I’m wading deep into unfamiliar water here, so take my assessment with a grain of salt because I’m not sure I’m describing it totally accurately. But this strikes me as a Big Deal that needs to be disseminated as far and wide as possible, and quickly.
This weekend a relatively recent DNS flaw finally crossed my radar. Knowledge of the problem has been public for a few weeks, but the threat escalated over the past few days as proof of concept exploits have started showing up and reports of actual attacks have filtered in. This is a flaw in the Domain Name System, a fundamental piece of the internet’s infrastructure, that allows an attacker to redirect your internet connection. It has been described as one of the most significant internet security problems in the past decade.
For example, you might type gmail.com into your browser’s address bar, and instead of reaching Google’s servers, the attacker would be able to serve whatever he or she wishes. They may give you a harmless spam site, but it would be just as easy for the attacker to clone GMail and make it look authentic. As soon as you attempt to log in, the attacker has your username and password, and your account is, as they say, pwned. (It occurs to me they may not be able to replicate the security certificate so there might be warning signs, but given that most people will assume they’ve correctly reached the legitimate GMail those will likely be overlooked.)
It could be GMail, it could be your bank, it could be every single web site you visit. With this flaw in an unpatched state, you essentially cannot trust domain names.
The good news is that vendors of server software have already (for the most part) released patches that fix this security hole. This is a problem that service providers should be addressing, not necessarily end users like you or me.
But the bad news is that your particular DNS server may or may not have applied the patch. Go to DoxPara Research and hit the “Check My DNS” button to see if your computer is vulnerable. Mine was.
In that case, what you can do to immediately protect yourself is stop using your service provider’s DNS and switch over to OpenDNS, a free ad-run alternative that stays up to date with their patches. I’ve pointed my computers and my routers at the service, and aside from the peace of mind, I’m tempted to say DNS resolution feels a bit faster too. Your mileage may vary, as speed is very geography-specific and I happen to be near one of their datacenters.
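What the DoxPara test looks at is whether your resolver randomizes the UDP source port of its outgoing queries, which is what the vendor patches add. The example below is added here and is not from the original post or from DoxPara: it applies a heuristic version of that check to constructed samples of observed source ports, and its thresholds and sample values are assumptions.

```python
import math
from collections import Counter

# Constructed samples of the UDP source ports a resolver used for a run of
# outgoing queries. These are made-up values, not captured from a real resolver.
FIXED_PORT = [53] * 20                     # unpatched style: always the same port
SEQUENTIAL = list(range(32768, 32788))     # incrementing port, easily predicted
RANDOMIZED = [1235, 59771, 3390, 48215, 61003, 17788, 25109, 44231, 9072,
              52647, 30516, 7801, 63312, 41927, 19563, 56238, 12450, 37694,
              2983, 46105]                 # spread across the port range


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits."""
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(ports):
    """True if every port is the previous one plus a small constant step."""
    if len(ports) < 3:
        return False
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return len(steps) == 1 and abs(steps.pop()) <= 2


def assess_port_randomization(ports, min_bits=3.0, min_spread=10000):
    """Heuristic verdict on whether the resolver randomizes source ports.

    Returns "fixed", "sequential", "random" or "weak". The thresholds are
    assumptions for this example, not the exact rules of the DoxPara test.
    """
    if len(set(ports)) == 1:
        return "fixed"
    if looks_sequential(ports):
        return "sequential"
    spread = max(ports) - min(ports)
    if port_entropy_bits(ports) >= min_bits and spread >= min_spread:
        return "random"
    return "weak"


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("randomized", RANDOMIZED)):
        print(f"{name:>10}: {assess_port_randomization(sample)}")
```

A "fixed" or "sequential" verdict is the pattern the flaw exploits; "random" is what a patched resolver (or OpenDNS) should show.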
But wait, there’s more. Further bad news for anyone using Apple products: no patch exists yet, the theory being that the recent tumultuous iPhone 3G and MobileMe product launches have been too distracting. Whatever the reason, if you use Apple operating systems, even with OpenDNS you are still vulnerable until a patch is available. OS X Servers are more likely targets for potential attacks, but even desktop computers are not totally safe.
So, um, cross your fingers?
(If I’ve missed nuances about the situation or mischaracterized anything, please feel free to add additional information in the comments.)