“SSL’s not the panacea we would like it to be,” he said.

Another major problem has been what Kaminsky says is the “forgot my password” attack. This affects many companies that have Web-based password recovery systems. Criminals could claim to have forgotten a user’s password to the Web site and then use DNS hacking techniques to trick the site into sending the password to their own computer.

In addition to the DNS vendors, Kaminsky said he’d worked with companies such as Google, Facebook, Yahoo and eBay to fix the various problems related to the flaw. “I do not want to see my cell phone bill this month,” he said.

Although some conference attendees said Wednesday that Kaminsky’s talk was overhyped, OpenDNS CEO David Ulevitch said that the IOActive researcher has performed a valuable service to the Internet community. “The entire scope of the attack is even yet to be fully realized,” he said. “This affects every single person on the Internet.” 

© 2007 Network World Inc.