DNSSEC Deployment Lags
DNSSEC has been slow to be accepted by commercial sites, leading to a lag in DNSSEC deployment, even though it is the best solution to prevent exposure to site hijacking. This type of hijacking is possible because of a major flaw in DNS, found by security researcher Dan Kaminsky 5 years ago, that makes it possible for hackers to launch cache poisoning attacks. The attack can be used to redirect traffic from a legitimate website to a fake one, facilitating a “man in the middle” attack. This vulnerability is very real and is an effective way to reroute traffic to an alternate site. In a recent article in Network World, “5 years after major DNS flaw is discovered, few US companies have deployed long-term fix”, statistics from multiple sources are shared regarding this slow rate of acceptance of DNSSEC.
Secure64 has been tracking this vulnerability very closely and contributed information to the article. As stated in the article, US Federal Government sites are taking the lead in implementing DNSSEC. Regulation is in place requiring the protection, but even with this requirement and compliance monitoring practices, some Federal sites have not completed their implementation of DNSSEC.
We had expected the financial services industry to be very active in protecting their sites via DNSSEC. However, in reality none of the financial services sites we tested have implemented DNSSEC to protect their customers’ information from being misdirected. Financial service providers and customers of financial service companies should be very concerned about the exposure on sites that lack DNSSEC protection.
The reason for not deploying DNSSEC used to be that the top level domains (TLDs) weren’t signed. That is no longer the case, as most of the TLDs support DNSSEC. In addition, several country code TLDs are now signed for DNSSEC as well.
In the Network World article, the increased use of Secure Sockets Layer (SSL) certificates is mentioned. SSL is only one piece of securing traffic to a site. Having SSL in place only means that a message is encrypted between the client and the site. It doesn’t necessarily mean that the traffic is going to the intended site. There have been several instances of fraudulent SSL certificates. Within the last month Google and Microsoft issued a warning on certificates that were stolen from an authority in Turkey. The certificates were reportedly being used for a “man in the middle” attack, the situation that DNSSEC is designed to protect against. As mentioned earlier, in this type of attack, traffic is tricked into going to another site. More than an SSL certificate is required to prevent a site’s traffic from being hijacked in this manner. In Brazil, all online banking web sites must have DNSSEC. That is the minimal level of protection they feel is necessary to assure that financial transactions and information aren’t compromised.
If you are wondering about putting DNSSEC in place, Secure64 can provide you with a means to do this in the most secure manner possible.