DNS Flaw Hits More Than Just the Web (215 comments)

gringer writes "Dan Kaminsky presented at the Black Hat conference in Las Vegas on Wednesday, and said that the DNS vulnerability he discovered is much more dangerous than most have appreciated. Besides hijacking web browsers, hackers might attack email services and spam filters, FTP, Rsync, BitTorrent, Telnet, SSH, as well as SSL services. Ultimately it's not a question of which systems can be attacked by exploiting the flaw, but rather which ones cannot. Then again, it could just be hype. For more information, see Kaminsky's PowerPoint presentation." Update: 08/07 19:48 GMT by T: There's also an animation of the progress of the patch.
  • by Anonymous Coward on Thursday August 07, 2008 @01:05PM (#24511971)

    SSH will raise the key changed warning if you've connected before.

    SSL will raise a certificate error unless they have some way of getting a fake cert.

  • by brunascle ( 994197 ) * on Thursday August 07, 2008 @01:24PM (#24512273)
    Which is why browsers come with the CAs' public keys cached.
  • by Anonymous Coward on Thursday August 07, 2008 @01:24PM (#24512275)

    Uh, no.

    SSL doesn't go check with the CA every time it encounters a certificate. Your browser has a built-in list of trusted CA keys.

    So unless an attacker has access to the CA's private key, or has the ability to install their own key on your machine, SSL will raise an error.

  • by 42forty-two42 ( 532340 ) <bdonlan.gmail@com> on Thursday August 07, 2008 @01:27PM (#24512335) Homepage Journal
    Virtually all bittorrent clients support a distributed hash table, and inter-client peer exchange protocol, which means that as long as you have the .torrent metafile you can bootstrap yourself into the torrent (neither DHT nor peer exchange uses DNS at all in fact, except perhaps when the client is first installed to bootstrap). The only impact would be on obtaining said .torrent file, which is explicitly out of bittorrent's problem domain.
  • by flaming error ( 1041742 ) on Thursday August 07, 2008 @01:32PM (#24512411) Journal

    Bad guy can force the name server to go run to the good guy and look something up. It takes time to get the real request (with random number) to the good guy. It takes more time to get the real response back from the good guy. It takes no time for the bad guy to immediately follow up a request with a fake response. It might have the wrong random number, but it'll definitely arrive first.

    So:
    1) Bad guy pretends he's a desktop PC (Stub Resolver)
    2) Bad guy as Stub Resolver asks some arbitrary name server for the target's address
    3) Bad guy knows the name server will eventually ask the target
    4) Bad guy spoofs the target and sends his own replies back to the name server
    5) One of the bad guy's spoof replies happens to match the Transaction ID
    6) Name server thinks the bad guy's reply came from target
    7) Name server thinks the target lives at the IP address in Bad Guy's spoofed reply
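
The transaction-ID guessing race described in the comment above is exactly what a resolver-side detector can watch for: a burst of answers for one name whose IDs match no query that is actually outstanding. The following is an added example, not code from the thread or from Kaminsky's slides; the minimal packet builder, the placeholder names and the threshold are assumptions made for the illustration.

```python
"""Flag a Kaminsky-style cache-poisoning attempt in DNS traffic.

A poisoning attempt shows up as many answers for one queried name whose
transaction IDs match no outstanding query for that name. This example
builds constructed packets (placeholder names) and flags such a burst."""
import struct
from collections import defaultdict

def build_dns(txid, qname, is_response):
    """Build a minimal DNS packet (12-byte header + one question) in wire format."""
    flags = 0x8180 if is_response else 0x0100       # QR bit set on answers
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def parse_dns(pkt):
    """Return (txid, is_response, qname) from the header and first question."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    pos, parts = 12, []
    while pkt[pos]:                                  # label length 0 ends the name
        n = pkt[pos]
        parts.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(parts)

def find_poisoning_bursts(packets, threshold=3):
    """Track outstanding query IDs per name; count answers whose ID matches
    none of them. Names with at least `threshold` mismatches are flagged."""
    outstanding = defaultdict(set)
    mismatches = defaultdict(int)
    for pkt in packets:
        txid, is_resp, name = parse_dns(pkt)
        if not is_resp:
            outstanding[name].add(txid)
        elif txid in outstanding[name]:
            outstanding[name].discard(txid)          # legitimate answer consumed
        else:
            mismatches[name] += 1                    # answer nobody asked for
    return {n: c for n, c in mismatches.items() if c >= threshold}

# Constructed traffic (assumed, not captured): one legitimate lookup that is
# answered with the right ID, then a burst of guessed-ID answers for a second name.
SAMPLE = [build_dns(0x1234, "www.example.com", False),
          build_dns(0x1234, "www.example.com", True),
          build_dns(0x0042, "a1.example.net", False)]
SAMPLE += [build_dns(i, "a1.example.net", True) for i in range(0x0100, 0x0108)]
```

Source-port randomization (the patch the story's animation tracks) does not change this detection logic; it only makes the guessed-ID burst that much longer before a match is likely.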

  • How is it worse? (Score:3, Informative)

    by gmuslera ( 3436 ) on Thursday August 07, 2008 @01:36PM (#24512501) Homepage Journal
    What about changing the DNS was specifically tailored only for web browsers from the start?

    Of course, the web browser for most is "the internet", even when sometimes the URLs aren't exactly http:// or https://, but since the start the DNS attack was meant to reach the whole real internet (at least, the part accessed by name instead of plain IP).

    Realizing that it goes beyond http addresses doesn't make it more dangerous; it just makes it clear that it is not bound to a particular protocol or client. That changes the observer, not the problem itself.
  • by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Thursday August 07, 2008 @03:53PM (#24515133) Homepage

    By the way, if anyone's looking for a cheaper SSL cert than Verisign, I've recently been going with RapidSSLOnline [rapidsslonline.com], which is a reseller for RapidSSL, also known as GeoTrust, which is accepted by all modern browsers (which does NOT include Netscape 4, or anything with a CA bundle stolen from Netscape 4).

    As Kaminsky points out, they verify your identity by... relying on DNS. Specifically, they send e-mail to a common address at your domain (root@example.com, webmaster@example.com, etc.) or a contact address listed in whois (your choice). They also call you (at a phone number you provide) and record your voice, which doesn't really do anything except make it easier for the police to find you after you get caught, but if you're worried about that, you'll buy a pre-paid cell phone with cash. I noticed in the grocery store the other day that they're selling Visa gift cards, which you can buy with cash and then use as a debit card anywhere that takes Visa, without giving any ID to anyone.

    Anyway, I'm not affiliated with RapidSSL/GeoTrust or RapidSSLOnline, but they're cheap and their certs work for me.

    By the way, RapidSSL/GeoTrust also offers a FreeSSL cert which is valid for one month (and you get to skip the Visa gift card step, since you don't have to pay for it). Be aware that the FreeSSL cert is NOT valid for mail servers, although it works fine for HTTPS.

  • by Furry Ice ( 136126 ) on Thursday August 07, 2008 @04:13PM (#24515569)

    Interesting...if you go to http://216.34.181.45/ [216.34.181.45] you get a 301 redirect to slashdot.org, so using the IP directly doesn't help you, unless you make sure to send the Host header.

  • by gnuman99 ( 746007 ) on Thursday August 07, 2008 @06:40PM (#24517973)

    It is very, very easy.

    1. Go to any site that has the "domain control" "super-duper-express" certificates. Most do. For example, GoDaddy sells them for 19.95 a year if you want.

    2. Redirect DNS so you get their mail

    3. Create a new certificate for cheap

    4. You have a verified-I-control-that-domain certificate that will not cause any problems on any browser.

    You see, DNS is THE CENTRAL mechanism around which the entire internet works. Without reliable DNS, it all craps out, no matter what.
