Didn't want to clutter up the main thread, so moved my response here:

The operator or ISP can certainly man-in-the-middle your DNS queries (most of the time your using their DNS servers) and deliver whatever IP address they feel like for any name you request. Some do exactly that for non-existent domain names for instance instead of a NXDOMAIN record. There's a high level of trust you have to have in your DNS servers.

But with a secure site (https), there are a couple of mechanisms that should tip the user off if someone is trying to spoof a site, and also several layers of trust.

1. Your browser is going to check that the certificate matches the dns name of the server you are requesting a session with.

2. The browser is going to verify that the certificate is trusted by your browser (ie. is signed by one of the trusted CAs.) These Certificate Authorities are trusted to not sign fraudulent certificates, nor provide certificates to people who do not own those domains. (Once in a while this trust level breaks down, due to these CAs being hacked, and then the CAs certificate gets revoked.)

If those checks don't succeed, you should get a message from the browser that something is wrong with the certificate and if you continue, you're taking a risk.

There's really only a couple of ways that I'm aware of that a secure site can be successfully spoofed:

- A trusted CA is hacked into and a certificate signed for whichever domain name the attacker is trying to spoof and then this certificate is used in the attack.

- Somehow the attacker gets their own CA certificate into your trusted CA list on your computer/browser. This is how in corporate environments SSL sessions can be monitored by corporate proxies. If you own all the endpoints, you can install your own trusted CA certificates and the browser is quite happy with that.

Of course, if you are the US gov, and you have forced google.com to just hand over their SSL private keys, you can just decrypt any SSL sessions for which you have packet captures. (Also another tool that corporate IT security departments use to protect their own web servers; SSL decryption and inspection at wire speeds.)

I only wanted to say theres no privacy on internet as that is what i know or noobs can expect btw i dont know that lot and half of the post is missing maybe my feature phone word limit

Use disinformation to be more secure.

Use several proxies. You will lose speed but collected data will be inaccurate.

Err, see (EC)DHE and PFS aka "perfect forward secrecy" - it happens that google actually does use PFS
http://stackoverflow.com/questions/1...orward-secrecy

also:
:-D

And no, your company's security team implements true MITM on your gateway to do SSL inspection, which nevertheless usually needs you to accept resp install the company's own root cert to your list of trusted certs.

I'll look at that thanks!


That's what I meant, the company's CA cert is added to each workstations list of trusted certs. I am my company's security team so I have a fairly good understanding of how to do that part, maybe my communication skills are not quite up to par though!

DNSSEC is supposed to fix this.

(Damn but it's klunky writing text on a Jolla. Waiting for the Neo900 with bated breath).