Dailydave mailing list archives
Re: The audacity of thinking you're not owned
From: Halvar Flake <halvar () gmx de>
Date: Sun, 13 Jul 2008 13:43:49 +0200
Hey all,
Supplemental note to Halvar & everybody else who has said, in effect, "this is why SSL was invented" -- there's more to internet security than the
route
from your computer to your online bank. Have you thought about what this bug implies for NTLM? Or every virgin OS installation on the planet? Or Google's entire business model?
just to clarify: I did not say this bug wasn't relevant, and I don't want my blog post to be construed in that manner. What I did say was: 1. The average user always has to assume that his GW is owned, hence nothing changes for him. Specifically: he does not need to worry more than usual. Check SSL certificates, check host fingerprints. Don't use plaintext protocols. 2. For those providing DNS services, it is clearly preferrable to patch. A DNS system without trivial poisoning is preferrable to one with trivial poisoning. 3. In living memory, we have survived repeated Bind remote exploits, SSH remote exploits, a good number of OpenSSL remote exploits etc. -- I argue that the following inequality holds: OpenSSL remote >= OpenSSH remote > Bind remote > easy DNS poisoning I argue this because the left-hand side usually implies the right-hand side given some time & creativity. The net has survived much worse. So I guess summary is: Good find, definitely useful for an attacker, but we have survived much worse without a need for the great-vendor-coordination jazz. Cheers, Halvar PS: I am aware that my sangfroid could be likened to a russian roulette player, that after winning 4 games concludes: "This game clearly isn't dangerous." PPS: It seems that we will find many more critical issues in DNS over the next weeks - it's the first time in years that a significant quantity of people look at the protocol / implementations. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- The audacity of thinking you're not owned Dave Aitel (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
- Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
- Re: The audacity of thinking you're not owned Halvar Flake (Jul 13)
- Re: The audacity of thinking you're not owned Jason Ross (Jul 13)
- Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
- Re: The audacity of thinking you're not owned Jon Oberheide (Jul 14)
- Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
- Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)