Then you're not using the telnet protocol. Telnet does a certain amount of negotiation at connection to pass through environment variables and the like to the server. Most clients automatically skip this if the server port is not 23.
https/ssh/etc require that you have a trustworthy translation from name to IP address. A corrupt ISP defeats it.
Not true. The reverse proxy would need a private key certified by a trusted CA in the name of the server.
If we assume (big assumption...) that the root CAs trusted by the browser never make a mistake, then there isn't any practical way for the proxy to impersonate the server and get away with it.
X509 protects you from corrupt ISPs meddling with DNS, as long as the trusted third parties (the CAs) are truly trustworthy.
Akamai charge for their distribution servers around the Net. If they were to use torrents, those distribution servers would become the seeds and Akamai would still be able to charge a small fortune for them.
Randomize server selection on queries
As a security improvement to make forgery a little more difficult, BIND 9.6 now attempts to make the order of the server selection for queries less predictable. Previously, BIND would prefer to query the server with the lowest round trip time (RTT). Now servers that haven't been tried yet have their RTT set to a random value between 0 ms and 7 ms. And the RTT values of servers which have been tried are now randomly changed up to 128 ms.
This algorithm also applies to DNS servers specified with the "forwarders" clause. A local bind installation with the ISP's and Google's DNS servers configured as forwarders would do what you want. The OS and applications would then be configured to use the local DNS server.
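The selection rule quoted above is easy to misread, so here is a small simulation of it written for this page (this is not BIND's code). Three upstream servers with constructed latencies are queried repeatedly under the old rule (always the lowest known RTT) and under the 9.6 rule (untried servers get a random RTT in 0-7 ms, tried servers have their RTT randomly shifted by up to 128 ms, lowest score wins). The server names, the latencies and the reading of "randomly changed up to 128 ms" as an additive jitter are all assumptions:

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

UNTRIED_MAX_MS = 7     # untried servers: RTT drawn from [0, 7] ms
PERTURB_MAX_MS = 128   # tried servers: measured RTT shifted by up to 128 ms

# Constructed "true" latencies for three forwarders (not measurements).
TRUE_RTT_MS = {"isp-dns": 12.0, "google-dns-1": 25.0, "google-dns-2": 30.0}


@dataclass
class Server:
    name: str
    srtt_ms: Optional[float] = None   # None until the server has answered once


def pick_old(servers: List[Server], rng: random.Random) -> Server:
    """Pre-9.6 rule: prefer the lowest known RTT (untried counts as 0 ms).
    Once every server has been measured this always returns the same one,
    which is what makes the next query target predictable to a forger."""
    return min(servers, key=lambda s: 0.0 if s.srtt_ms is None else s.srtt_ms)


def pick_randomized(servers: List[Server], rng: random.Random) -> Server:
    """9.6 rule as described in the release notes quoted above."""
    def score(s: Server) -> float:
        if s.srtt_ms is None:
            return rng.uniform(0, UNTRIED_MAX_MS)
        # Assumption: "randomly changed up to 128 ms" read as additive jitter.
        return s.srtt_ms + rng.uniform(0, PERTURB_MAX_MS)
    return min(servers, key=score)


def run(policy: Callable[[List[Server], random.Random], Server],
        n_queries: int, seed: int = 1) -> Dict[str, int]:
    """Send n_queries with the given policy; return how often each server was chosen.
    The chosen server's RTT is 'measured' from the constructed table."""
    rng = random.Random(seed)
    servers = [Server(name) for name in TRUE_RTT_MS]
    counts = {name: 0 for name in TRUE_RTT_MS}
    for _ in range(n_queries):
        chosen = policy(servers, rng)
        chosen.srtt_ms = TRUE_RTT_MS[chosen.name]
        counts[chosen.name] += 1
    return counts


if __name__ == "__main__":
    print("old rule:       ", run(pick_old, 100))
    print("randomized rule:", run(pick_randomized, 300, seed=7))
```

Under the old rule every server is tried once and then the fastest one takes every remaining query, so an attacker racing the resolver knows which address the next query will come from. Under the randomized rule all three keep getting queries, so the forger has to guess the server as well as the query ID and port.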
Is there a future in preventing abuse by blocking IP addresses? In IPv6, each end user might have control over 2^64 IP addresses. Blocking individual addresses won't scale, and blocking entire /64s will risk the same effect of blocking innocent bystanders. I can't see how sites like Wikipedia and the RBLs will be able to scale their blacklists to these numbers of addresses cost effectively.
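To make the trade-off in the comment above concrete, here is an added example (not from the page's author) of a blocklist that can key either on exact addresses or on the /64 an IPv6 address belongs to. The addresses are constructed; the choice of /64 as the IPv6 aggregation prefix is the comment's own figure, and treating an IPv4 address as its own /32 is an assumption made here:

```python
import ipaddress
from typing import Set

IPV6_AGGREGATE_PREFIX = 64   # the per-customer block size the comment assumes


def block_key(addr: str, aggregate_v6: bool) -> str:
    """Return the string an abuse list would store for this address.
    With aggregate_v6 the whole /64 is stored for IPv6; IPv4 is always exact."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and aggregate_v6:
        return str(ipaddress.ip_network(f"{ip}/{IPV6_AGGREGATE_PREFIX}", strict=False))
    return str(ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}"))


class Blocklist:
    def __init__(self, aggregate_v6: bool) -> None:
        self.aggregate_v6 = aggregate_v6
        self.entries: Set[str] = set()

    def block(self, addr: str) -> None:
        self.entries.add(block_key(addr, self.aggregate_v6))

    def is_blocked(self, addr: str) -> bool:
        return block_key(addr, self.aggregate_v6) in self.entries

    def __len__(self) -> int:
        return len(self.entries)


# Constructed sample: one abuser rotating through addresses inside a single /64,
# plus an innocent host that happens to share that /64.
ABUSER_PREFIX = "2001:db8:1:2::"
ABUSER_ADDRS = [f"{ABUSER_PREFIX}{i:x}" for i in range(1, 1001)]
BYSTANDER = "2001:db8:1:2:dead:beef::1"
NEXT_ABUSER_ADDR = f"{ABUSER_PREFIX}ffff"   # the abuser's next rotation


def compare(n_seen: int) -> dict:
    """Block the first n_seen abuser addresses both ways and report the result."""
    per_addr, per_64 = Blocklist(aggregate_v6=False), Blocklist(aggregate_v6=True)
    for a in ABUSER_ADDRS[:n_seen]:
        per_addr.block(a)
        per_64.block(a)
    return {
        "entries_per_address": len(per_addr),
        "entries_per_64": len(per_64),
        "per_address_stops_next": per_addr.is_blocked(NEXT_ABUSER_ADDR),
        "per_64_stops_next": per_64.is_blocked(NEXT_ABUSER_ADDR),
        "per_address_hits_bystander": per_addr.is_blocked(BYSTANDER),
        "per_64_hits_bystander": per_64.is_blocked(BYSTANDER),
    }


if __name__ == "__main__":
    for k, v in compare(1000).items():
        print(f"{k}: {v}")
```

Per-address blocking grows one entry for every address the abuser touches and still misses the next one; per-/64 blocking needs a single entry and stops the rotation, but the bystander in the same /64 is blocked with it. That is exactly the scaling-versus-collateral problem the comment describes.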
Qtel force all web traffic through a proxy server in order to block access to certain sites. All Qtel web traffic is seen to come from the IP address of the proxy server. This is completely different to NAT.
http://www.state.gov/g/drl/rls/hrrpt/2007/100604.htm
Is this the "military-grade security and government control" that prevents classified material being leaked to Wikileaks so effectively?
You have 18 quintillion addresses to hide in. How much uncertainty do you need?
My apologies, I just couldn't resist.
... but it could be nice to have anything useful among those hacks, don't you think?
Like a spell checker?