From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 04:59:34 2008
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B9DF5106566B for ; Thu, 10 Jul 2008 04:59:34 +0000 (UTC) (envelope-from freebsd-security@dfmm.org)
Received: from dfmm.org (treehorn.dfmm.org [66.180.195.213]) by mx1.freebsd.org (Postfix) with ESMTP id 971268FC17 for ; Thu, 10 Jul 2008 04:59:34 +0000 (UTC) (envelope-from freebsd-security@dfmm.org)
Received: (qmail 812 invoked by uid 1000); 10 Jul 2008 04:59:34 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 10 Jul 2008 04:59:34 -0000
Date: Wed, 9 Jul 2008 21:59:33 -0700 (PDT)
From: Jason Stone
X-X-Sender: jason@treehorn.dfmm.org
To: Chris Palmer
In-Reply-To: <20080710002749.GK55473@noncombatant.org>
Message-ID:
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> <20080709235204.GB72293@root.ucsc.edu> <20080710002749.GK55473@noncombatant.org>
User-Agent: Alpine 1.00 (BSF 882 2007-12-20)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Mark Boolootian, freebsd-security@freebsd.org
Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 10 Jul 2008 04:59:34 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> Everyone that uses the Internet depends on the security of DNS.
>
> That's too bad, because DNS never made any security guarantees. When you ask to resolve www.google.com, the answer does not mean "www.google.com is on the network at 74.125.19.104." It means "As far as we can tell at the moment, www.google.com might be on the network at 74.125.19.104, or that might be a total lie. Good luck! P.S.: Lying is very easy."
>
> There are no guarantees of authentication, authorization, or integrity.

Yes, yes, DNS makes no security guarantees, it's always been vulnerable, this is old, old news. But answer truthfully: have you never launched a browser and typed "www.google.com" into it? I suspect that you have. So this affects you too.

So you say, "But I don't send important information over that connection, nor do I trust the information I get back"? Maybe. I think that the AOL data leak fiasco proved that, while people don't generally think of search queries as sensitive, they really kind of are. And you almost certainly place _some_ trust in the results you get back; I mean, you're not reading them purely as fiction.

But let's leave that aside for a second and assume it's true: you genuinely don't care about privacy or tampering while you're just casually surfing. That's not what's at issue; what's at issue is that you're choosing to let unknown and untrusted sites inject arbitrary data into your web browser. And your browser has more exploitable bugs in it than you can shake a stick at. It doesn't matter which browser you use -- IE, Firefox, Safari, Opera, Lynx, w3m -- I guarantee you, it has more holes than you can shake a stick at. You could run it in a chroot, or with a different UID from your normal user... but you don't.

So, if your DNS resolver is vulnerable to cache poisoning, then every time you casually surf the web, you're allowing for the possibility that you will get spoofed, surf to some malware site, get served a browser exploit, and get 0wned.

This is not just theoretical; check old CERT advisories: attackers have been exploiting DNS cache vulnerabilities in home/SOHO routers/WAPs/firewalls for a while now. So a DNS vulnerability that would make it easy to poison the resolvers of very large numbers of clients is a huge deal.

I agree that DNSSEC is the real solution. I also think that making it easy (or even possible) to sandbox the browsers is a real solution. I think that using strong crypto everywhere and making fine-grained capabilities and MAC systems ubiquitous is also a real solution. But that's just not the reality we have today. And having the reality we have today, it's absolutely critical to make the existing, insecure DNS system as secure as it can be.

-Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQFIdZc1swXMWWtptckRAtFqAKCA++pDoal7FEr13hXIWJ9h+iYA2gCfTVyQ
5AXA7BRSqX0ToHayLgGB0PA=
=c7gM
-----END PGP SIGNATURE-----