Re: ~/.hosts patch
- From: Xin LI <delphij@xxxxxxxxxxx>
- Date: Wed, 21 Jun 2006 17:51:19 +0800
Hi, Harti,
On Wed, 2006-06-21 at 08:31 +0200, Harti Brandt wrote:
> On Wed, 21 Jun 2006, Xin LI wrote:
> [snip]
> XL>successfully exploit the ~/.hosts to get privilege escalation and/or
> XL>information disclosure or something else, which could not happen without
> XL>~/.hosts?
>
> Wouldn't this enable the same kind of phishing attacks there are under
> windows? As far as I remember there are attacks where the hosts file
> (don't remember how it's called under windows) is rewritten by a virus/java
> script/whatever to contain a different IP address for a given hostname?
> Suppose someone fakes the website of www.foobank.com, then manages to
> insert www.foobank.com with the wrong IP address into ~/.hosts?

Well, if the user would not see an HTTPS certificate before entering his
or her password, then it would be highly possible that the user would
run under the "root" credential, where /etc/hosts can also be altered.

But instead of getting this into a bikeshed, let's see the way we are
seeking to make it (to add the functionality as an NSS module). I think
an NSS module would provide the functionality yet allow anyone to
choose whether to enable or disable it :-)

Cheers,
--
Xin LI <delphij delphij net> http://www.delphij.net/