This had serious implications. Since many "forgot my password" functions on banking sites rely on email to verify identity, an attacker who could redirect the bank's mail could request a reset, intercept the email, and set the password to anything he wanted. He would then have total access to that bank account.
"We're hosed," Wijngaards thought.
It got worse. Most Internet commerce transactions are encrypted, and the certificates that vouch for the site at the other end are sold by certificate authorities like VeriSign. Online vendors visit the VeriSign site and buy a certificate; customers' browsers then trust that they are talking to the real vendor and that their transactions are secure.
But not anymore. Kaminsky's exploit would allow an attacker to redirect VeriSign's Web traffic to an exact functioning replica of the VeriSign site. The hacker could then hand out his own certificates and keys, which, of course, he could use to unlock the traffic later. Unsuspecting vendors would install them and think themselves safe and ready for business. A cornerstone of secure Internet communication was in danger of being destroyed.
David Ulevitch smiled despite himself. The founder of OpenDNS, a company that operates DNS servers worldwide, was witnessing a tour de force—the geek equivalent of Michael Phelps winning his eighth gold medal. As far as Ulevitch was concerned, there had never been a vulnerability of this magnitude that was so easy to use. "This is an amazingly catastrophic attack," he marveled with a mix of grave concern and giddy awe.
It was a difficult flight back to San Francisco for Sandy Wilbourn, vice president of engineering for Nominum, a company hired by broadband providers to supply 150 million customers with DNS service. What he heard in Redmond was overwhelming—a 9 out of 10 on the scale of disasters. He might have given it a 10, but it was likely to keep getting worse. He was going to give this one some room to grow.
One of Wilbourn's immediate concerns was that about 40 percent of the country's broadband Internet ran through his servers. If word of the vulnerability leaked, hackers could quickly poison the caches of those resolvers and redirect every customer behind them.
In his Redwood City, California, office, he isolated a hard drive so no one else in the company could access it. Then he called in his three top engineers, shut the door, and told them that what he was about to say couldn't be shared with anyone—not at home, not at the company. Even their interoffice email would have to be encrypted from now on.