Slashdot Mirror


DNS Flaw Hits More Than Just the Web

gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation." Update: 08/07 19:48 GMT by T : There's also an animation of the progress of the patch.

3 of 215 comments

  1. Re:SSH and SSL protected by Brian+Gordon · Score: 5, Interesting

    You'd need a root cert, not just control of the domain. You wouldn't even be able to revoke certs.

  2. Wide open internet is doomed. by tjstork · Score: 4, Interesting

    I RTFA. At this point, we're hanging all of our eggs into the encryption basket. If someone proves P=NP and breaks SSL, the whole internet is hosed. Now again, why are we telling people that this stuff is safe, when -we- know that it is not?

    1. The internet will have to be balkanized into those countries that have laws to go after hackers and those who do not.
    2. Consumers will eventually only choose content that is actually hosted by their ISPs because that will be the only content that is safe.
    3. ISPs will increasingly look to disallow traffic coming from "non-trusted" ISPs in order to protect themselves.

    --
    This is my sig.
  3. Weakness of "domain control only validated" certs by Animats · Score: 5, Interesting

    Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.

    He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.
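The two mail attacks in the comment above, the MX fall-through snoop and the captured CA validation e-mail, as an added example that is not part of the original thread or of Kaminsky's material. It is an in-process simulation of MTA behaviour, not real SMTP: the host names (mx.attacker.example, mx1/mx2.victim.example, mail.ca.example), the MX preferences and the messages are all constructed for illustration. The sending side tries MX records in preference order and only treats a message as delivered once a host answers 250 OK, which is exactly what the attacker's "read, then disconnect" trick relies on.

```python
from dataclasses import dataclass, field


class ConnectionDropped(Exception):
    """Peer closed the SMTP session before sending the final 250 OK."""


@dataclass
class MailHost:
    """An honest MX: stamps a Received header, stores the message, acknowledges."""
    name: str
    inbox: list = field(default_factory=list)

    def accept(self, message: str, from_host: str) -> str:
        self.inbox.append(f"Received: from {from_host} by {self.name}\r\n{message}")
        return "250 OK"


@dataclass
class SnoopingHost(MailHost):
    """The attacker's MX (hypothetical host). It keeps a raw copy of the message
    and, unless told to acknowledge, drops the session so the sending MTA retries
    the next MX and only the real host ever stamps a Received header."""
    acknowledge: bool = False

    def accept(self, message: str, from_host: str) -> str:
        self.inbox.append(message)          # the snooped copy
        if self.acknowledge:
            return "250 OK"
        raise ConnectionDropped(self.name)  # no 250 OK, so the sender will retry


def deliver(message: str, mx_records, hosts, sender_host="mail.sender.example"):
    """Deliver following MX preference (lowest number first, as an MTA does).
    Returns (host that acknowledged, list of hosts tried in order)."""
    tried = []
    for _pref, host in sorted(mx_records):
        tried.append(host)
        try:
            hosts[host].accept(message, sender_host)
            return host, tried
        except ConnectionDropped:
            continue  # not delivered yet: fall through to the next MX
    raise RuntimeError("no MX acknowledged the message")


# Constructed RRsets. LEGIT_MX is what victim.example really publishes;
# POISONED_MX is what a poisoned cache hands back: attacker first.
LEGIT_MX = [(10, "mx1.victim.example"), (20, "mx2.victim.example")]
POISONED_MX = [(5, "mx.attacker.example")] + LEGIT_MX


def run_interception():
    """Scenario 1: read the mail, then let the real MX deliver it unmarked."""
    hosts = {
        "mx.attacker.example": SnoopingHost("mx.attacker.example"),
        "mx1.victim.example": MailHost("mx1.victim.example"),
        "mx2.victim.example": MailHost("mx2.victim.example"),
    }
    msg = ("From: alice@sender.example\r\nTo: bob@victim.example\r\n"
           "Subject: wire details\r\n\r\nAccount 1234, routing 5678\r\n")  # constructed
    final_host, tried = deliver(msg, POISONED_MX, hosts)
    return hosts, final_host, tried


def run_ca_validation():
    """Scenario 2: the CA's domain-validation mail, resolved through the poisoned
    cache, lands at the attacker, who keeps it and acknowledges it outright."""
    hosts = {
        "mx.attacker.example": SnoopingHost("mx.attacker.example", acknowledge=True),
        "mx1.victim.example": MailHost("mx1.victim.example"),
        "mx2.victim.example": MailHost("mx2.victim.example"),
    }
    msg = ("To: admin@victim.example\r\nSubject: approve certificate\r\n"
           "\r\ncode=ABC123\r\n")  # constructed
    final_host, _ = deliver(msg, POISONED_MX, hosts, sender_host="mail.ca.example")
    return hosts, final_host


if __name__ == "__main__":
    hosts, final_host, tried = run_interception()
    print("tried:", tried, "-> acknowledged by", final_host)
    print("attacker copy starts:", hosts["mx.attacker.example"].inbox[0].splitlines()[0])
    print("recipient sees:", hosts["mx1.victim.example"].inbox[0].splitlines()[0])
    ca_hosts, ca_final = run_ca_validation()
    print("validation mail acknowledged by:", ca_final)
```

In the first scenario the recipient's copy carries a Received line naming only the sender and mx1.victim.example, so nothing in the headers records the hop through the attacker. The second scenario shows why the cert point matters: if the resolver the CA uses is the one poisoned, the validation mail never reaches the real domain at all.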