
Why So Serious

Slides. Summary:

DNS servers had a core bug that allows arbitrary cache poisoning

The bug works even when the host is behind a firewall

There are enough variants of the bug that we needed a stopgap before working on something more complete

Industry rallied pretty ridiculously to do something about this, with hundreds of millions protected

DNS clients are at risk, in certain circumstances

We are entering (or, perhaps, holding back a little longer) a third age of security research, where all networked apps are “fair game”

Autoupdate in particular is a mess, broken by design (except for Microsoft)

SSL is not the panacea it would seem to be

In fact, SSL certs are themselves dependent on DNS

DNS bugs ended up creating something of a “skeleton key” across almost all major websites, despite independent implementations

Internal networks are not at all safe, both from the effects of Java, and from the fact that internal routing could be influenced by external activity

The whole concept of the fully internal network may be broken – there are just so many business relationships – and, between IPsec not triggering and SSL not being cert-validated, these relationships may not be secure

We’re not even populating CDNs securely!

Animation soon.

Categories: Security
  1. August 6, 2008 at 1:59 pm

    Thanks for getting this out so quickly for those of us not at the conference! Can’t wait for the video.

  2. August 6, 2008 at 3:19 pm


  3. curtis c
    August 6, 2008 at 4:02 pm

    Your link to “check dns” at doxdns1.com does not work.

  4. SO
    August 6, 2008 at 5:22 pm

    You say “Autoupdate” is a mess, excepting Microsoft. Debian-based distributions use signing keys for software repos; regardless of DNS failure you won’t accidentally install from a spoofed site.

  5. Susan Johnson
    August 6, 2008 at 6:17 pm

    Mr. Kaminsky

    How do I ? but make sure the ports listed below aren’t following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100…).

    Yours Truly SJ.
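
The check quoted in the comment above (resolver source ports should not follow an obvious pattern), as an added example that is not code from the post, the commenters, or the checker tool. The function names, the 2048-port span threshold, and the sample output line are assumptions made for this sketch.

```python
import re

def parse_ports(text):
    """Pull port numbers out of 'addr:port' tokens, keeping arrival order."""
    return [int(p) for p in re.findall(r":(\d{1,5})\b", text)]

def assess_source_ports(ports, narrow_span=2048):
    """Classify the UDP source ports one resolver used for successive queries.

    narrow_span is an assumed threshold: three or more ports drawn at random
    from the ephemeral range almost never land within 2048 of each other.
    """
    if len(ports) < 3:
        return "insufficient-data"
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if all(d == 0 for d in deltas):
        return "fixed-port"            # e.g. every query sent from :53
    if len(set(deltas)) == 1:
        return "constant-stride"       # :1001, :1002, :1003
    if max(ports) - min(ports) < narrow_span:
        return "narrow-range"          # :30000, :30020, :30100
    # Monotonic runs are only meaningful with enough samples: three random
    # ports are sorted by chance one time in three, five only 2 in 120.
    if len(ports) >= 5 and (all(d > 0 for d in deltas) or all(d < 0 for d in deltas)):
        return "monotonic"
    return "no-obvious-pattern"

# Constructed sample of checker output (192.0.2.0/24 is a documentation range).
CONSTRUCTED_OUTPUT = "192.0.2.53:30000 192.0.2.53:30020 192.0.2.53:30100"

if __name__ == "__main__":
    ports = parse_ports(CONSTRUCTED_OUTPUT)
    print(ports, "->", assess_source_ports(ports))
```

A result of `no-obvious-pattern` only means these heuristics found nothing; it does not prove the ports are unpredictable.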

  6. August 7, 2008 at 4:22 am

    […] The whole concept of the fully internal network may be broken – there are just so many business relationships […]

    I really loved this comment. We have found out that people have a misconception that their network looks like this:


    while reality can be for example like this:


    Gazillion protocols and traffic flows traveling in and out from network that is considered to be separated from the Internet. We should move from the nineteens to this century and accept that information will always flow from A to B if there is a business need for it.

  7. Viktor Baluch
    August 8, 2008 at 5:49 am

    You can still set up a software repo that delivers old buggy software.

  8. August 10, 2008 at 12:16 am

    Hi Dan,

    The presentation is not available, I’m not able to download.

  9. MisterSSL
    August 16, 2008 at 7:07 pm

    I wish the slides from BH’08 were available in a non-proprietary file format. HTML or even plain text would be a good start.

  10. July 18, 2009 at 1:47 am

    Nice. It’s very innovative as well as informative. Thanks for sharing the useful information for us. Keep posting and stay tuned with us. :)
