Date: Wed, 9 Jul 2008 21:59:33 -0700 (PDT)
From: Jason Stone <freebsd-security@dfmm.org>
To: Chris Palmer <chris@noncombatant.org>
Cc: Mark Boolootian <booloo@ucsc.edu>, freebsd-security@freebsd.org
Subject: Re: BIND update?
Message-ID: <alpine.BSF.1.00.0807092136120.34772@treehorn.dfmm.org>
In-Reply-To: <20080710002749.GK55473@noncombatant.org>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> <20080709235204.GB72293@root.ucsc.edu> <20080710002749.GK55473@noncombatant.org>

>> Everyone that uses the Internet depends on the security of DNS.

> That's too bad, because DNS never made any security guarantees. When you
> ask to resolve www.google.com, the answer does not mean "www.google.com
> is on the network at 74.125.19.104." It means "As far as we can tell at
> the moment, www.google.com might be on the network at 74.125.19.104, or
> that might be a total lie. Good luck! P.S.: Lying is very easy."
>
> There are no guarantees of authentication, authorization, or integrity.

Yes, yes, DNS makes no security guarantees, it's always been vulnerable, this is old old news. But answer truthfully: have you never launched a browser and typed "www.google.com" into it? I suspect that you have. So this affects you too.

So you say, "But I don't send important information over that connection, nor do I trust the information I get back?" Maybe. I think that the AOL data leak fiasco proved that, while people don't generally think of search queries as sensitive, they really kind of are. And you almost certainly place _some_ trust in the results you get back; I mean, you're not reading them purely as fiction.

But let's leave that aside for a second and assume it's true: you genuinely don't care about privacy or tampering while you're just casually surfing. That's not what's at issue; what's at issue is that you're choosing to let unknown and untrusted sites inject arbitrary data into your web browser. And your browser has more exploitable bugs in it than you can shake a stick at. It doesn't matter which browser you use -- IE, Firefox, Safari, Opera, Lynx, w3m -- I guarantee you, it has more holes than you can shake a stick at. You could run it in a chroot, or with a different UID from your normal user... but you don't.

So, if your DNS resolver is vulnerable to cache poisoning, then every time you casually surf the web, you're allowing for the possibility that you will get spoofed, surf to some malware site, get served a browser exploit, and get 0wned. This is not just theoretical; check old CERT advisories, attackers have been exploiting DNS cache vulnerabilities in home/soho routers/WAPs/firewalls for a while now.

So a DNS vulnerability that would make it easy to poison the resolvers of very large numbers of clients is a huge deal.

I agree that DNSSEC is the real solution. I also think that making it easy (or even possible) to sandbox the browsers is a real solution. I think that using strong crypto everywhere and making fine-grained capabilities and MAC systems ubiquitous is also a real solution. But that's just not the reality we have today. And having the reality we have today, it's absolutely critical to make the existing, insecure DNS system as secure as it can be.

 -Jason