Cache poisoning vulnerability found in BIND
Posted Jul 26, 2007 2:15 UTC (Thu) by elanthis (subscriber, #6227)
Parent article: Cache poisoning vulnerability found in BIND
Fortunately, SSL solves this problem for secure sites. Even if you end up at the attacker's site, you will get an invalid cert warning.
One of the things IE7 does far, far better than Firefox is the invalid SSL cert dialog. On Firefox, you get a popup. Users just hit OK. On IE7, you get a big huge scary warning page that makes it very clear something is wrong.
One of our support guys asked me the other day what the weird popup he was getting was all about. He'd been getting it for a few weeks, but had always hit OK and never bothered reading it. He got a phone call from a user on IE7 who was freaking out about a funny page that always came up before the site that said his site was insecure and broken. The SSL cert on the client's site had expired. Our relatively experienced tech hadn't realized because he, like 99% of users, ignores popups and hits OK, whereas the client on IE7 was given a very visible and difficult to ignore warning.
Firefox should be doing the same thing as IE7. I'd go so far as to say that it should even just refuse to access sites with invalid SSL certs unless the user manually adds it to a white-list, and even then it should give the IE7 warning. The only reason you should ever have to use an invalid cert is for testing, and if you're just testing you can put up with the hassle.
Cache poisoning vulnerability found in BIND
Posted Jul 26, 2007 13:13 UTC (Thu) by nix (subscriber, #2304)
SSL solves it? Not hardly, given that huge numbers of sites use outdated certs and a lot use self-signing. Most people just click 'accept' when asked: they certainly don't look at the cert's content, and even if they did, would they be able to spot a false one, what with VeriSign and others doing minimal verification of applicant identity beyond 'do they have a credit card'. (Credit cards are, after all, so very hard to get: my friend's daughter could have half a dozen by now, and she's less than a year old).
Cache poisoning vulnerability found in BIND
Posted Jul 26, 2007 13:15 UTC (Thu) by tialaramex (subscriber, #21167)
Ah, you're not thinking like a security professional.
Suppose we make it so that _invalid_ certificates just don't work.
Attackers may be able to obtain an _expired_ certificate, but that's OK, we'll make sure those don't work either.
Or they can create a _self-signed_ certificate just as easily. Maybe we should make those not work?
At this point users will refuse to use your browser, because lots of sites that are concerned about snooping, but not about impersonation, use SSL with certificates that are self-signed (or signed by an unknown CA) to avoid the high cost of a "real" SSL certificate. Users will go to great lengths to bypass security that they regard as excessive or unwieldy.
Since, to an attacker, invalid and self-signed certificates are just as easy to make / obtain, there is no point to what IE did here AFAICT.
Cache poisoning vulnerability found in BIND
Posted Jul 29, 2007 23:49 UTC (Sun) by dlang (subscriber, #313)
As for avoiding the "high cost of 'real' SSL certs", they are only really expensive if you buy them from the wrong place. You can get 'real' SSL certs for <$100 individually, and if you are a company that needs a lot of them you can get them in quantity for <$50 (you also don't have to get certs that expire after one year either).
The fact that some people think it's necessary to pay $900 per year for a cert is a testament to stupidity and marketing.
And frankly, if you consider $50 or $100 too expensive then I question if what you are protecting is worth bothering with SSL in the first place.
Self signed certs are not a problem if you use them properly and have the users tell their browsers to install it as a valid cert, but just using them without giving the users a way to do this and expecting them to click through the cert warning is bad for everyone and provides little security to your users.
SSL Certificate costs...
Posted Jul 30, 2007 15:28 UTC (Mon) by cdmiller (subscriber, #2813)
If you have 50 FQDNs that need SSL, you're looking at a $2500 - $5000 per year expense. Is that a lot to pay given the questionable trustworthiness of the major cert vendors, and the ease of generating a self signed certificate? For $5000 one can easily find hardware capable of hosting 50 domains, an additional $5k can make this redundant, so the current cost of a "browser approved" SSL cert is exorbitant in many situations.
Cache poisoning vulnerability found in BIND
Posted Jul 31, 2007 11:26 UTC (Tue) by cortana (subscriber, #24596)
> ... lots of sites that are concerned about snooping, but not about impersonation, use SSL with certificates that are self-signed (or signed by an unknown CA) to avoid the high cost of a "real" SSL certificate.
But the assurance that one is not being snooped strictly requires the assurance that one is not being impersonated.
Cache poisoning vulnerability found in BIND
Posted Jul 31, 2007 16:02 UTC (Tue) by zlynx (subscriber, #2285)
Using a self-signed SSL cert still raises the bar considerably. Especially if you immediately save it in your cert DB. Just like using SSH and saving the remote system key for the first time.
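
Added example (not part of any comment in this thread, and not any browser's code): the SSH-style "save the key the first time" model that zlynx describes, and that dlang's point about installing a self-signed cert relies on, as a small trust-on-first-use pin check. `PinStore`, its JSON file and the host name are hypothetical, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import json
import os
import tempfile

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate's DER encoding, as hex."""
    return hashlib.sha256(der_bytes).hexdigest()

class PinStore:
    """Hypothetical known_hosts-style store: one pinned fingerprint per host:port."""
    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, port, der_bytes):
        """Return 'new', 'match' or 'MISMATCH'; only a first sighting is saved."""
        key = f"{host}:{port}"
        seen = fingerprint(der_bytes)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return "new"
        # A changed certificate is never accepted or re-pinned automatically;
        # as with SSH, replacing a pin has to be a deliberate manual step.
        return "match" if pinned == seen else "MISMATCH"

    def _save(self):
        with open(self.path, "w") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)

def demo():
    # Constructed stand-ins for DER certificates; against a live server the
    # bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
    real = b"constructed-self-signed-cert-for-intranet.example"
    forged = b"constructed-cert-served-after-dns-cache-poisoning"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    store = PinStore(path)
    results = [store.check("intranet.example", 443, real)]
    store = PinStore(path)  # reload from disk, as a later session would
    results.append(store.check("intranet.example", 443, real))
    results.append(store.check("intranet.example", 443, forged))
    return results

if __name__ == "__main__":
    print(demo())
```

The first connection is the unauthenticated one: if the resolver is already poisoned at that moment, the forged certificate is what gets pinned, which is why the fingerprint should be confirmed out of band before it is trusted.
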
SSL doesn't solve everything
Posted Jul 31, 2007 16:17 UTC (Tue) by kevinbsmith (subscriber, #4778)
SSL doesn't quite solve the problem for "normal" end-users. How many people bother to type in https when they go to paypal (or ebay, or their bank)? Most just navigate to the non-SSL site, which automatically redirects them to the SSL version.
The attacker can redirect them to a non-SSL site that looks like the real SSL site, or to an SSL site with a different domain and therefore a valid cert.
Bookmarks (to the SSL site) can avoid that problem, but users won't always use their bookmarks.
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.