Can you 'fake' an IP address?

Robert Brockway robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Wed Mar 14 07:22:21 UTC 2012


On Tue, 13 Mar 2012, Alejandro Imass wrote:

>> Spoofing can be generally defeated by appropriately strong cryptographic
>> signing of data (at L3, L4 or even higher).
>>
>
> Not at all. 99.999999% of users are so stupid they will type or click
> YES _every single time_. I conducted a private study in a high-profile

I said nothing about users :)  The cryptographic signing I'm talking about 
is handled entirely transparently to the user (e.g. IPSec, or SSH host key 
auth, or some application-level auth that never gives the user an option to 
override).  The key here is whether the client and server trust each 
other, not what the user may or may not trust.

> govt / police scenario. And ALL the users clicked YES to my spoofed
> Ettercap HTTPS certs. The certs look identical and users assume it's
> some network glitch. They are so used to proxy configuration errors
> and bad internal IT service that they just assume it's a technical
> problem.

As a separate topic, yes, this is a huge issue.  I always try to discourage 
people from accepting untrusted certs blindly.  It's a losing battle.

And the CAs themselves have shown themselves to be vulnerable in various 
ways.

I always ask people why they trust CAs :)

Cheers,

Rob

-- 
Email: robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Director, Software in the Public Interest (http://spi-inc.org/)
Free & Open Source: The revolution that quietly changed the world
"One ought not to believe anything, save that which can be proven by nature and the force of reason" -- Frederick II (26 December 1194 – 13 December 1250)
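An added illustration of the point Rob makes above (this is example code written for this page, not anything from the original thread or from the tools it names): application-level signing where the server decides whether to trust a message purely from a shared key, with no user prompt and no "accept anyway" path. The message format, the field names, the shared key and the sample addresses are all constructed here; the key is assumed to have been provisioned out of band. The MAC covers the claimed source, a per-sender sequence number and the payload, so a forged source field, a replayed message or an unsigned message are all rejected by the same check.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the example. In practice this is provisioned
# out of band (config management, a key file), never derived from anything
# the peer claims about itself such as its IP address.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def _canonical(src_id: str, seq: int, payload: dict) -> bytes:
    """Deterministic encoding of the authenticated fields, so sender and
    verifier MAC exactly the same bytes."""
    body = {"src": src_id, "seq": seq, "payload": payload}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, src_id: str, seq: int, payload: dict) -> dict:
    """Build an authenticated message. The tag covers the claimed sender,
    a monotonically increasing sequence number (replay protection) and the
    payload, so none of them can be altered in transit without detection."""
    tag = hmac.new(key, _canonical(src_id, seq, payload), hashlib.sha256).hexdigest()
    return {"src": src_id, "seq": seq, "payload": payload, "mac": tag}


class Verifier:
    """Server-side check. There is deliberately no override: a bad tag,
    a malformed message or a stale sequence number makes verify() return
    False and the message is dropped."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted, per sender

    def verify(self, msg: dict) -> bool:
        try:
            src, seq, payload, claimed = msg["src"], msg["seq"], msg["payload"], msg["mac"]
        except (KeyError, TypeError):
            return False  # unsigned or malformed: rejected, nobody is asked
        if not isinstance(seq, int):
            return False
        expected = hmac.new(self.key, _canonical(src, seq, payload), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the tag byte by byte.
        if not hmac.compare_digest(expected, claimed):
            return False
        if seq <= self.last_seq.get(src, -1):
            return False  # replayed (or reordered) message: tag is valid but already consumed
        self.last_seq[src] = seq
        return True


def demo() -> dict:
    """Run the four cases the thread discusses and report what the verifier decided."""
    v = Verifier(SHARED_KEY)
    genuine = sign_message(SHARED_KEY, "10.0.0.5", 1, {"cmd": "status"})
    ok_genuine = v.verify(genuine)
    # Spoofed origin: the source field is rewritten, but the tag was computed over
    # the original source and the rewriter does not hold the key.
    spoofed = dict(genuine, src="10.0.0.9")
    ok_spoofed = v.verify(spoofed)
    # Replay of the genuine message: tag still valid, sequence number already used.
    ok_replay = v.verify(genuine)
    # Unsigned message that merely claims a trusted address.
    unsigned = {"src": "10.0.0.5", "seq": 2, "payload": {"cmd": "status"}}
    ok_unsigned = v.verify(unsigned)
    return {"genuine": ok_genuine, "spoofed": ok_spoofed,
            "replay": ok_replay, "unsigned": ok_unsigned}


if __name__ == "__main__":
    print(demo())
```

The thing to notice is that the source address never enters the trust decision on its own; it is just one more field under the tag. That is what makes the check indifferent to whatever the network layer claims, and because the code path has no interactive branch, there is nothing for a user to click YES on.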

