SSL vulnerable
> No way of knowing? Try SSL.
> If your bank is relying on DNS to prove their identity for online banking, then it's
> time to take your cash somewhere else.
Not quite; you need to think bigger.
SSL works by (and forgive me if I oversimplify):
1. Client sends server a list of crypto functions it supports
2. SSL server responds with its digital certificate and the strongest crypto function they have in common.
3. Client validates digital certificate against certificate authority
4. If client satisfied of authenticity, client generates a random number
5. Client encrypts random number (4) using public key inside certificate (2)
6. Client sends encrypted number to server (only server can decrypt)
The question that is really hard to answer is whether step 3 can be reliably done with a compromised DNS server. If they are spoofing the IP address for your bank's website, are they able to create a fake certificate and spoof the IP address of the certificate authority?