Why So Serious
Slides. Summary:
• DNS servers had a core bug that allows arbitrary cache poisoning
– The bug works even when the host is behind a firewall
– There are enough variants of the bug that we needed a stopgap before working on something more complete
• Industry rallied pretty ridiculously to do something about this, with hundreds of millions protected
• DNS clients are at risk, in certain circumstances
• We are entering (or, perhaps, holding back a little longer) a third age of security research, where all networked apps are “fair game”
– Autoupdate in particular is a mess, broken by design (except for Microsoft)
• SSL is not the panacea it would seem to be
– In fact, SSL certs are themselves dependent on DNS
• DNS bugs ended up creating something of a “skeleton key” across almost all major websites, despite independent implementations
• Internal networks are not at all safe, both from the effects of Java, and from the fact that internal routing could be influenced by external activity
– The whole concept of the fully internal network may be broken – there are just so many business relationships – and, between IPsec not triggering and SSL not being cert-validated, these relationships may not be secure
– We’re not even populating CDNs securely!
Animation soon.
Thanks for getting this out so quickly for those of us not at the conference! Can’t wait for the video.
thanks
your link to “check dns” at doxdns1.com does not work.
You say “Autoupdate” is a mess, excepting Microsoft. Debian based distributions use signing keys for software repos, regardless of DNS failure you won’t accidentally install from a spoofed site.
Mr. Kaminsky
How do I ? but make sure the ports listed below aren’t following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100…).
Yours Truly SJ.
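The stopgap the summary refers to, and the port check the commenter above is asking about, both come down to whether a resolver's outbound query source ports are predictable. The following is an added example, not code from the original post or from the doxpara "check dns" page: given a sample of observed source ports, it flags the obvious patterns (fixed port, constant increment, small creeping steps, narrow range). The thresholds and the sample port lists are assumptions constructed for illustration.

```python
# Added example (not the original post's or doxpara's code): flag predictable
# source-port patterns in a resolver's outbound queries. Thresholds are assumed.
from collections import Counter
import math

MIN_SAMPLES = 5       # fewer observations than this and we refuse to judge
MAX_SMALL_STEP = 256  # "30000, 30020, 30100" style creeping increments


def port_entropy_bits(ports):
    """Shannon entropy of the observed port values, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def port_pattern(ports):
    """Return a short reason if the ports follow an obvious pattern,
    or None if they pass this simple randomization test."""
    if len(ports) < MIN_SAMPLES:
        return "too few samples"
    if len(set(ports)) <= len(ports) // 2:
        return "fixed or heavily reused port"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if len(set(steps)) == 1:
        return "constant increment (%d)" % steps[0]
    if all(0 < s <= MAX_SMALL_STEP for s in steps):
        return "monotonically increasing by small steps"
    if max(ports) - min(ports) < 1024:
        return "confined to a narrow range"
    return None


def assess(ports):
    """Summarise a sample: entropy in bits plus the pattern verdict."""
    return {"entropy_bits": round(port_entropy_bits(ports), 2),
            "pattern": port_pattern(ports)}


# Constructed samples (not real captures).
SEQUENTIAL = [1001, 1002, 1003, 1004, 1005, 1006]
CREEPING = [30000, 30020, 30100, 30115, 30140, 30201]
FIXED = [53] * 8
RANDOMIZED = [51342, 2087, 64999, 17330, 40211, 9876, 33020, 58741]

if __name__ == "__main__":
    for name, sample in [("sequential", SEQUENTIAL), ("creeping", CREEPING),
                         ("fixed", FIXED), ("randomized", RANDOMIZED)]:
        print(name, assess(sample))
```

A handful of queries is enough to catch the patterns listed; a resolver that passes this test can still be weak in ways a small sample cannot show.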
[…] The whole concept of the fully internal network may be broken – there are just so many business relationships […]
I really loved this comment. We have found out that people have a misconception that their network looks like this:
https://www.clarifiednetworks.com/Castle
while reality can be for example like this:
https://www.clarifiednetworks.com/IMS_Complexity
Gazillion protocols and traffic flows traveling in and out of a network that is considered to be separated from the Internet. We should move from the nineties to this century and accept that information will always flow from A to B if there is a business need for it.
You can still set up a software repo that delivers old buggy software.
Hi Dan,
the presentation is not available, I’m not able to download it.
I wish the slides from BH’08 were available in a non-proprietary file format. html or even plain text would be a good start.