IP address it connected to.
However, it appears that it does NOT get this information from the TCP/IP
connection that actually got the first applet class. Rather it appears that
it does a DNS lookup to determine this at some later point in time. What if
this lookup is spoofed? So an applet comes from the correct host but then
when it checks where it came from and when it checks any secondary
connection that the applet wants to make, the DNS lies about its IP address
and points to a user's internal IP address.
It seems that one of the main problems is that when a proxy server is used,
the client machine does not really have any way of knowing where it came from
based on the exact IP address of the applet download. Instead a further DNS
check needs to be done. Is there any way to propagate the IP address of
where an applet comes from the proxy server? Unfortunately I don't think
there is -- not sure how to make this secure??
Lastly, why does I.E. 3.0 work without a security violation when using a
proxy server to get an applet outside of a FW? Does I.E. not do the DNS to
IP Address resolution and check that it needs to do to solve the problem
mentioned by the Princeton group? To see what I mean, just try to go to
http://java.sun.com:81. Navigator will get a security exception, I.E.
won't??
Thanks for your time. I appreciate any thoughts.
Tom.
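The two policies the message contrasts, as an added Python model that is not part of the message or of Navigator's code: an unpinned check that re-resolves names at connect time, next to the pinned check Netscape describes (resolve the applet's host once, then compare and connect by address). The resolver, the host names and the addresses are constructed for the example; the resolver hands out a different answer after the first query, as in the Princeton scenario.

```python
from typing import Dict, List, Tuple

class FlippingResolver:
    """Constructed stand-in for a DNS server whose answers change over
    time: each name maps to a list of answers handed out in order, the
    last one repeating forever."""
    def __init__(self, answers: Dict[str, List[str]]):
        self._answers = {name: list(ips) for name, ips in answers.items()}

    def lookup(self, name: str) -> str:
        ips = self._answers[name]
        return ips.pop(0) if len(ips) > 1 else ips[0]

def unpinned_check(resolver: FlippingResolver, origin: str, target: str) -> Tuple[bool, str]:
    """Pre-fix policy: re-resolve origin and target at connect time and allow
    the connection when the two fresh answers agree. Returns (allowed, address
    the socket would be opened to)."""
    origin_ip = resolver.lookup(origin)
    target_ip = resolver.lookup(target)
    return origin_ip == target_ip, target_ip

class PinnedOrigin:
    """Post-fix policy (Navigator 2.01/2.02 as quoted in the message): resolve
    the applet's host once at load time, then compare every later target to
    that pinned address and open connections to the address, not the name."""
    def __init__(self, resolver: FlippingResolver, origin: str):
        self.resolver, self.origin = resolver, origin
        self.pinned_ip = resolver.lookup(origin)   # looked up exactly once

    def check(self, target: str) -> Tuple[bool, str]:
        if target == self.origin:
            return True, self.pinned_ip          # origin is never re-resolved
        target_ip = self.resolver.lookup(target)
        return target_ip == self.pinned_ip, target_ip

def scenario() -> Dict[str, Tuple[bool, str]]:
    """Applet fetched from www.hacker.com while the name resolves to an external
    address; every query after that is answered with an internal address."""
    external, internal = "203.0.113.10", "10.1.2.3"   # constructed addresses
    fresh = lambda: FlippingResolver({"www.hacker.com": [external, internal],
                                      "other.hacker.com": [internal]})
    r = fresh()
    r.lookup("www.hacker.com")          # the applet class download itself
    pinned = PinnedOrigin(fresh(), "www.hacker.com")
    return {   # unpinned: both connect-time lookups return the internal address
        "unpinned": unpinned_check(r, "www.hacker.com", "www.hacker.com"),
        "pinned_same_host": pinned.check("www.hacker.com"),
        "pinned_other_host": pinned.check("other.hacker.com"),
    }
```

Behind a proxy, the client hands the proxy the name rather than the pinned address, so the comparison above still runs on the client while the address actually connected to is chosen by the proxy's own resolver, which is the first problem the message describes.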