Thursday, July 10, 2008

All this DNS ...

I am taking a very brief break from my books to write a few thoughts about this entire DNS thing that everybody seems to be writing about. And reading all this, I can't help but feel like the only one in the room that doesn't understand the joke.

So Dan Kaminsky found a serious flaw in the implementation of the DNS protocol, apparently allowing DNS cache poisoning. This is good work.

I fail to understand the seriousness with which this bug is handled though. Anybody who uses the Internet has to assume that his gateway is owned. That is why we have SSL, that is why we have certificates, that is why SSH tells you when the host key changes. DNS can never be trusted - you always have to assume that your ISP's admin runs a broken filesharing server on the same box with BIND.

If it were legitimate to operate under the assumption that your gateway is not owned, you would not need SSH, or SSL. If I could operate under the assumption that my gateway wasn't owned, I could TELNET everywhere, and transmit my credit card details in the clear.

I am not saying that Dan's bug doesn't have utility for an attacker -- it's definitely more comfortable/less time consuming to do DNS poisoning than to own the gateway. But for the user, nothing changes, irrespective of whether the patch was applied or not. The basic assumption is always my gateway is controlled by my opponent.

I personally think we've seen much worse problems than this in living memory. I'd argue that the Debian Debacle was an order of magnitude (or two) worse, and I'd argue that OpenSSH bugs a few years back were worse.

So, let's calm down everybody. And I'd even argue that installing the patches is a lot less time-critical (for the user) than in most other scenarios. If you act under the assumption of "my gateway is owned", this should be no risk to you.

10 comments:

Pete Markowsky said...

Honestly I agree with you. I too, don't get the joke. Especially when talking about mobile users who join random networks all the time such as wireless hotspots etc. Where potentially you can't trust the gateway or the provided resolver.

Evan said...

1) Secure protocols aren't ubiquitous despite the fact that they "should" be.

2) The potential for massive DoS on just about every internet user is enormous, as well. DoS here, in the sense of "I can't read my e-mail." or "I can't trade my stocks."

Just because these problems are "solved" or are uninteresting doesn't mean it doesn't have direct impact on today's internet.

Granted, I don't know why the security community cares so much. But, I do think that the vendors did the right thing to massively coordinate simultaneous patches.

Soinull said...

I concur on a personal basis but from my perspective the issue has nothing to do with me. It has to do with protecting all of the sheep, err users, I'm responsible for protecting that don't understand SSL, SSH, etc. and never will because it's not something they care to understand. This is potentially a big deal from the standpoint that, assuming it is as Kaminsky claims, and the perps start using it they have a great vehicle for a new phishing variation. Yes, SSL can prevent this, but only if the user bothers to look. So the bot herders update their bots to mass poison caches with their fake e-bay site and suddenly they get a lot more success and I have to explain over and over to the sheep, err users. *shrug*

jimmy said...

Use case:
1. User enters www.internetbank.com in the browser

2. Poisoned DNS returns attacking server

3. User does unencrypted login to attacking server which proxies to the TLS-protected internet-bank

4. You have MITM without the user noticing, even though the bank doesn't allow non-TLS connections

When this is done to the resolvers at a large ISP, lots of customers will be affected (since they in general won't check to see if their login is encrypted, perhaps they checked that the first time they used the bank).

If a single gateway device is owned, only you are affected. That is a huge difference.

Jack said...

Yeah (using evan's first point as a jumping off place), secure protocols arent universal. Not everyone uses them. That doesn't change Halvar's point, which is that your default assumption is gateway compromise. The lack of secure protocols being used everywhere is a problem with or without the DNS issue. You had to encrypt and protect inside the border already. Just because people weren't doing so doesn't change that, IMO.

rwnin said...

imo, the big story here is the coordinated vendor response/patching...

Jimmy said...

Even tho this dns poisoning stuff kinda old ( I think we won't be suprised when kazencky or whoever expose "his great finidng") , I've been here long enough to know how many "opponents" using this attack, and not so many. Doing any kind of MITM attacks in real -not in theory- isn't just clicking on a button.

So who poisons the dns servers and why? Usually not fraudsters, but defacers, who badly want to "deface" a site or hackers who are willing to put a lot of effort to pwn someone's network.

And BTW f-ck security industry, ripe, isc, cert they deserve to get owned.

Mr C said...

hmm.. yup I do think your overlooking something. Well, obviously you understand all the technical whatnot but:

"The basic assumption is always my gateway is controlled by my opponent"

This isn't how people browse the net, they type www.mybank.com, and expect the web page returned to be the real one. That's what the fuss is all about. Non-techie's, businesses, not clever peeps like yourself.

Raf-EL said...

Hi Halvar!
I agree with you that it's a very nice bug and people just took it a little our of proportion. What I can understand is where they are coming from. Simple users don't even know what SSL is, they see the "Lock picture" on the bank's website and they feel safe. The media's point is that this can be used for stealing user accounts (replacing a login server for exmaple yahoo, gmail) infecting(like changing the dns of common software like winamp.com and implementing a server with a downloadable /winampsetup.exe...) or phishing a few million people with so little effort at one single point, is dangerous. Still, this doesn't interest or scare me at all. I will keep feeling that a good remote code execution in Internet Explorer is more dangerous :)

denis bider said...

I'm late to the party, sorry about that.

I strongly agree with Halvar - a sensible, security-aware person must assume that their gateway is owned, and we certainly need to have SSL everywhere.

Problem is - we don't! Most websites worldwide still operate on plaintext HTTP! Most people don't even use SSL for services that require login!

And then you have all those HTTP servers (no SSL) that serve pages which take in scripts from Google analytics, which scripts themselves are served from plain HTTP...

It's absolutely horrible, but I think we'll need to see actual attacks on larger scales before everyone figures out: "Gee, maybe we should redirect our incoming traffic to HTTPS... dontcha think?"