Dailydave mailing list archives

Re: The audacity of thinking you're not owned


From: Halvar Flake <halvar () gmx de>
Date: Sun, 13 Jul 2008 13:43:49 +0200

Hey all,

Supplemental note to Halvar & everybody else who has said, in effect, "this
is why SSL was invented" -- there's more to internet security than the route
from your computer to your online bank.  Have you thought about what this
bug implies for NTLM?  Or every virgin OS installation on the planet?  Or
Google's entire business model?

Just to clarify: I did not say this bug wasn't relevant, and I don't
want my blog post to be construed in that manner. What I did say was:

1. The average user always has to assume that his GW is owned, hence
    nothing changes for him. Specifically: he does not need to worry
    more than usual. Check SSL certificates, check host fingerprints.
    Don't use plaintext protocols.
2. For those providing DNS services, it is clearly preferable to patch.
    A DNS system without trivial poisoning is preferable to one with
    trivial poisoning.
3. In living memory, we have survived repeated Bind remote exploits, SSH
    remote exploits, a good number of OpenSSL remote exploits etc. --
    I argue that the following inequality holds:
    OpenSSL remote >= OpenSSH remote > Bind remote > easy DNS poisoning
    I argue this because the left-hand side usually implies the
    right-hand side given some time & creativity.
    The net has survived much worse.

So I guess summary is: Good find, definitely useful for an attacker, but
we have survived much worse without a need for the
great-vendor-coordination jazz.

Cheers,
Halvar
PS: I am aware that my sangfroid could be likened to a Russian roulette
player, that after winning 4 games concludes:
"This game clearly isn't dangerous."
PPS: It seems that we will find many more critical issues in DNS over
the next weeks - it's the first time in years that a significant
quantity of people look at the protocol / implementations.