DNS Flaw Causes Global Panic - What Now?
As promised, Dan Kaminsky detailed the DNS flaw at the Black Hat security conference on August 6. It was a standing-room-only event, so clearly the hype surrounding the issue was at its apex. Although coverage of the flaw has been intense, Kaminsky was able to provide a few new details in a fairly thorough slideshow. The bad news is that the DNS and the Internet's infrastructure remain fundamentally vulnerable. The good news is that the entire computer industry was able to collaborate and tackle the issue. Nearly half of all broadband subscribers are now protected.
A solution for this problem will not be easy to achieve. Kaminsky says that, with the growth of dynamic, interactive media, each web page now combines data from multiple unsecured sources. This means that some minor content on a web page could make an entire site vulnerable. Indeed, because this flaw is within the underlying structure of the Internet, there are many ways a person's computer is vulnerable aside from cache poisoning: email services, spam filters, File Transfer Protocol (FTP), data transmission protocols like BitTorrent, Secure Sockets Layer (SSL), which secures online financial transactions, and even automatic software upgrade services.
Upgrading to DNSSEC has been proposed, and it is a viable solution, but it's unlikely to be fully deployed, at least for a while. Technological and political issues have slowed its implementation worldwide. DNSSEC, which has been in development for 11 years, mends the flaws in the original DNS protocol by using digital signatures to verify whether information is coming from an authentic source. Developers have recently resolved issues such as its ability to scale to the entire Internet and the fact that it revealed zone data. Resolving them has led to its implementation on the .org TLD as well as several country-level domains.
The one major issue that hasn't been settled yet has to do with who should own the public root encryption keys associated with any domain name. Many countries fear the consequences of ICANN having sole access to the keys and the U.S. government having de facto control of the Internet. The fact is that a solution is out there, and if the situation is as dire as Kaminsky says it is, it's imperative that we come together to make the Internet safer for everyone, before something really catastrophic happens.