Very nice summary of the “How” part of my talk here.
I do think “Why does DNS matter this much?” is a more important question. It’s 2008 — why can I still not email securely between companies? It’s a little sad that such a simple and basic bug can:
1) Break past most username/password prompts on websites, no matter how the site is built.
2) Break the Certificate Authority system used by SSL, because Domain Validation sends an email and email is insecure.
3) Expose the traffic of SSL VPNs, because heh, who needs to check certificates anyway.
4) Force malicious automatic updates to be accepted.
5) Cause millions of lines of totally unfuzzed network code to be exposed to attack.
6) Leak TCP and UDP connectivity behind the firewall, to any website, in an attack we thought we already fixed twice now.
7) Expose the traffic of tools that aren’t even pretending to be secure, because “it’s behind the firewall” or “protected by a split-tunneling IPsec VPN”.
It’s just DNS cache poisoning. Why does it get to do this much damage?
The whole “hostile vs. safe” network myth needs to die. Every network is hostile — the DNS bug just made true something that should already have been assumed, but wasn’t. And we need to get faster and better at fixing the infrastructure. Using things until the moment of catastrophic failure — be they bridges, DNS, or MD5 — is a problem, and we can do better.
FX of Phenoelit made an important point a while back — everything you can do with this DNS attack, you can do with SNMPv3. If you haven’t patched your routers — and that includes your internal routers, since Java’s giving UDP access out and you can thus issue SNMP queries with it (not their fault, the entire web security model collapses when DNS is broken and this is just yet another break) — you should probably do that too.
It’s going to be an interesting couple of months. We’re going to see a lot of blended/combination attacks, as attacks we thought were infeasible in the real world suddenly start proving themselves entirely viable (at least, given insecure infrastructure). The previously unfuzzed network clients are probably going to be particularly problematic — if you write a network app that is not a web browser, now is a good time to start feeding random (or even better, semi-random) data to it and switching the autoupdater to SSL. New attacks are already popping up, only a few days in. Ben Laurie just came out with a harrowing and beautiful advisory against some common OpenID deployments. I knew about the intersection of DNS and OpenID, and I knew about the intersection of DNS and Debian’s badly generated certs (a problem which, I’d like to point out, is much harder to patch due to our continuing lack of an effective certificate revocation infrastructure). But it took Ben Laurie to attack “Secure” OpenID providers using Debian Certs via DNS. Fantastic, excellent work.
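Added example, not part of the comment above or its author's work: a defender's check for the "have you patched" question. The 2008 resolver fix added UDP source-port randomization on top of the 16-bit transaction ID, so an off-path forger has to guess both; this script parses constructed tcpdump-style query lines (sample log, names and functions are all assumed for illustration) and flags a resolver that still sends every query from a single port.

```python
import math
import re
from collections import Counter
# Constructed tcpdump-style outbound queries (not real captures):
# "IP <src>.<port> > <dst>.53: <txid>+ <qtype>? <name>. (<len>)"
FIXED_PORT_LOG = """\
IP 10.0.0.5.53 > 192.0.2.1.53: 6699+ A? example.com. (29)
IP 10.0.0.5.53 > 192.0.2.1.53: 15518+ A? example.net. (29)
IP 10.0.0.5.53 > 192.0.2.1.53: 48207+ A? example.org. (29)
IP 10.0.0.5.53 > 192.0.2.1.53: 28801+ AAAA? example.com. (29)
"""
RANDOM_PORT_LOG = """\
IP 10.0.0.5.49152 > 192.0.2.1.53: 6699+ A? example.com. (29)
IP 10.0.0.5.61007 > 192.0.2.1.53: 15518+ A? example.net. (29)
IP 10.0.0.5.33471 > 192.0.2.1.53: 48207+ A? example.org. (29)
IP 10.0.0.5.58890 > 192.0.2.1.53: 28801+ AAAA? example.com. (29)
"""
QUERY_RE = re.compile(r"^IP \S+\.(\d+) > \S+\.53: (\d+)\+ ")

def parse_queries(log):
    """Extract (source_port, txid) pairs; lines that are not queries are skipped."""
    pairs = []
    for line in log.splitlines():
        m = QUERY_RE.match(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs

def entropy_bits(values):
    """Empirical Shannon entropy of the sample (at most log2(len(values)))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess_resolver(pairs):
    """Judge how much an off-path forger must guess for a reply to be accepted:
    with a fixed source port only the 16-bit TXID protects the cache."""
    if not pairs:
        return {"verdict": "NO DATA"}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    report = {"distinct_ports": len(set(ports)),
              "port_entropy_bits": entropy_bits(ports),
              "txid_entropy_bits": entropy_bits(txids)}
    if report["distinct_ports"] == 1:
        report["verdict"] = "VULNERABLE: fixed source port, only the TXID varies"
    elif report["distinct_ports"] < max(2, len(pairs) // 2):
        report["verdict"] = "WEAK: source port repeats often"
    else:
        report["verdict"] = "OK: source port and TXID both vary"
    return report
```

Feed it a few hundred real outbound queries rather than four; a short sample can only bound the entropy from below.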