DNS Flaw Underscores Danger of Taking Web Security for Granted

August 7, 2008 – 5:52 AM

Perhaps more than any other flaw in the last several years, the DNS protocol vulnerability discovered by security researcher Dan Kaminsky has shown that the circle of trust on the Internet can be broken more easily than we feared.

After listening to Kaminsky’s talk Aug. 6 at the Black Hat conference here, it is clear the flaw extends far beyond DNS cache poisoning. As he explained later, it is a game of dominoes: one domino could be the redirection of Web traffic to malicious sites, the next could be the interception of sensitive corporate email. The possibilities are numerous and problematic.

“I spent the last month terrified of large companies having all their email stolen because of a bug that I found,” Kaminsky, director of penetration testing at IOActive, told a group of journalists after his session.

Vendors worked together to coordinate the release of a patch last month. If the figures offered by Kaminsky are any indication, the number of companies now protected is significant.

But fundamentally, the flaw means the level of security we have traditionally taken for granted on the Internet may not always be there. It is possible for an attacker to be the man-in-the-middle. In total, there are 15 ways of running the attack that Kaminsky and others admitted knowing about, but the researcher added there were likely others as well.


