An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Previous Thread
Next Thread
Print Thread
DNSCrypt v Trusteer
#37495 11/29/15 05:29 PM
Joined: Aug 2009
Likes: 15
OP Online

Joined: Aug 2009
Likes: 15
Wireless Security deals in part with DNSCrypt's functionality, but since I know that at least a few FTMers use Trusteer, I'll ask if its "man in the middle" protection duplicates it?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: DNSCrypt v Trusteer
artie505 #37496 11/29/15 05:58 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 16
Two different technologies doing two different things.

DNSCrypt protects all communication with the DNS server by encrypting the requested URL and the resulting IP address and has no part in anything other than that.

Trusteer protects only the communication between you and a specific financial institution and has no part in the DNS process.

Last edited by joemikeb; 11/29/15 06:00 PM.

If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: DNSCrypt v Trusteer
joemikeb #37503 11/30/15 05:52 AM
Joined: Aug 2009
Likes: 15
OP Online

Joined: Aug 2009
Likes: 15
Thanks for the clarification.

Both Trusteer and the original DNSCrypt claim/ed to prevent "man in the middle" attacks, thus my confusion (but I just took a look, and DNSC no longer mentions those attacks).

Edit: Hmmm... Now I'm thinking that maybe both apps prevent MItM attacks, but DNSC covers a different middle than Trusteer? Like DNSC covers a wider, shorter middle, and Trusteer covers a narrower, longer one?

Last edited by artie505; 11/30/15 07:45 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: DNSCrypt v Trusteer
artie505 #37505 11/30/15 03:43 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline
Moderator

Joined: Aug 2009
Likes: 16
To slightly paraphrase Sir Henry Higgins in My Fair Lady, "By george, I think he's got it!" smile

MiTM (Man in The Middle) is a generic term describing any exploit taking place between internet points A and B. DNSCrypt is very narrowly targeted on preventing MiTM attacks between your computer and a DNS server that has a DNSCrypt resolver while Trusteer Rapport is very narrowly targeted on preventing an MiTM attack between your computer and a specific financial institution.
  • DNSCrypt provides protection when obtaining an IP address so any connection using a URL can be made.
  • Trusteer Rapport protects the connection to your bank once it is established. (NOTE: Trusteer's protection is focused like a laser beam. Trusteer protection is purchased from IBM by the financial institution and each has its own specific (unique?) version of Trusteer. As far as I know that version supports only the one bank and cannot protect transactions with other banks or financial institutions. To the best of my knowledge, there is no provision to have multiple versions of Trusteer on the same computer.)
Since every internet connection using a URL requires making an DNS server enquiry DNSCrypt has a much broader effect than Trusteer Rapport, but IMHO each is equally valuable in their specific arena of operations.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: DNSCrypt v Trusteer
joemikeb #37530 12/01/15 07:26 AM
Joined: Aug 2009
Likes: 15
OP Online

Joined: Aug 2009
Likes: 15
Originally Posted By: joemikeb
DNSCrypt provides protection when obtaining an IP address so any connection using a URL can be made.

Trusteer Rapport protects the connection to your bank once it is established. (Emphasis added)

That sounds like DNSC is a necessary adjunct to TR to protect you from point A to B before TR protects you from B to C?

Originally Posted By: joemikeb
Trusteer's protection is focused like a laser beam. Trusteer protection is purchased from IBM by the financial institution and each has its own specific (unique?) version of Trusteer. As far as I know that version supports only the one bank and cannot protect transactions with other banks or financial institutions. To the best of my knowledge, there is no provision to have multiple versions of Trusteer on the same computer. (Emphasis added)

That all would be curiously limiting!(*)

This thread has now converged with
Originally Posted By: this one
Originally Posted By: joemikeb
Originally Posted By: artie505
(Some of Trusteer's functionality actually is [was, anyhow] available for non-client banks, but I was never certain of its precise nature or usefulness.)

That is interesting because as I understand it Trusteer Rapport is dependent on software running on both ends of the connection. Otherwise why would any bank pay for the service?
and I think the appropriate place to address the two is here. (I'll cross-reference.)

Note: I trashed Rapport months ago because it was slowing Safari 5.1.10 down to a crawl, and there's no longer a Snowy compatible version available, so I'm working from memory. Further, I don't deal with any of Rapport's client financial institutions, so that part of its functionality is outside of my experience.

Rapport offered to protect my connections to (non-client) Chase Bank, Vanguard, and PayPal, but NOT with all of its options; the available ones can be found with a bit of digging in its pref pane. ([Edited] I recall declining protection on eBay and, I think, all other https websites].)

When I got to the login pages for those sites I clicked on the Rapport icon and was offered some sort of password entry protection that I accepted.

My acceptance generated generic entries for the sites at the bottom of Rapport's ridiculously long (not to mention ridiculously long-loading) client list in its pref pane, and they also appeared as options under at least two of its pref items, one of which was password protection.

(*)Seemingly contrary to what you've said, though, I remember Rapport's pref pane offering many protections for (something like) "member institutions" (maybe even "all"), which, working blind, of course, I took to mean not just the particular one identified prior to download, but all those on the client list with which a user dealt. (If you've never been there, good luck in Rapport's pref pane; unless they've given it a serious workover, it's a nightmare!)

Edit: As I've intimated, it is not necessary to identify a client institution prior to downloading Rapport, so at least some non-member protection is impliedly available.

Last edited by artie505; 12/01/15 08:12 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: DNSCrypt v Trusteer
artie505 #37534 12/01/15 01:14 PM
Joined: Aug 2009
Offline

Joined: Aug 2009
Establishing a secure connection requires a few things
1) some foundation of trust. Your computer's root security certificates try to provide that, so you know when you first connect to a site that it is in fact the site you are trying to connect to. Google "key-signing parties" for other better alternatives.
2) security of the platform on both ends (basically means that while the data is unprotected on your end or on their end, the system accessing the data isn't compromised)
3) strong cryptography armoring the data as it travels across untrusted networks

Unless the business you are trying to connect to has had their SSL certificate compromised, or your computer has had its system key store compromised, a DNS attack shouldn't go unnoticed. At the very least you should see a warning about the site's certificate not being verified. But this is just for data privacy. If you're worried about browsing history, bouncing off a full-on VPN is the only way to even get off to a good start.


I work for the Department of Redundancy Department

Moderated by  alternaut, dianne, MacManiac 

Link Copied to Clipboard
Powered by UBB.threads™ PHP Forum Software 7.7.4
(Release build 20200307)
Responsive Width:

PHP: 7.4.33 Page Time: 0.036s Queries: 26 (0.032s) Memory: 0.6021 MB (Peak: 0.6819 MB) Data Comp: Zlib Server Time: 2024-03-29 06:35:29 UTC
Valid HTML 5 and Valid CSS