DNS still vulnerable, Bernstein says

CHICAGO, Thursday 7 August 2008 - Do you bank over the Internet? If so,
beware: recent Internet patches don't stop determined attackers.

Network administrators have been rushing to deploy DNS source-port
randomization patches in response to an attack announced by security
researcher Dan Kaminsky last month. But the inventor of source-port
randomization said today that new security solutions are needed to
protect the Internet infrastructure.

"Anyone who knows what he's doing can easily steal your email and insert
fake web pages into your browser, even after you've patched," said
cryptographer Daniel J. Bernstein, a professor in the Center for
Research and Instruction in Technologies for Electronic Security (RITES)
at the University of Illinois at Chicago.

Bernstein's DJBDNS software introduced source-port randomization in
1999 and is now estimated to have tens of millions of users. Bernstein
released the DJBDNS copyright at the end of last year.

Kaminsky said at the Black Hat conference yesterday that 120,000,000
Internet users were now protected by patches using Bernstein's
randomization idea. But Bernstein criticized this idea, saying that it
was "at best a speed bump for blind attackers" and "an extremely poor
substitute for proper cryptographic protection."

DNSSEC, a cryptographic version of DNS, has been in development since
1993 but is still not operational. Bernstein said that DNSSEC offers "a
surprisingly low level of security" while causing severe problems for
DNS reliability and performance.

"We need to stop wasting time on breakable patches," Bernstein said. He
called for development of DNSSEC alternatives that quickly and securely
reject every forged DNS packet.

Press contact: Daniel J. Bernstein