Sunday, July 13, 2008

Hey all,

> Supplemental note to Halvar & everybody else who has said, in effect, "this
> is why SSL was invented" -- there's more to internet security than the route
> from your computer to your online bank. Have you thought about what this
> bug implies for NTLM? Or every virgin OS installation on the planet? Or
> Google's entire business model?

just to clarify: I did not say this bug wasn't relevant, and I don't want my blog post to be construed
in that manner. What I did say was:

  1. The average user always has to assume that his GW is owned, hence nothing changes for him. Specifically: He does not need to worry more than usual. Check SSL certificates, check host fingerprints. Don't use plaintext protocols.
  2. For those providing DNS services, it is clearly preferrable to patch. A DNS system without trivial poisoning is preferrable to one with trivial poisoning.
  3. In living memory, we have survived repeated Bind remote exploits, SSH remote exploits, a good number of OpenSSL remote exploits etc. -- I argue that the following inequality holds:
  4. OpenSSL remote >= OpenSSH remote > Bind remote > easy DNS poisoning
  5. I argue this because the left-hand side usually implies the right-hand side given some time & creativity.
The net has survived much worse.

So I guess summary is: Good find, definitely useful for an attacker, but we have survived much worse without a need for the great-vendor-coordination jazz.

Cheers,
Halvar
PS: I am aware that my sangfroid could be likened to a russian roulette player, that after winning 4 games concludes: "This game clearly isn't dangerous."
PPS: It seems that we will find many more critical issues in DNS over the next weeks - it's the first time in years that a significant quantity of people look at the protocol / implementations.

2 comments:

Soinull said...

I agree the net will survive - this is just another bump. I do think this has 'potential' to be a real pain in the posterior however. It all depends on how easy the sploit is. If it is 'point and click' like claimed then the bots can cause a real mess in the infrastructure. I don't agree with your assumption that everyone considers their gateway owned. We do, but we're security geeks. The average Internet user, which far outnumbers us, don't have the faintest idea how the net really works, let alone assuming their gateway is owned - or even their personal cache. Old cache poisoning exploits were pretty difficult to pull off on anything besides a one-off scale. IF, big if mind you, this is as easy as claimed then it wouldn't surprise me that much to see some of the bot-herders try a widespread DNS poison to redirect ebay or paypal to their phishing sites. That kind of activity would make a mess that will take a bit to clean up. *shrug* We'll find out in a couple weeks but if the vendors were willing to do the mass coordination it makes it seem likely there was good enough reason to do so. In the end their efforts certainly can't hurt anything.

Steher said...

Halvar... did you just provide a partial order on the lattice of security threads? Damn math nerds. ;-)