Are DynDNS providers safe to use?

2

1

Are DynDNS providers like noip.com absolutely safe to use?

I mean now they just have an A record which is e.g. my home's IP, but they could change that and set the A record to their own server and thus would be able to receive all the requests which should go to my home's IP.

Is that right?

user302241

Posted 2014-02-21T23:55:19.593

Reputation: 33

Question was closed 2014-02-22T00:07:22.637

It may be worth looking into things like remote.it that purport to provide a "private internet". Disclosure - I haven't tried them or anything like it (nor ddns). But I'm inclined to try this for my home IoT hub. – jinglesthula – 2019-12-14T00:20:49.590

Technically it is right. There should be a legal agreement between you and the provider which somehow must regulate what the provider can and cannot do. Why do you think this will happen? – VL-80 – 2014-02-22T00:03:50.710

It seems like a question about what they technically could do, not what they're allowed to do by law. It is a valid concern. – Phoenix Logan – 2014-02-22T01:06:57.973

Answers

1

Yes, that's 100% true, but if you think about it, your Internet service provider (ISP) could redirect the requests to another server as well. Even if your website had a certificate that is accepted by a certificate authority (CA), the CA could, in conjunction with your Internet service provider, dynamic DNS provider, or, if you had a static IP, regular DNS provider, redirect the requests to another server and the certificate could be accepted for the other server.

Unfortunately, that's the way the Internet and the Web work. In your computer is a list of sources to accept certificates from, and depending on where your computer's operating system comes from, the list is provided and can be changed at any time by the vendor (Microsoft, Apple, etc.).

If you trust them and the CA, ISP, and DNS provider, you're fine. And it's very rare for any issues relating to this to happen, but they have happened before. https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

Sorry if you're disappointed in the answer... But that's how things work online.

Phoenix Logan

Posted 2014-02-21T23:55:19.593

Reputation: 1 307

I appreciate this is old, and closed, but this is lacking critical information about what a cert and the SSH server signature are there to protect against! Referring to TLS, the role of a CA is to authenticate that you are who you say you are, therefore no sane CA should issue a cert for your domain to the ISP. If the ISP illegally apply for one using your details, then yes, that's possible. What's not (practically) possible is someone spoofing the SSH server signature, which is why SSH clients tend to refuse a connection if the server key doesn't match one previously stored. [continued] – Samuel Harmer – 2018-01-03T10:24:28.900

Therefore if you use SSH and the server key has changed, you know you're not connected to YOUR server, but one in between. This doesn't stop the ISP or whoever eavesdropping on your encrypted SSH communication, but so long as your SSH server is using a suitably difficult to crack key then it would take them too long for it to be worth them bothering to try decrypting your SSH traffic. Also see https://superuser.com/q/151471/96867. – Samuel Harmer – 2018-01-03T10:26:08.643

OK. Let's say I SSH or do a request over HTTPS to the DynDNS server (which let's say (illegally) changed the A record from my home's IP to their own IP) would they be able to see the password transferred with SSH / the POST data transferred via a POST against a HTTPS URL? – user302241 – 2014-02-22T00:23:23.857

Unfortunately, yes, and even if the requests are automated, they can program the server to log the passwords, which allows them to view them later. However, this is an extremely insecure practice when it comes to storing passwords and it's just as vulnerable as storing the passwords for logins in plain text. They may just program the server to log the password of a specific user, however... – Phoenix Logan – 2014-02-22T00:31:33.267
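
The SSH host key check mentioned in the comments above, as an added example that is not part of the original thread: with a dynamic DNS name the IP address changes legitimately, so the pinned server key, not the address, is what identifies your own machine. The host name `myhome.ddns.example`, the keys and the IP addresses are constructed sample values, and only plain (unhashed) `known_hosts` lines are handled.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_pins(known_hosts_text):
    """Return {(host, keytype): fingerprint} from plain known_hosts lines."""
    pins = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) host entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            pins[(host, fields[1])] = fingerprint(fields[2])
    return pins

def assess(pins, host, keytype, presented_b64, last_ip, resolved_ip):
    """Classify a connection attempt made through a dynamic DNS name."""
    pinned = pins.get((host, keytype))
    if pinned is None:
        return "unknown-host"      # nothing pinned yet: first contact
    if not hmac.compare_digest(pinned, fingerprint(presented_b64)):
        return "key-mismatch"      # not the pinned server: stop, send no password
    # Same key: a new address is just the dynamic IP being updated.
    return "ok" if resolved_ip == last_ip else "ok-ip-changed"

def _blob(fill):
    # Constructed ssh-ed25519 key blob (wire format, dummy key bytes).
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

HOME_KEY, OTHER_KEY = _blob(0x11), _blob(0x22)   # constructed sample keys
HOST = "myhome.ddns.example"                     # constructed host name
KNOWN_HOSTS = f"# constructed sample\n{HOST} ssh-ed25519 {HOME_KEY}\n"
PINS = load_pins(KNOWN_HOSTS)

if __name__ == "__main__":
    for key, ip in [(HOME_KEY, "198.51.100.7"), (HOME_KEY, "198.51.100.99"),
                    (OTHER_KEY, "203.0.113.5")]:
        print(ip, assess(PINS, HOST, "ssh-ed25519", key, "198.51.100.7", ip))
```
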