Safe computing in danger?


songdog
04-07-2005, 02:49 AM
I've given this some thought for quite a while. And recent news has me thinking that big changes are needed if we are to have any chance for safe computing in the future. The latest News.com article (http://news.com.com/Bigger+phishes+ready+to+spawn/2100-7349_3-5656070.html) paints a sobering picture, especially if you extrapolate out from today's hacking crimes to next month's and next year's.

Case in point: DNS poisoning attacks could lead to horrific consequences if software companies/organizations (e.g. Microsoft, Mozilla, Sun, Macromedia) don't change how they distribute software, patches, and upgrades.

95+% of such companies offer their software for download via non-secure web sites. That is, the page(s) from which one downloads their software do not employ secure certificates to authenticate the site's identity. It's not hard to imagine the day when people will run Windows Update to get the latest Microsoft patches and end up downloading & installing trojan horse "root kits" that steal information, undetected, for the rest of the PC's lifetime. The same could happen when fetching the latest Java virtual machine, Flash/Shockwave upgrade, Firefox release, etc.

Off the top of my head, I can think of only 1 or 2 companies that use secure web sites to distribute their software: VanDyke Software (http://www.vandyke.com) (the makers of SecureCRT & SecureFX) and maybe Red Hat. Most of the rest are sitting ducks.

Many of us agonize over choosing the best firewalls, anti-virus/anti-spyware utilities, etc., but these will be of little use with some of the likely attacks we'll be seeing. And when you consider that the average computer user is much less technically savvy than the readers of this forum, the whole situation gets even scarier.

What do other folks here think? Should we legislate the use of secure sites for organizations distributing software to "large" numbers of users? What else can/should we do?

positronstar
04-07-2005, 03:06 AM
Actually, I was under the impression, correct me if I'm wrong, since I don't use Windows anymore, that Microsoft Updates are digitally signed (the executables themselves) so the security level is roughly equivalent to using a secure site (which is also authenticated by similar methods) from which to download patches. I would agree with you that DNS poisoning attacks could have rather "interesting" effects on the general populace.

The problem with using legislation is that many organizations that distribute software do so beyond national borders; how would even the best legislation, drawn up with input by security experts, hackers, and lawmakers alike (provided everyone can get along long enough to try to solve the problem) be enforced across borders?

My personal opinion is that the only way to really offset this problem is to educate the computer public about the dangers. Although people hear about these stories all the time, many simply don't care enough to take the time and effort to protect themselves. For instance, many open source products make excessive use of GPG (OpenPGP) signatures, which assuming a person downloads the author's public key the first time the software is used, would offer a far greater minimization of risk; however, most people I know (offline, that is), don't even know what PGP is, let alone how to verify signatures. Also, about using secure sites for updates, many people have gotten so used to just clicking yes to security warnings that it might not even help too much on manual updates, although using SSL might help with automated updates.

Well, that's just my two cents. Feel free to rip it up as you like.

William
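
Added example, not part of the original thread: a sketch of the check the post above describes, where a download is accepted only if it is signed by the publisher key pinned on first use, whichever server delivered it. A hash-based Lamport one-time signature stands in for GPG or Authenticode so that the code runs on the Python standard library alone; `accept_update`, the `"vendor"` name and the package bytes are hypothetical and constructed for illustration.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secrets, public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def fingerprint(pk):
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()

def accept_update(pins, publisher, pk, package, sig):
    fp = fingerprint(pk)
    if pins.get(publisher, fp) != fp:
        return "rejected: key does not match pinned key"
    if not verify(pk, package, sig):
        return "rejected: bad signature"
    pins[publisher] = fp  # trust on first use: pin the first key that verifies
    return "accepted"

def demo():
    # Constructed sample data; "vendor" and the package bytes are made up.
    sk, pk = keygen()
    other_sk, other_pk = keygen()  # a key that is not the publisher's
    good, bad = b"patch-1.0", b"patch-1.0 modified in transit"
    good_sig, bad_sig = sign(sk, good), sign(other_sk, bad)
    pins = {}
    return [
        accept_update(pins, "vendor", pk, good, good_sig),      # first use pins pk
        accept_update(pins, "vendor", pk, bad, good_sig),       # altered package
        accept_update(pins, "vendor", other_pk, bad, bad_sig),  # substituted key
        accept_update({}, "vendor", other_pk, bad, bad_sig),    # nothing pinned yet
    ]

if __name__ == "__main__":
    print(demo())
```

The last case is the limit of trust on first use: a client that has never seen the real key has nothing to compare against, so the first key has to arrive over a channel that is already trusted.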

Jeff
04-07-2005, 03:06 AM
If a cracker is capable of poisoning DNS servers, can't they simply buy a $10 secure certificate for the domain in question and install it on a server/hosting account they exploit at the same time? Are secure certs infallible?

--welcome to http://69.5.6.116/

positronstar
04-07-2005, 03:10 AM
Well, certificate issuers are supposed to do a reasonable amount of research on companies before giving out certificates, but you're right. There have been cases in the past where people posing as employees of a company managed to get authenticated certificates for someone else's domain. A particularly infamous case was when this happened to Microsoft and Verisign. Unfortunately, I lost the link, but you can probably google it. Hopefully, Verisign and other CAs have learned from that lesson, but you never know.

William

songdog
04-07-2005, 03:23 AM
> Actually, I was under the impression, correct me if I'm wrong, since I don't use Windows anymore, that Microsoft Updates are digitally signed (the executables themselves) so the security level is roughly equivalent to using a secure site (which is also authenticated by similar methods) from which to download patches.

That may be true, but if your browser never even arrives at the real Win Updates site, what's to stop the phony site from allowing downloads that appear to behave like an actual Microsoft download (complete with phony security-related dialog-boxes, etc.)? Sure, this would require an impressive software engineering effort, but with the potential payoffs so large, it's only a matter of time.

Randall
04-07-2005, 12:29 PM
DNS poisoning is starting to sound like more of a real threat now -- although it's still kind of vague. On the one hand people talk about the root servers being compromised, but then this article (http://computerworld.com.sg/ShowPage.aspx?pagetype=2&articleid=537&pubid=3&issueid=33) suggests that you don't have to do that to screw up an ISP's DNS cache.

Randall

YFS200
04-07-2005, 07:44 PM
Um, I am not sure how this DNS poisoning is working. I have done DNS poisoning/sniffing on a LAN. It's easy to do. But I don't see how that would work on the internet. I run DNS servers at work and at home and they ask the root name servers directly. Poisoning this would be hard. The only way I see this happening is if the ISP's DNS servers are set up to allow updates from the internet. Why you would want to do this, I don't know. :dunno:

Randall
04-07-2005, 07:57 PM
Problem is, we've got too many journalists and security "researchers" babbling about this, and not enough internet engineers.

Randall