Technology Review
A protocol that could make the Internet more secure is finally being implemented.
A core element of the Internet that helps millions of computer systems locate each other is finally getting a much-needed upgrade. The domain name system (DNS) works a lot like the Internet's phone book, translating the URLs that users type into a browser into the numerical addresses used to identify the servers that host the requested site.
Recently, this 30-year-old system has begun showing its age.
Last year, a team of high-profile security researchers raced to repair a critical flaw in DNS that made it possible to hijack legitimate communications, potentially directing unsuspecting Web surfers to malicious Web pages. The patch that the team came up with reduced the immediate danger but wasn't meant to be a permanent solution.
For a long-term fix, many experts are now looking to DNSSEC, a protocol that verifies DNS messages with digital signatures. The Public Interest Registry, which handles the .org domain, is implementing DNSSEC across all Web addresses ending with this suffix, and it plans to complete the first phase of the process early this year. The U.S. government has committed to turning on DNSSEC for .gov as well, and the newly formed DNSSEC Industry Coalition is pushing to get the protocol adopted even more widely.
This is something of a turnaround. In the 14 years since DNSSEC was first conceived, the protocol struggled to gain widespread adoption because it was seen to unnecessarily increase the complexity of implementing DNS. The key to the DNS flaw discovered last year is that the protocol was designed during a more trusting time and does not bother to authenticate information. Dan Kaminsky, director of penetration testing at IOActive, a security company based in Seattle, realized that, if an attacker could worm his way into a DNS communication, he could redirect Web traffic in almost any way. Features have been added to DNS to reduce the threat that messages will be hijacked, but DNSSEC adds real authentication to the system for the first time.
Alexa Raad, CEO of the Public Interest Registry, notes that someone had to be the first to implement the new protocol. Before now, she says, the organizations responsible for domain names weren't moving to integrate DNSSEC because they'd either be sending out credentials to servers that weren't listening for them, or they'd be listening for credentials that wouldn't be there. Raad says that the Public Interest Registry started integrating DNSSEC well before Kaminsky's flaw was announced, hoping to encourage adoption of the protocol by setting an example. The revelations of Kaminsky's flaw simply helped intensify the debate, she says. "For the past two years, a lot of the debate around DNSSEC centered around, 'Do we need it? Are there other technologies? How viable is it?' I think the debate has completely moved away from that. We all understand that DNS is in fact broken. The only solution for that is, in fact, DNSSEC. The debate is now, 'How do we deploy?'"
Secure Internet-address-lookup technology readied for .net and .com domains.
A Web browser loophole could make it easier for crooks to scam the unwary.
In the first Austin Powers movie, there's a great line describing Frau Farbissna as "the founder of the militant wing of the Salvation Army." The centerpiece of that joke was that the Salvation Army was designed to serve peace, not war or aggression - hence the irony in terms. Similarly, DNSSEC is part of the larger proposition called "Internet security" which is basically an attempt to bolt on something safe to something that was established as a system w/o security or borders.
While DNSSEC improves the current model, it's still part of what many experts call "security theatre" because it's paraded around as the big cure for of online security when it's really only a small piece of a very complicated puzzle. Many studies show that users don't check for a lock, let alone inspect the details of a certificate. So really, does DNSSEC really add significant change for the average user? Given the pervasiveness of malware, I don't see much reason to worry about the integrity of websites - I've got a much bigger challenge keeping my own computer safe.
Manufacturing in the United States is in trouble. That's bad news not just for the country's economy but for the future of innovation.
Our list of the 50 most innovative companies, including the following:
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
dtutelman
117 Comments
More trusting times
"The key to the DNS flaw discovered last year is that the protocol was designed during a more trusting time and does not bother to authenticate information."
Most of the protocols underlying the Internet were designed in more trusting times. They are based on ARPAnet, which was conceived in 1969, and many of the principal protocols were operational by the mid-1970s. (IP, TCP, DNS, ICMP, SMTP, FTP, etc)
While ARPA was a defense agency, the network was designed with almost no concern for security. ARPAnet was intended to be a closed community, a collection of academic and think-tank defense contractors. It was years before the traffic and the interconnectivity with other networks became sufficient to challenge the original concept and exploit its weaknesses.
And, in surprisingly large part, the flaws remain. A few reasons:
(1) The net is big enough that it takes great effort to change any well-entrenched protocol.
(2) As far as security is concerned, it can be enforced end-to-end at the application level. (This works for security, but not very well for traffic.)
That's how we got where we are today.
DaveT
Reply