A Patch to Fix the Net

Continued from page 1

Rich Mogull, an analyst with Securosis, says, "This is something that absolutely affects everyone who uses the Internet today." While he notes that most home users won't have to take action to address the flaw, he stresses that it's very important for businesses to make sure that they've covered their bases. "It is an absolutely critical issue that can impede the ability of any business to carry out their normal operations," he says.

Although Kaminsky was careful to avoid giving out too much information about the flaw that he discovered, he did say a few things about the nature of the fix. When a domain name server responds to a request for a website's location, it provides a confirmation code that is one of 65,000 numbers, as assurance that the transaction is authentic. "What has been discovered," Kaminsky says, "is that, for undisclosed reasons, 65,000 is just not enough, and we need a source of more randomness." The new system will require the initial request to include two randomly generated identifiers, instead of the one it now contains. Both identifiers will automatically be returned in the server's response. Kaminsky likens this to sending mail. Before the patch, it was possible to send a letter signed on the inside, but without a return address. After the patch, all "mail" sent from domain name system servers must include both a "signature"--the confirmation code--and the "return address"--the source port information.

Jeff Moss, CEO of Black Hat, a company that organizes conferences on security, stresses the importance, not only of the vulnerability, but also of the approach taken to patching it. "I don't even want to ask Dan [Kaminsky] how much money he could have gotten for this bug had he decided to sell it," Moss says.

Kaminsky says he's glad that vendors were willing to work together to address the flaw. "Something of this scale has not yet happened before," he says. "It is my hope that for any issue of this scale, especially design issues of this scale, this is the sort of thing that we can do in the future." He plans to release full details of the vulnerability next month at the Black Hat security conference in Las Vegas.