Last night, BBC radio started reporting a big security flaw in “the internet’s addressing system”. While maddeningly unspecific (they didn’t even mention DNS), it sounds a lot like DNS hijacking.
So what’s new? We’ve known about DNS hijacking since … before the dear old Beeb ever discovered the ‘net. That’s why, for example, secure sites install SSL certificates from ‘trusted’ authorities, and SSL clients such as web browsers issue dire warnings where certificates fail to match. Hah! The irony of trusting VeriSpam above DodgySnakeOil-Inc, but that’s another rant …
This morning there’s enough information to google, including a CERT note, “Multiple DNS implementations vulnerable to cache poisoning”. Right, it’s about implementations, not the system itself. The Beeb’s report is, as suspected, sensationalist crap. CERT gives just enough information:
- to set any self-respecting blackhat who cares on the trail of unpatched systems
- to tell me I don’t have anything to update.
My server isn’t vulnerable, and if my ADSL router is at risk then there’s nothing I can do. As a user, I just continue to take exactly the same precautions as before: use PGP (preferred) or ‘trusted’ SSL to protect anything sensitive I disclose.
As it happens, I use Dan Bernstein’s djbdns for precisely this reason: I believe DJB’s claims that it’s more secure than bind with its long and troubled history. What’s new is not an underlying problem, it’s merely an attack vector. Looks to me like another vindication of DJB, who just wrote software that was naturally secure, years ago. It’s even questionable whether the vector is new: DJB seems to have spelled out something remarkably similar in 2001, and there’s ample evidence of his having pointed this out many times.
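To make the “attack vector” concrete, here is a small model of the race the CERT note describes. It is an added example, not part of the original post and not DJB’s or anyone else’s code. The background it relies on is not spelled out above but is well established: a resolver accepts a UDP reply only if the 16-bit transaction ID (and the destination port) match an outstanding query, so an off-path forger has to guess the ID; if the resolver always queries from a fixed source port, the ID is all there is to guess. Randomising the source port, which is what DJB recommended years earlier, multiplies the guess space by the port range. The fixed port of 53, the ephemeral range 1024–65535 and the attacker’s sequential spraying strategy are assumptions of the model, not something the post states.

```python
"""Toy model of off-path DNS cache poisoning: fixed vs randomised source port.

Added illustration, not code from the post or from djbdns.  The resolver
accepts a forged reply only when both the 16-bit TXID and the UDP port match
the outstanding query, so the attacker's odds per packet are 1/(TXID space *
port space).
"""
import math
import random

TXID_SPACE = 1 << 16               # 16-bit transaction ID: 65536 values
FIXED_PORT = 53                    # assumed fixed query source port (old BIND style)
PORT_LOW, PORT_HIGH = 1024, 65535  # assumed ephemeral range when randomising
PORT_SPACE = PORT_HIGH - PORT_LOW + 1


def reply_accepted(expected_txid: int, expected_port: int,
                   reply_txid: int, reply_port: int) -> bool:
    """Resolver-side check: a reply is used only if TXID and port both match."""
    return reply_txid == expected_txid and reply_port == expected_port


def per_packet_success(randomise_port: bool) -> float:
    """Probability that a single blindly forged reply matches the query."""
    space = TXID_SPACE * (PORT_SPACE if randomise_port else 1)
    return 1.0 / space


def packets_for_confidence(p: float, confidence: float = 0.5) -> int:
    """Forged packets needed so P(at least one accepted) >= confidence.

    Uses 1 - (1 - p)^n >= confidence, solved for n.
    """
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def simulate_race(randomise_port: bool, forged_packets: int,
                  attacker_port_guess: int = FIXED_PORT, seed: int = 1) -> bool:
    """One query window: resolver picks TXID (and port), attacker sprays guesses.

    The attacker enumerates TXIDs sequentially and sends every forgery to
    ``attacker_port_guess`` (the historical fixed port).  With a fixed source
    port, enumerating all 65536 IDs is guaranteed to hit; once the port is
    randomised the same spray never lands, because the port guess is wrong.
    """
    rng = random.Random(seed)
    txid = rng.randrange(TXID_SPACE)
    port = rng.randrange(PORT_LOW, PORT_HIGH + 1) if randomise_port else FIXED_PORT
    for i in range(forged_packets):
        guess_txid = i % TXID_SPACE
        if reply_accepted(txid, port, guess_txid, attacker_port_guess):
            return True
    return False


if __name__ == "__main__":
    for randomised in (False, True):
        p = per_packet_success(randomised)
        print(f"randomised port={randomised}: p={p:.3e}, "
              f"packets for 50% success={packets_for_confidence(p)}, "
              f"sequential spray of 65536 hits={simulate_race(randomised, TXID_SPACE)}")
```

The numbers are the whole point of DJB’s argument: with a fixed port, a few tens of thousands of forged packets give an even chance of a hit, which is trivial over a LAN or a fast link; with the port randomised the attacker needs on the order of a billion packets per query window, which is why the 2008 patches for BIND and others consisted of exactly that change.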