How embellished/accurate is this article? (DNS cache poisoning)

Earlier this year, there was quite a bit of buzz regarding a fundamental flaw in the DNS protocol used to map domain names to IP addresses; essentially, there seemed to be an exploit allowing basically undetectable phishing scams by having the DNS server reroute a web page request to a forged site, at least as far as I understand it.

Now, I just read this article about the hack and Dan Kaminsky, who discovered it. First of all, the whole thing just reads too much like a spy thriller – encrypted emails, secret meetings, code prefaces to telephone calls; passages like:

, basically insinuating the existence of years-old established secrecy protocols between DNS developers, I find a bit hard to swallow, so if anyone could provide a more even-handed account of things, I’d be grateful.

However, that’s not my main issue; the article isn’t shy about estimating the possible damages had this flaw been exposed on a large scale. Figures like ‘billions of dollars’ and phrases like ‘collapse of Web-based commerce’ are flung about without a care, so there’s my main question – how serious was (is – if I understand the article correctly, the whole thing still is barely more than band-aided) this flaw? Give me a worst case scenario – evil cabal finds out about the hack before anybody else does, and does its worst, for profit or the sheer anarchist joy of fucking things up. Would a couple of people have ended up scammed out of their retirement savings, or would e-economy have tanked as a whole (well, more than it does now)?

As an added bonus, now that we’ve found one critical flaw at the core of the net, what’s the possibility of there being others? Are we building our brave new virtual world on sand?

Potentially it could be huge, but the people who watch over such things are hip to the threat and watching for it. It’s unlikely someone would get far using it today unless they were extremely surreptitious, so it’s unlikely an anarchist could shut down the internet.

One thing this would allow for is “man-in-the-middle” attacks. Make a web page that looks identical to, say, Chase bank. Re-route all requests to Chase to your page. People have no clue they are on your server instead of Chase’s and enter their account information, which you dutifully record. Then pass them along to Chase’s web site with an error message asking them to try again, and they get into their real account thinking it was just a web glitch.

Voila! You now have account info and passwords on thousands of people. Plunder their accounts at your leisure.

Nasty stuff…

Well, Kaminsky did win a Pwnie for “Most Overhyped Bug.”

I’m with you on your suspicions regarding the hard-to-swallow factor. While DNS cache poisoning is possible, it’s pretty far down the list of ways people will Destroy e-commerce as we know it!!1onee!1 If you’re going to lose your bank account to a hacker it will be because that neat new freeware screen saver you found on the internet installed a keylogger/worm on your box or because you clicked a link in an email from your “bank.”**

Most financial institutions, online retailers, and ISPs proactively do things to prevent this sort of nonsense by using ssh/https/certs/port randomization/etc. Sure, with enough hardware and enough time, someone can always break something-- but I don’t think Kaminsky has glimpsed the end of e-commerce.

DNS poisoning exploits came into being shortly after DNS. Kaminsky found a new way to do it. Patches have been applied. Nothing to see here.
**Speaking of which, for verification purposes I’m going to need you to post your SSN to this thread. (Just kidding-- please don’t! ;))
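A toy simulation of the race the two replies above describe (the spoofed answer that sends “Chase” traffic to the attacker’s box, and the source-port randomization that was the actual fix), added here as an illustration; it is not code from the thread, from the article, or from Kaminsky. It assumes a much-simplified resolver that accepts a reply when name, 16-bit transaction ID and destination port match the outstanding query, and that caches an in-bailiwick additional record from that reply. The zone chase.example, the addresses and the packet budgets are invented.

```python
"""Toy simulation of the Kaminsky-style DNS cache-poisoning race.

Constructed example, not real DNS: the resolver accepts a reply when the
name, 16-bit transaction ID and destination port match its outstanding
query, and caches any in-bailiwick additional record that reply carries.
All names and addresses below are invented.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ZONE = "chase.example"            # hypothetical victim zone (invented)
TARGET = "www." + ZONE            # record the attacker wants to plant
ATTACKER_IP = "203.0.113.66"      # invented (TEST-NET-3)
REAL_IP = "198.51.100.10"         # invented (TEST-NET-2)
FIXED_PORT = 53                   # pre-patch: one predictable source port
PORT_RANGE = range(1024, 65536)   # post-patch: randomised source port
TXID_SPACE = 1 << 16              # DNS transaction ID is 16 bits


@dataclass
class ToyResolver:
    rng: random.Random
    randomize_port: bool
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Optional[Tuple[str, int, int]] = None   # (name, txid, sport)

    def send_query(self, name: str) -> Tuple[str, int, int]:
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(PORT_RANGE) if self.randomize_port else FIXED_PORT
        self.pending = (name, txid, sport)
        return self.pending

    def receive(self, name: str, txid: int, dport: int,
                answer_ip: str, extra: Dict[str, str]) -> bool:
        """Accept the first reply whose name, ID and port all match."""
        if self.pending is None or (name, txid, dport) != self.pending:
            return False
        self.cache[name] = answer_ip
        # Bailiwick rule: extra records are cached only if they sit under the
        # queried zone. A forged www.chase.example record passes that rule.
        for rr_name, rr_ip in extra.items():
            if rr_name.endswith("." + ZONE):
                self.cache[rr_name] = rr_ip
        self.pending = None
        return True


@dataclass
class AttackResult:
    poisoned: bool
    spoofs_sent: int
    races: int


def run_attack(randomize_port: bool, spoofs_per_race: int,
               max_spoofs: int, seed: int = 1) -> AttackResult:
    """Race the real answer until TARGET is poisoned or the packet budget ends.

    Each race asks for a never-seen subdomain, so there is no TTL to wait
    out; the attacker gets spoofs_per_race guesses before the real reply.
    """
    resolver = ToyResolver(random.Random(seed), randomize_port)
    attacker = random.Random(seed + 1)
    sent = races = 0
    while sent < max_spoofs:
        races += 1
        name = f"{races:08x}.{ZONE}"      # fresh name: a brand-new race
        _, txid, sport = resolver.send_query(name)
        for _ in range(spoofs_per_race):
            sent += 1
            guess_txid = attacker.randrange(TXID_SPACE)
            # With a fixed port the attacker already knows it (it can watch
            # the resolver query a name server it controls); otherwise guess.
            guess_port = attacker.choice(PORT_RANGE) if randomize_port else FIXED_PORT
            if resolver.receive(name, guess_txid, guess_port,
                                ATTACKER_IP, {TARGET: ATTACKER_IP}):
                return AttackResult(True, sent, races)
        # Real answer arrives; anything after this is ignored for this race.
        resolver.receive(name, txid, sport, REAL_IP, {})
    return AttackResult(resolver.cache.get(TARGET) == ATTACKER_IP, sent, races)


def expected_spoofs(randomize_port: bool) -> int:
    """Mean spoofed packets per hit: 2^16 alone, or 2^16 times the port range."""
    return TXID_SPACE * (len(PORT_RANGE) if randomize_port else 1)


if __name__ == "__main__":
    for randomize in (False, True):
        r = run_attack(randomize, spoofs_per_race=200, max_spoofs=300_000)
        print(f"port randomised={randomize}: poisoned={r.poisoned} "
              f"after {r.spoofs_sent} spoofs in {r.races} races "
              f"(analytic mean {expected_spoofs(randomize):,})")
```

Two things the numbers make concrete. With a predictable source port the attacker needs on average 2^16 spoofed packets, which is minutes of traffic, and asking for a fresh random subdomain each time is what turns one lost race into an unlimited series of them instead of a wait for the cached record’s TTL to expire. Randomising the port multiplies the guess space by the size of the port range (about 2^32 in total here), which is why the 2008 patch made the attack impractical rather than impossible; the transaction ID itself was never the problem.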