Slashdot Mirror


DNS Flaw Hits More Than Just the Web

gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation." Update: 08/07 19:48 GMT by T: There's also an animation of the progress of the patch.

17 of 215 comments

  1. SSH and SSL protected by Anonymous Coward · · Score: 5, Informative

    SSH will raise the key changed warning if you've connected before.

    SSL will raise a certificate error unless they have some way of getting a fake cert.

    1. Re:SSH and SSL protected by brunascle · · Score: 5, Informative

      which is why browsers come with the CAs' public keys cached.

    2. Re:SSH and SSL protected by Brian+Gordon · · Score: 5, Interesting

      You'd need a root cert, not just control of the domain. You wouldn't even be able to revoke certs.

    3. Re:SSH and SSL protected by nonpareility · · Score: 5, Insightful

      What's to stop somebody from hijacking the bank website, redirecting to a website that uses no SSL at all, and waiting for the passwords to roll in?

      If you normally access your bank's website by way of https, you wouldn't get redirected because the hijacked website's certificate wouldn't be valid. Other than that, you're just describing phishing.
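The "key changed" warning the first comment relies on comes from the client's known_hosts file: the host key is pinned to the name you typed, so a poisoned A record that sends you to the attacker's machine yields a different key under the same name. The following is an added example, not code from any comment in this thread or from OpenSSH itself; it reimplements the known_hosts lookup (plain and hashed `|1|salt|hmac|` host fields) and the three outcomes a client can reach. The host names, the fixed salt and the key blobs are constructed placeholders, not real SSH keys.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs (base64 of placeholder bytes, not real SSH public keys).
GENUINE_KEY = base64.b64encode(b"constructed-key-of-real-bank-host").decode()
ATTACKER_KEY = base64.b64encode(b"constructed-key-of-attacker-host").decode()
FILESERVER_KEY = base64.b64encode(b"constructed-key-of-fileserver-host").decode()
SALT = bytes(range(20))  # fixed constructed salt so the sample file is reproducible


def hashed_hostfield(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))|"""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostfield_matches(hostfield: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname."""
    if hostfield.startswith("|1|"):
        parts = hostfield.split("|")
        if len(parts) != 5:
            return False
        salt = base64.b64decode(parts[2])
        stored = base64.b64decode(parts[3])
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, stored)
    return hostname in hostfield.split(",")


def fingerprint(keydata: str) -> str:
    """SHA256 fingerprint in the form the OpenSSH client prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(keydata)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: str, hostname: str, keytype: str, keydata: str) -> str:
    """Model the client's decision for the key a server presented:
    'ok'      - the pinned key for this name matches,
    'unknown' - never connected to this name before (trust-on-first-use prompt),
    'CHANGED' - a key of this type is pinned for this name and it differs
                (what you see when DNS sends you to an attacker's host)."""
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hostfield, ktype, kdata = fields[0], fields[1], fields[2]
        if not hostfield_matches(hostfield, hostname) or ktype != keytype:
            continue
        seen_host = True
        if hmac.compare_digest(kdata.encode(), keydata.encode()):
            return "ok"
    return "CHANGED" if seen_host else "unknown"


# Constructed sample ~/.ssh/known_hosts: one hashed entry, one plain entry with an IP alias.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "%s ssh-ed25519 %s" % (hashed_hostfield("bank.example", SALT), GENUINE_KEY),
    "fileserver.example,192.0.2.10 ssh-ed25519 %s" % FILESERVER_KEY,
])

if __name__ == "__main__":
    # Legitimate connection, then a connection that DNS poisoning steered to the attacker.
    for name, key in (("bank.example", GENUINE_KEY), ("bank.example", ATTACKER_KEY),
                      ("newhost.example", ATTACKER_KEY)):
        verdict = check_host_key(KNOWN_HOSTS, name, "ssh-ed25519", key)
        print("%-16s %-42s %s" % (name, fingerprint(key), verdict))
```

The hashed form exists so that a stolen known_hosts file does not list the hosts you log in to; matching still works because the client recomputes the HMAC over the name it was asked to connect to. The caveat implicit in the comment is the `unknown` case: on a first connection there is no pinned key, so a user who accepts the prompt while DNS is poisoned pins the attacker's key.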

  2. Shocked!!! by YouOverThere · · Score: 5, Insightful

    You mean all the services that use DNS are at risk?!?!?!
    Say it isn't so...!
    Here all this time I thought the Internet WAS the Web...

  3. wow by mevets · · Score: 5, Funny

    It's almost like every service that uses hostnames might be affected.

  4. To everyone on 216.34.181.45 by HungryHobo · · Score: 5, Funny

    And they called me a fool when I refused to learn website names WHO'S LAUGHING NOW!!

  5. Litmus testing by Just+Some+Guy · · Score: 5, Insightful

    If you are reading this on Slashdot, and you are just now realizing that DNS exploits affect more than just the web, then get the hell out of here. Shoo. Leave your card at the door.

    --
    Dewey, what part of this looks like authorities should be involved?

    1. Re:Litmus testing by DrEldarion · · Score: 5, Funny

      Wait, we need to know tech to be here? I thought we just had to be libertarian and anti-copyright.

    2. Re:Litmus testing by Rob+Kaper · · Score: 5, Insightful

      Sorry Kirk, we can't win this battle. Back in the day only professionals, nerds and skilled technicians visited Slashdot. These days the site (for monetary reasons, I'm sure) has to cater to a much larger audience and we have to accept that we, the low-digit-UID crowd, are no longer representative of Slashdot.

      The only problem is, our chances are not much better anywhere else. I miss the days when the Internet consisted mostly of early adopters. (Then again, we need the masses because they make it feasible to have actually useful things like Internet banking and on-line pizza orders.)

    3. Re:Litmus testing by Anonymous Coward · · Score: 5, Funny

      I doubt that the union of "people who think the web is the Internet" and "people who discover Slashdot and stick around" is more than a handful.

      Actually, I imagine the union would be enormous. Perhaps you meant the intersection?

    4. Re:Litmus testing by Just+Some+Guy · · Score: 5, Funny

      Nah. Those are just the requirements for upmodding. You can still hang around otherwise, but we might not talk to you.

      --
      Dewey, what part of this looks like authorities should be involved?

    5. Re:Litmus testing by caferace · · Score: 5, Insightful

      "If you are reading this on Slashdot..."

      Good point. How do we know this really is Slashdot?

  6. Surprised? by LaminatorX · · Score: 5, Funny

    This is why I've maintained a comprehensive /etc/hosts file since 1996. Every now and then it gets to be a bit large, so I periodically print it out and cache it to a shelf full of 3-ring binders.

  7. Bittorrent? Not really. by 42forty-two42 · · Score: 5, Informative

    Virtually all BitTorrent clients support a distributed hash table and an inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all, in fact, except perhaps when the client is first installed, to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of BitTorrent's problem domain.

  8. Gopher by dj245 · · Score: 5, Funny

    The three of us who still use Gopher are scared to death!

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.

  9. Weakness of "domain control only validated" certs by Animats · · Score: 5, Interesting

    Kaminsky makes a point about how this bug can be used to spoof Certification Authorities who issue SSL certificates. For the cheap "domain control only validated" certificates, ownership of the domain is validated by sending an e-mail to the domain. If you can spoof DNS from the viewpoint of a CA, you can buy a valid SSL cert for a domain you don't own. Now you can spoof some banking site, and the spoofed site will properly display an SSL cert.

    He also makes the point that DNS cache poisoning can be used to fake MX records in DNS, which will result in e-mail being diverted to the attacker, who can then look at it. If the attacker creates a high-priority MX record, they can read the mail, then disconnect without acknowledging receipt. The originating mailer will then resend to the next-priority MX record, the real one. So the mail reaches its destination without anything in the headers to indicate it was snooped.
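Both halves of the comment above come down to the same mechanism: if the sender's resolver is handed a poisoned MX set, the attacker's exchange is tried first, and a sending MTA treats a connection that dies before the final 250 as a temporary failure and moves on to the next exchange. The CA's domain-validation e-mail in the first paragraph is just one message that can be read this way. The following is an added example, not code from the comment or from any real MTA; it models the sender's MX fallback loop, an attacker exchange that copies the message and drops the session before acknowledging, and the legitimate exchange that then receives it and stamps the only Received: header. The domain names, the message and the validation code in it are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class MXRecord:
    preference: int  # lower value is tried first
    exchange: str    # host name of the mail exchanger


class RealMailServer:
    """Legitimate MX: accepts the message and prepends a Received: header."""
    def __init__(self, name: str):
        self.name = name
        self.inbox: List[str] = []

    def deliver(self, message: str) -> str:
        self.inbox.append("Received: from sender by %s\n%s" % (self.name, message))
        return "250 OK: queued"


class AttackerMailServer:
    """Attacker's MX: keeps a copy of the message received during DATA, then drops the
    connection before sending the final reply, so the sender sees a temporary failure."""
    def __init__(self, name: str):
        self.name = name
        self.captured: List[str] = []

    def deliver(self, message: str) -> str:
        self.captured.append(message)
        raise ConnectionResetError("peer closed connection before final reply")


def send_with_mx_fallback(message: str, mx_records: List[MXRecord],
                          servers: Dict[str, object]) -> List[Tuple[str, str]]:
    """Model of a sending MTA: try exchanges in preference order, and treat a connect
    failure or a dropped session as a temporary error that moves on to the next MX.
    Returns the per-exchange trace ending with the successful delivery."""
    trace: List[Tuple[str, str]] = []
    for mx in sorted(mx_records, key=lambda r: (r.preference, r.exchange)):
        server = servers.get(mx.exchange)
        if server is None:
            trace.append((mx.exchange, "connect failed"))
            continue
        try:
            reply = server.deliver(message)
        except ConnectionResetError as exc:
            trace.append((mx.exchange, "temporary failure: %s" % exc))
            continue
        trace.append((mx.exchange, reply))
        return trace
    raise RuntimeError("all MX hosts failed; message deferred")


# Constructed records: the genuine MX set, and the same set as a poisoned cache would
# return it, with an extra attacker exchange at a more preferred (lower) value.
GENUINE_MX = [MXRecord(10, "mx1.victim.example")]
POISONED_MX = GENUINE_MX + [MXRecord(5, "mx.attacker.example")]

# Constructed message standing in for a CA's domain-validation mail.
MESSAGE = ("From: validation@ca.example\nTo: admin@victim.example\n"
           "Subject: domain validation\n\nYour validation code is 12345\n")


def run(mx_records: List[MXRecord]) -> dict:
    """Deliver MESSAGE against the given MX set; report what each party ended up with."""
    real = RealMailServer("mx1.victim.example")
    attacker = AttackerMailServer("mx.attacker.example")
    servers = {real.name: real, attacker.name: attacker}
    trace = send_with_mx_fallback(MESSAGE, mx_records, servers)
    return {"trace": trace, "delivered": real.inbox, "captured": attacker.captured}


if __name__ == "__main__":
    result = run(POISONED_MX)
    for exchange, outcome in result["trace"]:
        print("%-22s %s" % (exchange, outcome))
    print("attacker holds %d copy, recipient's headers:" % len(result["captured"]))
    print(result["delivered"][0].splitlines()[0])
```

The trace shows the sender retrying exactly as the comment describes, and the delivered copy carries only the legitimate server's Received: line, because the attacker never relayed anything. The defensive check that follows from this is on the sending side: a resolver that validates DNSSEC, or a CA that looks up MX records from several vantage points and compares them, would see the extra exchange that the victim's own zone never published.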