Wednesday, August 6, 2008

This should come as no surprise

[Um, apparently I saved a draft of this on August 6, but neglected to, erm, actually publish it. I'd like to say I was reasonably up-to-date on this one, but obviously I snoozed and I lost. Here it is anyway.]
It's now official: There's a hole in DNS.

After giving the major players a month's head start, Dan Kaminsky is going public with a major DNS exploit, just in time for the Black Hat security conference. Apparently, it only took half of that month for people to reverse-engineer the exploit, and there have already been reports of people using DNS poisoning to snag clicks and claim ad revenue from them. Considering the possibilities, that's relatively benign, but there's no guarantee that worse hasn't been done. And those who would know have various reasons for not telling.

Paul Vixie, for one, has gone on record repeatedly about DNS's weaknesses (see here, for example), so it should come as no surprise that he's not surprised: "Quite frankly, all the pieces of this have been staring us in the face for decades, and none of us saw it until Dan put it all together." I'd take that more as "We knew this would happen, we just weren't sure how" than as "How could we have missed this?"

So one of the major pieces of net.infrastructure is vulnerable, and complex enough in its fully-operational glory that you wouldn't want to bet that we've heard the last of this. It's also fundamental enough that many of the standard security measures, SSL for example, depend on it.

What now? Most likely tactical patches in the short term, and, with luck, a serious re-think about how to get to "DNS 2.0". My understanding is that the pieces of that are also already reasonably familiar, but not well deployed. Along the way, expect to see strong security mechanisms like keys and certificates take root in more places, though not necessarily all that visibly.

[DNS has had several security extensions added since this was written, and, empirically, DNS seems to work, but it's not clear to me exactly why.  In particular, is DNS fundamentally more secure, has the web at large come to rely less on its security, or some of both?  -- D.H. June 2015]
