Slides. Summary:

• DNS servers had a core bug that allows arbitrary cache poisoning

– The bug works even when the host is behind a firewall

– There are enough variants of the bug that we needed a stopgap before working on something more complete

• Industry rallied pretty ridiculously to do something about this, with hundreds of millions protected

• DNS clients are at risk, in certain circumstances

• We are entering (or, perhaps, holding back a little longer) a third age of security research, where all networked apps are “fair game”

– Autoupdate in particular is a mess, broken by design (except for Microsoft)

• SSL is not the panacea it would seem to be

– In fact, SSL certs are themselves dependent on DNS

• DNS bugs ended up creating something of a “skeleton key” across almost all major websites, despite independent implementations

• Internal networks are not at all safe, both from the effects of Java, and from the fact that internal routing could be influenced by external activity

– The whole concept of the fully internal network may be broken – there are just so many business relationships – and, between IPsec not triggering and SSL not being cert-validated, these relationships may not be secure

– We’re not even populating CDNs securely!
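The stopgap referred to in the first bullet was UDP source-port randomization on resolvers, so the check a defender most wants is whether their resolver actually varies its source port. The following is an added example, not from the slides: it takes (transaction ID, source port) pairs captured from a resolver's outbound queries (the sample data here is constructed) and reports how much entropy a spoofed answer would have to match.

```python
import math
from collections import Counter

# Constructed samples: (DNS transaction ID, UDP source port) pairs as they
# would be seen on a resolver's outbound queries. Two hypothetical resolvers:
# one pinned to a single source port, one randomizing it per query.
FIXED_PORT_RESOLVER = [(0x1a2b, 53), (0x9f01, 53), (0x3344, 53), (0x7c7c, 53),
                       (0x0e10, 53), (0xbeef, 53), (0x1234, 53), (0x5a5a, 53)]
RANDOM_PORT_RESOLVER = [(0x1a2b, 41532), (0x9f01, 58811), (0x3344, 33021),
                        (0x7c7c, 60117), (0x0e10, 45206), (0xbeef, 52990),
                        (0x1234, 38774), (0x5a5a, 49633)]


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_resolver(samples):
    """Estimate how much an off-path spoofer must guess per forged reply.

    With only the 16-bit transaction ID varying, a forged answer matches
    with probability 1/65536 per try; a randomized source port adds its own
    entropy on top. A resolver that never changes its port has port_bits 0.
    Note that entropy from N samples is capped at log2(N), so a real audit
    needs many more queries than this toy set before trusting the number.
    """
    txids = [t for t, _ in samples]
    ports = [p for _, p in samples]
    distinct_ports = len(set(ports))
    verdict = ("port randomization MISSING" if distinct_ports == 1
               else "port randomization present")
    return {
        "txid_bits": round(entropy_bits(txids), 2),
        "port_bits": round(entropy_bits(ports), 2),
        "distinct_ports": distinct_ports,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, data in (("fixed", FIXED_PORT_RESOLVER),
                       ("random", RANDOM_PORT_RESOLVER)):
        print(name, assess_resolver(data))
```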

Animation soon.