Re: ~/.hosts patch

From: Tarc <tarc_at_tarc.po.cs.msu.su>
Date: Wed, 21 Jun 2006 12:53:46 +0400
On Wed, Jun 21, 2006 at 10:32:21AM +0200, Maxime Henrion wrote:
> Marcin Jessa wrote:
> > On Wed, 21 Jun 2006 07:31:23 +0000
> > John Birrell <jb_at_what-creek.com> wrote:
> > 
> > > On Wed, Jun 21, 2006 at 12:20:36AM -0700, Luigi Rizzo wrote:
> > > > On Wed, Jun 21, 2006 at 07:07:39AM +0000, John Birrell wrote:
> > > > > The fact that a lot of innocent (naive) people don't use https
> > > > > and certificates?!
> > > > 
> > > > and so they would happily click on
> > > > 
> > > > 	<a href="http://www.666.org/gimmeyourmoney">Secure Link to
> > > > Your Bank</a>
> > > > 
> > > > so we are not opening much in terms of security holes...
> > > 
> > > You are making it worse because you open a new security hole:
> > > 
> > > <a href="https://www.paypal.com/">www.paypal.com</a>
> > > 
> > > does not take them to the _REAL_ www.paypal.com.
> > > 
> > > This is not an issue about phishing where:
> > > 
> > > <a href="http://some.dynamic.ip.addr/">www.paypal.com</a>
> > > 
> > > makes it look like the link takes them to PayPal when it really
> > > doesn't.
> > > 
> > > Most banks still don't use certificates even though they use HTTP.
> > > 
> > > We need to retain the integrity of a DNS lookup. If there are any work
> > > arounds required for poor DNS lookups, then let an administrator
> > > configure them!
> > 
> > Just add a global switch to enable/disable using of the ~/.hosts file
> > to i.e /etc/login.conf.
> > I personally find this feature very handy, especially on a desktop
> > with restricted access to the system. 
> 
> Better yet; the original author is currently working on making this a
> separate nss module.  It can then be enabled/disabled at will through
> the nsswitch.conf file.
> 
> I can understand the security concerns people have expressed in this
> thread, but once this functionality is available as a nss module they
> don't hold anymore.  As far as I can see, noone intends to have this
> enabled by default, and it's not even clear it should be in the base.
> Having a nss_userfiles port or whatever is probably enough.
> 
> Cheers,
> Maxime
Yes, but the global capability must be there. Or you can say, how enable this ability (if it'll be nss port) only for several users/groups ?!!

-- 
   Best regards,
   	Arseny Nasokin
Received on Wed Jun 21 2006 - 06:49:49 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC