The other day a security bulletin was published and patches released for a vulnerability in DNS — essentially the switchboard protocol of the Internet. This is an interesting case because the exact details of the vulnerability have not yet been released (but are scheduled to be in about a month or so). There’s an article with more detail here, and a little applet to check whether or not you are vulnerable here.
This exploit comes with the potential to do a lot of harm, because only the DNS server needs to be compromised (and can be done so remotely). In essence, it could be the ultimate man-in-the-middle attack, enticing thousands of ordinary users to cough up their personal details without so much as a glimmer of anything suspicious going on. This is undoubtedly the reason why extraordinary measures were taken to allow vendors to simultaneously patch the exploit and try to minimize its impact.
For me, there are a number of concerns here. First, naturally, is the security of my personal Internet usage:
- Is my machine safe? (Well, it’s completely patched up now, which is supposedly good enough.)
- Is my upstream Internet connection safe? A bit of Internet research reveals that the Tomato router software I’m running is apparently only vulnerable to DNS queries occurring on the LAN (br0). I took this opportunity to patch to the latest build of Tomato, just in case, although a new one with an updated version of dnsmasq is expected shortly.I assume that my ISP will also get their act together and patch in a timely fashion. If not, I’ll be on the phone with them.
Next up are concerns about the hosting for my personal and business sites. Depending on how a hosting business is run, there may be some additional obstacles that need to be negotiated to get things patched up. For example, Windows virtualization environments may need to have specific patches created for them, because they can’t use the normal Windows Update system. Right now, this front is “in progress.”
(One good thing that came out of this is that my paranoia finally pushed me into fixing the self-signed certificate for my business site, and properly installing it on my home machine. Properly-validated SSL connections should not be vulnerable to any shenanigans that may result from the DNS vulnerability.)