Sensationalist Humbug

Last night, BBC radio started reporting a big security flaw in “the internet’s addressing system”. While maddeningly unspecific (they didn’t even mention DNS), it sounds a lot like DNS hijacking.

So what’s new? We’ve known about DNS hijacking since … before the dear old Beeb ever discovered the ‘net. That’s why, for example, secure sites install SSL certificates from ‘trusted’ authorities, and SSL clients such as web browsers issue dire warnings where certificates fail to match. Hah! The irony of trusting VeriSpam above DodgySnakeOil-Inc, but that’s another rant …

This morning there’s enough information to google, including a CERT note, “Multiple DNS implementations vulnerable to cache poisoning”. Right, it’s about implementations, not the system itself. The Beeb’s report is, as suspected, sensationalist crap. CERT gives just enough information:

  • to set any self-respecting blackhat who cares on the trail of unpatched systems
  • to tell me I don’t have anything to update.

My server isn’t vulnerable, and if my ADSL router is at risk then there’s nothing I can do. As a user, I just continue to take exactly the same precautions as before: use PGP (preferred) or ‘trusted’ SSL to protect anything sensitive I disclose.

As it happens, I use Dan Bernstein’s djbdns for precisely this reason: I believe DJB’s claims that it’s more secure than bind with its long and troubled history. What’s new is not an underlying problem, it’s merely an attack vector. Looks to me like another vindication of DJB, who just wrote software that was naturally secure, years ago. It’s even questionable whether the vector is new: DJB seems to have spelled out something remarkably similar in 2001, and there’s ample evidence of his having pointed this out many times.

Posted on July 9, 2008, in bbc, internet, security. 3 Comments

  1. Yup. DJB is awesome. He was quite right, quite some time ago. Everyone should have done then what they are doing now.

    Well, they are doing it now. There’s a reason.

  2. A little challenge to me here: is the above comment from the real Dan Kaminsky?

    The moral is, it really doesn’t matter to me, except insofar as I’m flattered if he’s graced my humble blog entry with his comment. Nothing critical hangs on whether it’s genuine or forged. In either case, having the link to his site is entirely appropriate here.

  3. Am I right in thinking some of this dates back to legacy days of `query-source address * port 53` and all that, just because “sysadmins” couldn’t be bothered understanding firewalls properly 10-15 yr ago?
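The fixed-source-port point in the last comment is the crux of why a blind cache-poisoning race is winnable, so here is an added illustration (not code from this post, its commenters or the CERT note). It models a resolver that accepts the first reply matching the (transaction ID, UDP source port) of its outstanding query, and compares a resolver that always queries from port 53 with one that also randomises its source port. The resolver model, the assumed ephemeral port range of 1024–65535, the forgery burst size and the trial counts are all assumptions made for the example; real attacks also have to beat the genuine answer on timing, which this model ignores.

```python
"""Added example: how much harder blind DNS cache poisoning gets when the
resolver randomises its UDP source port instead of always using port 53.

Model (an assumption for this example, not a description of any specific
implementation): the resolver accepts the first reply whose transaction ID
and destination port match an outstanding query.  The attacker, who cannot
see the query, fires a burst of forged replies with guessed values, and may
repeat the attempt as often as it likes with fresh queries.
"""
import random

TXID_SPACE = 1 << 16          # DNS transaction ID is 16 bits
PORT_LO, PORT_HI = 1024, 65536  # assumed ephemeral range for "random_port"
FIXED_PORT = 53               # the old 'query-source address * port 53' habit


def outstanding_query(policy, rng):
    """Return the (txid, source port) the resolver used for one query."""
    txid = rng.randrange(TXID_SPACE)
    if policy == "fixed_port":
        return txid, FIXED_PORT
    if policy == "random_port":
        return txid, rng.randrange(PORT_LO, PORT_HI)
    raise ValueError("unknown policy: %r" % (policy,))


def attacker_wins(policy, burst, rng):
    """One poisoning attempt: `burst` forged replies, each with a random
    txid and (unless the port is known to be 53) a random port.  True if
    any forgery matches the outstanding query before the real answer."""
    txid, sport = outstanding_query(policy, rng)
    for _ in range(burst):
        guess_txid = rng.randrange(TXID_SPACE)
        # Against a fixed-port resolver the attacker simply knows the port.
        if policy == "fixed_port":
            guess_port = FIXED_PORT
        else:
            guess_port = rng.randrange(PORT_LO, PORT_HI)
        if guess_txid == txid and guess_port == sport:
            return True
    return False


def guess_space(policy):
    """Number of equally likely (txid, port) pairs the attacker faces."""
    if policy == "fixed_port":
        return TXID_SPACE
    return TXID_SPACE * (PORT_HI - PORT_LO)


def expected_success(policy, burst):
    """Closed-form probability that a burst of independent guesses hits."""
    return 1.0 - (1.0 - 1.0 / guess_space(policy)) ** burst


def expected_attempts(policy, burst):
    """Mean number of bursts until the first success (geometric)."""
    return 1.0 / expected_success(policy, burst)


def simulate(policy, burst, trials, seed=0):
    """Monte-Carlo estimate of the per-attempt success rate."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    wins = sum(attacker_wins(policy, burst, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for policy in ("fixed_port", "random_port"):
        print("%-11s  P(win per 1000-forgery burst)=%.2e  "
              "mean bursts to first win=%.3g  simulated=%.4f"
              % (policy, expected_success(policy, 1000),
                 expected_attempts(policy, 1000),
                 simulate(policy, 1000, 1000)))
```

With a fixed port the attacker needs on the order of tens of thousand-packet bursts; with a randomised port the same burst is roughly 64,000 times less likely to land, which is why port randomisation (rather than a change to the protocol) was the practical fix.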
