Full Stack for Front End Engineers Cache Poisoning
This course has been updated! We now recommend you take the Full Stack for Front-End Engineers, v2 course.
Transcript from the "Cache Poisoning" Lesson
>> Jem: What's a potential security hole with DNS? We mentioned before that you can take a bunch of sites offline if you have only had one DNS provider. What's something else that's pretty dangerous that can happen? I know it's in the slides, so. But, just don't jump ahead. What do you guys think?
[00:00:21] Nobody? So let's, lets say you copied my site completely, you copied jemyoung.com. Now this part where it says, buy my book, I don't own a book. But it says buy my book, insert your credit information. Let's say someone copied my site entirely, how would they know they're at the right site?
[00:00:39] Well, you could use something called DNS cache poisoning. So, if I somehow poison all this cache that we talked about earlier, to say that jemyoung.com isn't 188.8.131.52, it's actually this other IP address. And you go there and it looks just like my site. And your browser doesn't know because in the browser it says jemyoung.com, right?
[00:01:01] So, DNS pass voice is a real thing. One way to solve that is through HTTPS, so that just says it's a handshake between the browser and the server, and the DNS provider says, I am where I say I am. But in the early days of internet, this was so malicious.
[00:01:19] You can go to google.com and you're typing in you're logged in and you think your on google.com but you're actually not. You're on a completely different server in China or something like that. So this is a whole, this actually gets brought up probably once a year, someones DNS gets attacked and the cache gets reset and pointing to the malicious websites, which is why companies like Chrome and Firefox are so insistent on HTTPS.
[00:01:45] HTTPS, again, is just it's a handshake that says you are where you say you are. But this is something to be very wary of, DNS cache poisoning, so.
>> Speaker 2: Sorry, Jem, are you gonna actually talk about HTTPS?
>> Jem: If we have time at the end of the day, I would love to get everybody set up on HTTPS.
[00:02:02] But that's, it's a bit more involved, there's still, there are companies like less encryptors. It's fantastic. I use them for my own site, but it's pretty advanced to get that set up, but I'll talk about it a little bit later and hopefully we have time at the end of the day.
[00:02:17] We'll get everybody a nice screen lock icon. Pretty fun.