Learning from Dan Bernstein
Dan Bernstein (DJB) is someone you've probably never heard of, yet his work covers an astonishing amount of territory and has benefited everyone who uses the Internet or e-commerce today. His achievements include forcing the US government to allow the export of cryptography (Bernstein v. United States), inventing SYN cookies to protect servers from connection-flooding attacks, writing what may be the world's most secure email server, qmail (used on over 700,000 servers), and discovering faster algorithms in key areas of mathematics.
Unfortunately, despite all this, most of the world ignored him when he warned, 8 years ago, that DNS replies can be forged: an attacker who never sees the query can still get a fake answer cached by guessing the few fields a resolver checks before accepting a reply. To address this he wrote his own DNS server (djbdns). Most people didn't use it, instead using the far less secure BIND server. (I don't know why – I've been using djbdns for 8 years and it's faster, easier to use, and more reliable than BIND.)
So, to those who know the history, it wasn't so surprising to learn that the huge security hole that hit most of the Internet last month would have been nearly entirely avoided if only they had used DJB's DNS software: dnscache, the djbdns resolver, has always randomised both the 16-bit transaction ID and the UDP source port of every query it sends, which is exactly the mitigation the emergency patches added to other resolvers.
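To make the point concrete, here is a toy model of off-path forgery, written for this post as an added example (it is not DJB's code and not a real resolver). The resolver accepts a reply only when its transaction ID, the UDP port it was sent to and the question match an outstanding query; the attacker cannot see the query and must guess. Port number 53 as the "fixed source port", the ephemeral range 1024-65535, the names `attacker.example` and `www.example.com`, and the assumption that forged replies always win the race against the genuine answer are all constructed for the simulation.

```python
import random

# Constructed model of off-path DNS reply forgery (added example, not djbdns code).
# A reply is cached only if (transaction ID, destination UDP port, question)
# match an outstanding query. We assume the attacker's forged replies arrive
# before the genuine one, i.e. the worst case for the resolver.

ID_SPACE = 1 << 16                  # 16-bit DNS transaction ID
FIXED_PORT = 53                     # assumed predictable source port (pre-patch resolvers)
PORT_LOW, PORT_HIGH = 1024, 65535   # assumed range a port-randomising resolver draws from


class Resolver:
    def __init__(self, randomize_id, randomize_port, rng):
        self.randomize_id = randomize_id
        self.randomize_port = randomize_port
        self.rng = rng
        self.next_id = 0            # used when IDs are sequential (predictable)
        self.outstanding = set()

    def send_query(self, qname):
        """Record an outstanding query; return the (id, port) the attacker must guess."""
        if self.randomize_id:
            txid = self.rng.randrange(ID_SPACE)
        else:
            txid = self.next_id
            self.next_id = (self.next_id + 1) % ID_SPACE
        if self.randomize_port:
            port = self.rng.randrange(PORT_LOW, PORT_HIGH + 1)
        else:
            port = FIXED_PORT
        self.outstanding.add((txid, port, qname))
        return txid, port

    def accept(self, txid, port, qname):
        """True if a reply carrying these fields would be cached."""
        return (txid, port, qname) in self.outstanding


def forge(resolver, qname, last_seen_id, budget, rng):
    """Spray `budget` forged replies for qname; True if any is accepted."""
    for i in range(budget):
        if resolver.randomize_id:
            txid = i % ID_SPACE                     # walk the ID space
        else:
            txid = (last_seen_id + 1) % ID_SPACE    # sequential IDs: next one is known
        if resolver.randomize_port:
            port = rng.randrange(PORT_LOW, PORT_HIGH + 1)   # blind port guess
        else:
            port = FIXED_PORT
        if resolver.accept(txid, port, qname):
            return True
    return False


def forgery_success_rate(randomize_id, randomize_port, budget, trials=10, seed=1):
    """Fraction of trials in which a budget-limited attacker poisons the cache."""
    rng = random.Random(seed)       # fixed seed keeps the simulation reproducible
    wins = 0
    for _ in range(trials):
        resolver = Resolver(randomize_id, randomize_port, rng)
        # The attacker first makes the resolver query a server it controls, so it
        # observes the current ID; this only helps when IDs are predictable.
        last_seen_id, _ = resolver.send_query("attacker.example")
        resolver.send_query("www.example.com")      # the lookup being poisoned
        if forge(resolver, "www.example.com", last_seen_id, budget, rng):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("sequential ID, fixed port, 1 packet:  ",
          forgery_success_rate(False, False, budget=1))
    print("random ID, fixed port, 65536 packets: ",
          forgery_success_rate(True, False, budget=65536, trials=3))
    print("random ID and port, 1000 packets:     ",
          forgery_success_rate(True, True, budget=1000))
```

With a predictable ID and port a single forged packet succeeds; with a random ID alone the attacker just needs to flood all 65536 IDs at the one port; only when the port is random too does the search space grow to roughly 2^32, which is why port randomisation was the fix.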
I've been going back over DJB's writings on DNS to see what else he has been trying to tell us. One of the pages that came up (from 1999!) describes how even SSL-secured web sites are vulnerable to DNS attacks. SSL "security" has not improved at all since then; it's still incredibly easy to create an effective phishing site.
This all goes to show that, if there’s anything we can learn from history, it’s that we very rarely learn from history…