On Thu, Jul 17, 2008 at 9:31 AM, David Lum <[EMAIL PROTECTED]> wrote:
> DNS flaws called overblown by researcher
> http://security.blogs.techtarget.com/2008/07/14/dns-flaws-called-overblown-by-researcher/
(1) Paul Vixie, who understands DNS as well as anyone alive, has been given details of the exploit, and said that yes, it's the real thing. Personally, I trust him to understand DNS more than I trust the author of BinDiff to understand DNS.

(2) All that blog author (who *isn't* privy to the details of the exploit) is saying is that people in general already shouldn't trust DNS to be correct. Which is true.

(3) The problem is, most people trust DNS *all* the time, and just about everyone does at least some of the time. I'm trusting DNS to help get this message I'm sending to this list. We trust www.microsoft.com to take us there. And if effective DNS hijacks are script-kiddie easy, then someone can hijack Amazon, eBay, or a bank, and the only thing users will get is a warning about the SSL certificate being from an untrusted certificate authority. Given that there are already a ton of such certificates in production use, and that most users will click buttons until "the website works again", I don't think that's much help.

The blog author misses the practical impact this would have in the real world. (The one outside the computer room, with the blue ceiling and that one bright light way up high.)

Here's some actual information from actual qualified people:

"Ow My Toe" and "An Astonishing Collaboration", by Dan Kaminsky, DoxPara research (original publisher)
http://www.doxpara.com/

"Not a Guessing Game", 14 July, by Paul Vixie
http://www.circleid.com/posts/87143_dns_not_a_guessing_game/

CERT Vulnerability information
http://www.kb.cert.org/vuls/id/800113

--
Ben
