Home > Security > Summaries

Summaries

Very nice summary of the “How” part of my talk here.

I do think “Why does DNS matter this much?” is a more important question.  It’s 2008 — why can I still not email securely between companies?  It’s a little sad that such a simple and basic bug can:

1) Break past most username/password prompts on websites, no matter how the site is built.
2) Break the Certificate Authority system used by SSL, because Domain Validation sends an email and email is insecure.
3) Expose the traffic of SSL VPNs, because heh, who needs to check certificates anyway
4) Force malicious automatic updates to be accepted
5) Cause millions of lines of totally unfuzzed network code to be exposed to attack
6) Leak TCP and UDP connectivity behind the firewall, to any website, in an attack we thought we already fixed twice now
7) Expose the traffic of tools that aren’t even pretending to be secure, because “it’s behind the firewall” or “protected by a split-tunneling IPsec VPN”.

It’s just DNS cache poisoning.  Why does it get to do this much damage? 

The whole “hostile vs. safe” network myth needs to die.  Every network is hostile — the DNS bug just made true something that should already have been assumed, but wasn’t.  And we need to get faster and better at fixing the infrastructure.  Using things until the moment of catastrophic failure — be they bridges, DNS, or MD5 — is a problem, and we can do better.

FX of Phenoelit made an important point a while back — everything you can do with this DNS attack, you can do with SNMPv3.  If you haven’t patched your routers — and that includes your internal routers, since Java’s giving UDP access out and you can thus issue SNMP queries with it (not their fault, the entire web security model collapses when DNS is broken and this is just yet another break) — you should probably do that too.

It’s going to be an interesting couple of months.  We’re going to see a lot of blended/combination attacks, as attacks we thought were infeasible in the real world suddenly start proving themselves entirely viable (at least, given insecure infrastructure).  The previously unfuzzed network clients are probably going to be particularly problematic — if you write a network app that is not a web browser, now is a good time to start feeding random (or even better, semi-random) data to it and switching the autoupdater to SSL.  New attacks are already popping up, only a few days in.  Ben Laurie just came out with a harrowing and beautiful advisory against some common OpenID deployments.  I knew about the intersection of DNS and OpenID, and I knew about the intersection of DNS and Debian’s badly generated certs (a problem which, I’d like to point out, is much harder to patch due to our continuing lack of an effective certificate revocation infrastructure).  But it took Ben Laurie to attack “Secure” OpenID providers using Debian Certs via DNS.  Fantastic, excellent work.

Categories: Security
  1. jo
    August 9, 2008 at 10:48 am

    I find it rather amusing that when I connect to this web page my Firefox browser puts up a button that tells me to “download missing plugin”

    I wonder where it will go if I click it and what it will actually fetch?

    Like I’d ever allow flash on my system in the first place. Or any form of “auto update”.
    But then some people actually allow Vista on the hardware. Its amazing really.

    If you want to do movies do mpeg1 or 2 or old style AVI with a known movie client – nothing else is remotely safe. And Microsoft is the reason so stop sucking up.

    Perhaps one day people will listen to what I tell them…but I doubt it.

  2. August 22, 2008 at 6:35 am

    This whole episode has been a fascinating study in what happens when a security vulnerability comes from a flawed protocol as opposed to faulty implementations. Congrats on handling it so well, Dan Kaminsky!

  1. August 17, 2008 at 12:00 am
  2. August 22, 2008 at 6:38 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: