
Feds Tighten DNS Security On .Gov

CmdrTaco posted about 6 years ago | from the totally-safe-we-promise dept.

Security 140

alphadogg writes "When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency. That's because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption."

140 comments

Just what they want you to think (4, Insightful)

Punko (784684) | about 6 years ago | (#25102805)

"you can be confident that every U.S. government Web page is being served up by the appropriate agency."

The easiest way to entrap a victim is to promote a feeling of security.

Nothing says 'rob me blind' like 'trust us'.

Re:Just what they want you to think (5, Funny)

PainMeds (1301879) | about 6 years ago | (#25102865)

Nothing says 'rob me blind' like 'trust us'.

Which is why this originated from the IRS.

A bar decides to have a contest about ... (5, Funny)

Anonymous Coward | about 6 years ago | (#25103217)

who can squeeze every last drop of juice out of a lemon. So, the local strong guys line up and try....

The first guy, a big burly construction guy, gives it a try and squeezes the lemon so that nothing comes out.

A big body builder guy walks up and squeezes some more drops out but then nothing.

Another big guy shows up and nothing. Just as the bartender was about to announce a winner, a small, bespectacled fellow wearing a business suit walks up and says in a mousy voice, "Let me try."

Laughter ensues around the bar and they hand him the lemon. He squeezes and out pours more juice and he's declared the winner. The body builder asks, "How did you do that ?!?"

The little guy answers, "I work for the IRS."

Re:Just what they want you to think (5, Funny)

noidentity (188756) | about 6 years ago | (#25103393)

On a similar note,

When you file your taxes online, you want to be sure that the Web site you visit -- www.irs.gov -- is operated by the Internal Revenue Service and not a scam artist

Wait, those are two different things?

Re:Just what they want you to think (4, Funny)

Anonymous Coward | about 6 years ago | (#25105441)

The IRS is not a scam artist... it is a protection racket.

And generally, yeah, you want to make sure you pay the right guy in a protection racket.

Congress is the thief, IRS is just the tool (0)

Anonymous Coward | about 6 years ago | (#25105443)

The IRS doesn't get to set the tax rates. Congress does. If you don't like being taxed to death, take it up with the real villains.

IRS is just a lap dog.

Re:Congress is the thief, IRS is just the tool (1)

hclewk (1248568) | about 6 years ago | (#25108517)

Yeah, but it is a bloated, bureaucratic lap dog.

Re:Just what they want you to think (1)

Pecisk (688001) | about 6 years ago | (#25104063)

Paranoia modded up as insightful - yeah, what I'm talking about, this is Slashdot. Seemingly lacking touch with "real life" (tm).

Re:Just what they want you to think (1)

megamerican (1073936) | about 6 years ago | (#25104153)

Nothing says 'rob me blind' like 'trust us'.

Everyone trusts them that it is the law that you must file your tax return. Wouldn't that violate the 5th amendment? [wikipedia.org]

...nor shall be compelled in any criminal case to be a witness against himself...

You can be criminally charged for not filing your taxes and for filing your taxes incorrectly.

However, I must stress that you should pay your taxes because the IRS probably has more guns, lawyers and judges than you do!

Re:Just what they want you to think (1)

Talderas (1212466) | about 6 years ago | (#25105001)

Did someone say 16th Amendment?

Re:Just what they want you to think (0)

Anonymous Coward | about 6 years ago | (#25108093)

However, I must stress that you should pay your taxes because the IRS probably has more guns, lawyers and judges than you do!

They may have more guns than I do, but not more guns than we do.

Re:Just what they want you to think (4, Insightful)

jonaskoelker (922170) | about 6 years ago | (#25107753)

"you can be confident that every U.S. government Web page is being served up by the appropriate agency."

The easiest way to entrap a victim is to promote a feeling of security.

I would venture a guess: any visitor to *.gov who doesn't know what a packet is (i.e. at least 95% of the public) will already feel secure. Also, since the difference between secure DNS and insecure DNS will be absolutely invisible to them (presumably), they won't feel any more or less secure now. Or they won't know what the difference between the green padlock and the yellow padlock is. At any mention of the secure DNS in the press, these 95% of visitors will have forgotten about it the next day [just as I might].

Bottom line: no one who doesn't deal with computers either professionally or as a hobby will notice. Their feeling of security will be unaffected.

Glad they fixed that (2, Insightful)

Anonymous Coward | about 6 years ago | (#25102837)

Now I can be sure I'm giving the IRS my money and not some other scam artist. I mean, not some scam artist. (:

Spam Can Bypass God (2, Funny)

mfh (56) | about 6 years ago | (#25102873)

Yes, but with this handy +4 magic marker, spammers can bypass the multi-trillion dollar infrastructure and pwn your inbox.

IRS vs. Scam Artists? (1)

rodney dill (631059) | about 6 years ago | (#25102907)

Come se come sa

Re:IRS vs. Scam Artists? (1)

cmaurand (768570) | about 6 years ago | (#25103119)

You're tag line: Use your head, can't you, use your head, You're on earth, there's no cure for that needs editing. It should read: Use your head. Can't you, use your head? You're on earth. There's no cure for that.

Re:IRS vs. Scam Artists? (0)

Anonymous Coward | about 6 years ago | (#25103283)

You're tag line:

The only thing sadder than a Grammar Nazi is a failed Grammar Nazi...

Re:IRS vs. Scam Artists? (1)

rodney dill (631059) | about 6 years ago | (#25103789)

It's a quote from Sam Beckett's Endgame, which contains no '?' in any reference that I have found. There is no room to credit Sam Beckett in the sig.

Re:IRS vs. Scam Artists? (1)

GundamFan (848341) | about 6 years ago | (#25104495)

Not that I'm an expert but given that it is a quotation the sentence, while technically not correct, could very well accurately represent what Mr. Beckett said or wrote. Please post a link to the quote on a reputable site so we can figure out which version is correct.

Re:IRS vs. Scam Artists? (1)

Sique (173459) | about 6 years ago | (#25103169)

Comme ci, comme ca. (the c with a cedilla, but Slashdot doesn't know how to print that.)

Re:IRS vs. Scam Artists? (2, Informative)

psmears (629712) | about 6 years ago | (#25103309)

Yes it can—comme ça!

(you need to use HTML character entities: "comme ça". Slashdot only supports some—a fairly arbitrary subset—of these.)

Re:IRS vs. Scam Artists? (1)

Sique (173459) | about 6 years ago | (#25103447)

A ce façon?

Why do I don't think it'd help? (1)

kabocox (199019) | about 6 years ago | (#25102933)

It sounds like a good idea... Why do I feel that this is a user problem though that won't be fixed by a techy fix?

When I read the headline, I thought that they were going to make sure everyone that uses the .gov domain was an actual government agency and not scam artists... That's something I'd hope that they are doing now, but I wouldn't hold my breath on it.

The thing is this won't stop a stupid person from following irs-im-a-stupid-user-.com, .tv, .org, or .net.

Re:Why do I don't think it'd help? (0)

Anonymous Coward | about 6 years ago | (#25103067)

The thing is this won't stop a stupid person

Probably not, but it will make it so the rest of us don't have to memorize every IP/hostname combination in order to make sure we're really in the right place.

If you think SSL solves your worries about identity theft, you have no idea how hilarious it would be for someone to make a fake IRS site with slightly wrong forms and instructions.

Re:Why do I don't think it'd help? (0)

Anonymous Coward | about 6 years ago | (#25107259)

The thing is this won't stop a stupid person from following irs-im-a-stupid-user-.com, .tv, .org, or .net.

True, but for the rest of us it makes sure that irs.gov wasn't hijacked and still points to the government server accepting your tax filing. In other words, without dnssec you can check the link all you want, but you're never really sure if the ip address you get from the dns server is right.

You won't be able to protect people who'll happily send in all their private information to your-irs.dyndyns.org, but you will ensure irs.gov will at least work right, and protect everybody else from dns hijacks.

A percentage of the population will do stupid things and end up turning themselves into victims no matter what, but that does not mean you must leave the door wide open for scammers to turn everybody into victims.

How About They.. (4, Informative)

neoform (551705) | about 6 years ago | (#25102935)

They really need to crack down more on sites like this one: http://www.usagc.org/ [usagc.org] while they're at it.

WIN A FREE GREEN CARD! SIGN UP NOW FREE!*

* $100 entry fee.

Re:How About They.. (0)

Anonymous Coward | about 6 years ago | (#25104717)

I know someone that unknowingly (thinking it was an official government page) started signing up to that in a little desperation for a green card. After they filled out the first page, I saw what they were doing and stopped them. Unfortunately the first page contained their name and phone number. Within 5 minutes, someone started calling them regarding signing up (it was at midnight on the weekend). Scary site and service if they have 24/7 customer support for signing up to get a green card through the lottery.

Re:How About They.. (1)

stealths (1227778) | about 6 years ago | (#25107183)

WOT (Web of Trust) blocked me from that site! FTW!

Good for opportunistic encryption (4, Interesting)

Matt Perry (793115) | about 6 years ago | (#25103011)

If my memory is correct, DNSSEC is one of the prerequisites for making opportunistic encryption easier to deploy widely. I hope this catches on and becomes more widespread.

Re:Good for opportunistic encryption (1)

Lennie (16154) | about 6 years ago | (#25103911)

Totally agree that things like opportunistic encryption would be great, although I'm sure we'll get to see a lot of bugs and issues first before things get better.

Re:Good for opportunistic encryption (1)

incripshin (580256) | about 6 years ago | (#25104297)

And I say 'bring on the bugs'. Only through heavy use will the rough edges disappear. I would rather embrace a technology that makes more sense but with some rough edges, than stable legacy code. Both DNS and DNSSEC have their problems right now, I'm sure, but only DNSSEC has a future.

Now all we need is wide deployment IPv6+IPsec, authenticated BGP, and more accessible certificates for use with SSH/HTTPS/IMAP/etc, and we'll be set.

Re:Good for opportunistic encryption (1)

Lennie (16154) | about 6 years ago | (#25106971)

There is an RFC draft for using DNSSEC to check BGP announcements.

A proper secure protocol for doing DNS updates would be nice too (DHCP etc.)

And switch vendors starting to implement RA-guard.

Now if only... (2, Insightful)

InvisblePinkUnicorn (1126837) | about 6 years ago | (#25103023)

Now, if only we could be confident about exactly where our taxes are going...

Re:Now if only... (1)

keithius (804090) | about 6 years ago | (#25103527)

Now, if only we could be confident about exactly where our taxes are going...

*sigh* Too true, too true...

Re:Now if only... (1)

megamerican (1073936) | about 6 years ago | (#25104007)

100% of what is collected is absorbed solely by interest on the Federal Debt ... all individual income tax revenues are gone before one nickel is spent on the services taxpayers expect from government.

-Grace Commission report submitted to President Ronald Reagan - January 15, 1984

I'm sure I'll now be called crazy for simply reading a public document released by our own government.

How useful is DNSSEC w/o top-level signed? (4, Interesting)

jamie (78724) | about 6 years ago | (#25103049)

I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. If I understood it right, the main attack DNSSEC is intended to prevent is a man-in-the-middle returning a fake response to your computer's (or your ISP's computer's) DNS query, a fake that it accepts in place of the real response.

If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov, at least as far as your ISP knew.

Anyone know how plausible that attack remains? Knowledgeable responses welcome :)

Of course, part of getting DNSSEC set up for the whole internet is seeing how well it plays out in real-world testing, and .gov is the logical place to start. I assume once any kinks are discovered from this rollout, we'll be one step closer to enabling it on the root servers, which will allow any TLD to achieve a real security gain.

Re:How useful is DNSSEC w/o top-level signed? (5, Informative)

jonaskoelker (922170) | about 6 years ago | (#25103339)

I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. [...] If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov.

That would be my exact understanding as well.

The details are these: Every node in the DNS tree has a key pair. Everybody knows the public key of the root. Every response to a request contains an answer, and a signature on that answer. As an additional request, you can ask for public keys too.

So, here's the scenario for going to whitehouse.gov, assuming full deployment of DNSSEC:

  1. Ask root for whitehouse.gov
  2. Receive IP of nameserver for .gov [check its signature]. Root may opt to give you the public key of .gov, otherwise ask for it and check its signature.
  3. Ask .gov for whitehouse.gov
  4. Receive IP of whitehouse.gov [check sig]. Also, .gov may opt to give you the public key of whitehouse.gov
  5. Connect, now you know where to go :)

This secures step 4. Step 2 is still not secured. Paul Vixie has given some good talks on DNSSEC and everything else that's wrong with the interwebs ;) See http://www.usenix.org/events/lisa05/tech/mp3/vixie.mp3 [usenix.org] . You may also like http://media.defcon.org/dc-13/audio/2005_Defcon_V7-Paul_Vixie-The_Internets_March_of_Folly.mp3 [defcon.org] .

Re:How useful is DNSSEC w/o top-level signed? (1)

squidguy (846256) | about 6 years ago | (#25103661)

  1. Ask root for whitehouse.gov
  2. Receive IP of nameserver for .gov [check its signature]. Root may opt to give you the public key of .gov, otherwise ask for it and check its signature.
  3. Ask .gov for whitehouse.gov
  4. Receive IP of whitehouse.gov [check sig]. Also, .gov may opt to give you the public key of whitehouse.gov
  5. Connect, now you know where to go :)

Ah, but it's more fun if you wind up at whitehouse.com

Re:How useful is DNSSEC w/o top-level signed? (1)

Lennie (16154) | about 6 years ago | (#25103823)

You are mostly correct, actually it's even worse.

This creates a false sense of security, because DNSSEC only works for those that support it and only works automatically for those TLDs that have it set up.

There is something called DNSSEC Look-aside Validation (DLV) which DNS-admins can use to manually set up validation of a TLD or in this case .gov, but I doubt anyone will do it.

The only good thing is the software and procedures get tested better if .gov also starts using it.

And maybe every DNS-admin 'inside' .gov will set up the DLV manually, that way all communication between .gov's might be better protected.

Re:How useful is DNSSEC w/o top-level signed? (1)

Dolda2000 (759023) | about 6 years ago | (#25104775)

The details are these: Every node in the DNS tree has a key pair. Everybody knows the public key of the root.

That runs against my understanding, though. I can't call myself an expert on DNSSEC, but as I've understood it, a client can have a trust anchor at any node in the tree. Thus, the client can have the public key of the .gov TLD pre-installed and check its replies against it.

In fact, I think it seems haphazard to do otherwise. If the clients only knew and trusted the public key of the root server, then it would both require everyone to trust the root server operators (not that I don't, but I wouldn't want to have to), and it would create a single point of failure. If anyone h4xx3d the root zone's public key, they could fake the entire DNS.

Re:How useful is DNSSEC w/o top-level signed? (1)

spinkham (56603) | about 6 years ago | (#25106889)

For DNSSEC to work, you need either:
1) Signed root
2) Signed TLDs with out of band pre-verification
3) DLV.

1) is the future.
2) and 3) are what we are stuck with today, so I'll explain them.

DNSSEC can be rooted anywhere you like, but the lower down the tree you go from the root the more keys you have to manually verify. For .gov to be secure, for example, every recursive DNS server operator would have to manually verify and install the .gov key. And they'd have to update it periodically, probably about yearly. For 2) to work, every DNS op would have to be on top of key rotation, or an out of band verification tool could be written that would depend on GPG, SSL, or other established crypto for verification.

DLV is a solution where someone besides the actual DNS root is treated as the DNSSEC root for anyone who submits their key to the DLV. Right now ISC runs one of these, available here [isc.org] . Previously, VeriSign ran a pilot, but dropped it. Apparently they saw no good way to monetize the service.

Eventually the actual DNS root will be signed, and there is lots of talk about it at the moment, but little action.
At the moment .org, .arpa (reverse lookup), and .gov are moving to deploy DNSSEC themselves.

Note that the root signing issue is more political (i.e. Who holds the keys?) than technical at this point.

Re:How useful is DNSSEC w/o top-level signed? (0)

Anonymous Coward | about 6 years ago | (#25109727)

The ONLY "problem" I had w/ Mr. Vixie's otherwise EXCELLENT 'critique' of what is "WRONG" with the internet, today, as it stands (& IPv6 vs. IPv4, the existence & usage of NAT, & more)?

Well, HE had the opportunity to make some changes, IN THE WAY HE SEES IT, & was invited to be on many of these 'taskforces', & yet, he declined...

Sure, he MAY be busy & all that (such as his mentioning he has to deal with morons that attempt to DDOS or DOS the root DNS servers out there etc. & tracking them down as well), but... who isn't?

I mean - complaining shouldn't be his method, especially when HE had the opportunity to voice his opinions, hopefully solely based on facts, & make changes happen before there WAS a chance to 'bitch about how it is', as he had done in 1 of those 2 presentations (DEFCON).

The guy DEFINITELY knows what he is about, to a very high extent, but... he should have "helped head them off @ the pass", & elected to become part of those taskforces from IETF etc. et al, instead of merely now "bitching about" what most any savvy (or, somewhat TRULY savvy) person online today knows (meaning network engineers really)... he could have "made that difference" long ago, instead of merely voicing complaints @ this point.

Re:How useful is DNSSEC w/o top-level signed? (2, Informative)

Dolda2000 (759023) | about 6 years ago | (#25103705)

I shan't call myself too knowledgeable about DNSSEC, but as far as I've understood it, it should be perfectly secure as long as the client systems have the .gov TLD's public key installed as an anchor of trust. Which they currently don't, of course, but that's another issue.

This can deal with the Chicken-and-egg problem (3, Informative)

dwheeler (321049) | about 6 years ago | (#25103841)

You're quite right, it's perfectly secure if the client systems have the .gov TLD public key. And almost no one does, today. Of course, no one will bother trying to get DNSSEC or these keys until there's something to verify.

This is a classic chicken-and-egg problem. The good news is that the U.S. government _CAN_ require that its OWN sites implement DNSSEC - and once that's done, people who deal with those sites (most U.S. citizens) will have a reason to install DNSSEC and the relevant .gov keys.

What will probably happen is that there will be a Firefox plug-in (if there isn't already) that supplies these keys, and slowly browsers will add support for all this. The result: Accessing these sites will become more secure, over time. Good thing.

Re:This can deal with the Chicken-and-egg problem (2, Informative)

Lennie (16154) | about 6 years ago | (#25104351)

yes, there is one:

http://www.nlnetlabs.nl/dnssec/drill_extension.html [nlnetlabs.nl]

Re:This can deal with the Chicken-and-egg problem (1, Informative)

Anonymous Coward | about 6 years ago | (#25107013)

Your "DRILL" .xpi addon only appears to be compatible w/ FF 1.5-2.x, NOT 3.x (the current series of FireFox)... see the bottom of that page, Lennie.

Re:How useful is DNSSEC w/o top-level signed? (0)

Anonymous Coward | about 6 years ago | (#25104295)

Somehow this is very unlikely to happen, I think.
To pull this off, you have to have access to the ISP core network or DNS servers. Usually these people are highly qualified and highly paid network engineers. They are not motivated enough compared to the risk to get caught, which is fairly high.
For my previous employer (a large Telco in Bulgaria) I implemented AAA scheme with TACACS server for all of their network equipment (almost exclusively Cisco). Every network engineer had username and every EXEC (elevated priority) command they used was logged. Configuration of all devices was copied to central repository and there was diff history available. So it was fairly trivial to find who changed what. I assume there are similar or even better systems at the large international ISPs.

Because of the nature of their work, when these people (me included) have to deal with something uncertain, they tend to expect the worst case scenario. Things in the configuration that are "strange" attract attention. So the ISP staff is the least danger in the chain.

Of course if an outsider gains physical access to some of the main traffic cables, it is completely different story ;)

Re:How useful is DNSSEC w/o top-level signed? (1)

ion.simon.c (1183967) | about 6 years ago | (#25106085)

Hell.
DNSSEC is useless w/out DNSSEC aware components throughout the chain. So, this is *not* for you and your Windows machine, this is for:
1) yet another "barrel o' money" govt. contract.
2) those select individuals served by the IT staff that are paid from said contract.

Nothing to see here. Move along.

Re:How useful is DNSSEC w/o top-level signed? (5, Informative)

mpeg4codec (581587) | about 6 years ago | (#25106095)

If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov, at least as far as your ISP knew.

Anyone know how plausible that attack remains? Knowledgeable responses welcome :)

First, to answer your question regarding the plausibility: there are a few scenarios in which it is possible. The most likely scenario is that you're on the same local network as an attacker so that he/she can intercept your DNS traffic and forge replies. This might be the case when you're using the wireless provided at a coffee shop, for instance. There exist automated tools to make this simple, and I would consider this the biggest vector of attack. The only other case I can think of is that an attacker has control of a router between you and the root servers. While this is technically possible, I would personally regard it as fairly infeasible for the average attacker. If you're in $THIRD_WORLD_COUNTRY and the mob controls internet access, you might have something to worry about.

I'm involved with a project called SecSpider [ucla.edu] that monitors the deployment of DNSSEC. We use a distributed network of pollers around the world to collect RRsets from all known DNSSEC-enabled zones. One of the reasons we use pollers from different locations is to detect attacks such as either of the two listed above, more likely the latter. If any attack were to occur, we stand the best chance of detecting it. We have been monitoring since 2005 and have yet to see such an attack.

An additional benefit of collecting all these RRsets is that we have what we call a "world-wide perspective" on DNSKEYs. Whenever we collect a set of DNSKEY RRsets from a zone, if the set is consistent across pollers, we add it to our DLV repository. A DLV (DNSSEC lookaside validation) resource record is very similar to a DS (delegation signer) record. It contains a cryptographic hash of the DNSKEYs served by a zone so that the zone's integrity can be checked. However, instead of being served by the zone's parent, it can be served by anyone.

The typical way in which a resolver detects if a zone is secure is by tracing a secure delegation from the root. Instead of the typical manner of starting at the root and querying recursively for NS records, the resolver queries for both NS and DS records. Then when it queries one of the nameservers listed in the NS records, it asks for the DNSKEYs and verifies them using the DS record. In this way, it is possible to build a chain of trust that leads all the way back to the root nameservers.

Unfortunately, without the root being signed, this process will not work. One alternative is to configure your resolver to query for DLV records to bootstrap the process. When your resolver queries a zone for DNSKEY RRs, it will also query the DLV repository for a DLV record matching that zone. It will then attempt to cryptographically verify the DNSKEYs using that record. If it verifies, you know that someone you trust thinks your DNSKEYs are right, side-stepping the typical chain of trust (thus the name: "lookaside"). If you were to configure your resolver to use our repository, you would be able to verify if the DNSKEYs you receive are the same as the DNSKEYs being seen by all of our pollers around the world. Not perfect security, but definitely an improvement on the current situation.

If you're interested in the details of our project, you can check out our web site or ask me for more details. We have information on how to use our repository in our FAQ [ucla.edu] .

You mention the notion of real-world testing of DNSSEC. It's worth noting that there are actually several TLDs that are currently signed (mostly ccTLDs), as well as a large number of second-level domains. gov is hardly the first, but it should definitely be the highest-profile rollout to date. We're currently waiting with bated breath to see the outcome.
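An added example, not part of the thread or of any project named in it: the hash check that ties a DS record from a parent, a DLV record from a lookaside repository, or a pre-installed trust anchor to the DNSKEY a zone actually serves, following the DS digest and key tag definitions in RFC 4034. The key bytes, the `check_zone` helper and its three result labels are constructed for illustration, and RRSIG signature verification is deliberately left out.

```python
"""DS/DLV digest check: does a received DNSKEY match a hash the resolver already trusts?"""
import hashlib
import hmac
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (SHA-1) and 2 (SHA-256)


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, ending in the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 bytes")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Build the DS-format record (also the DLV format) a parent or repository publishes."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches(owner, ds, rdata):
    """True if the trusted record is the hash of this owner name plus this DNSKEY."""
    if len(rdata) < 4 or ds["digest_type"] not in DIGESTS:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = DIGESTS[ds["digest_type"]](name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, ds["digest"])


def check_zone(zone, received_keys, anchors):
    """Classify a zone's received DNSKEY set against what the resolver already trusts.

    anchors maps a zone name to DS-format records obtained from a signed parent,
    a DLV repository, or manual out-of-band installation (hypothetical structure).
    """
    zone_key = zone.rstrip(".").lower() + "."
    records = anchors.get(zone_key)
    if not records:
        return "no-anchor"      # nothing to check against: the unsigned-root situation
    for rdata in received_keys:
        if any(ds_matches(zone_key, ds, rdata) for ds in records):
            return "anchored"   # at least one served key is the one we trust
    return "mismatch"           # keys were served, but none is the trusted one


# Constructed sample data: these key bytes are made up, not any real zone's key.
GOV_KSK = dnskey_rdata(257, 5, hashlib.sha256(b"constructed gov KSK").digest() * 4)
FORGED_KSK = dnskey_rdata(257, 5, hashlib.sha256(b"constructed forged key").digest() * 4)
ANCHORS = {"gov.": [make_ds("gov.", GOV_KSK)]}

if __name__ == "__main__":
    cases = (("gov.", [GOV_KSK]), ("gov.", [FORGED_KSK]), ("org.", [GOV_KSK]))
    for zone, keys in cases:
        print(zone, "key tag", key_tag(keys[0]), "->", check_zone(zone, keys, ANCHORS))
```

The "no-anchor" result is the case discussed throughout this thread: without a signed root, a DLV entry or a manually installed key, a resolver has nothing to compare the served DNSKEY against.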

Banks? (0)

mcgrew (92797) | about 6 years ago | (#25103081)

some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites

Might be encouraged? They should be forced to by law!

Re:Banks? (2, Insightful)

Chyeld (713439) | about 6 years ago | (#25104589)

Why? Don't we have enough laws that attempt to legislate technology? Yes it's a desirable technology, but do we really need to be chained to it with a law that two decades from now will solely be an obstacle to implementing the next new desirable technology?

Banks and other businesses will move to it once they see a good business case in doing so. Let that decide matters.

Please understand, I'm not a laissez faire sort of fellow most of the time. But if you have the government start trying to decide how the core mechanics of the internet work, I guarantee you whatever small benefit you gain from the initial decision will be drowned out by the stagnation that results later on.

Re:Banks? (1)

mcgrew (92797) | about 6 years ago | (#25105065)

Don't we have enough laws that attempt to legislate technology?

This isn't about legislating technology, it's about protecting Grandma from the bankers who don't give a rat's patoot whether or not Grandma gets stolen from.

Banks and other businesses will move to it once they see a good business case in doing so

Yes, THEIR interest. I don't care about their interest, I want protection against them. THEIR interest is what has caused the current banking crisis; deregulation has a large part of the current problem.

I wouldn't say "pass a law mandating this technology", I'd say pass a law making them responsible for keeping your identity safe. They can use whatever tech they want, but if somebody phishes Grandma because their security is lax, Grandma should collect triple damages. You can bet your ass they would implement the strongest measures available. As it is now, they have no incentive whatever to keep grandma safe from their errors.

Re:Banks? (1)

Chyeld (713439) | about 6 years ago | (#25105345)

Banks and other businesses will move to it once they see a good business case in doing so

Yes, THEIR interest. I don't care about their interest, I want protection against them. THEIR interest is what has caused the current banking crisis; deregulation has a large part of the current problem.

Their incentive is the fact that they are already on the hook for Grandma's money if she's scammed.

And as an aside, you do realize that our current crisis

  1. Involved a completely different sort of bank than Grandma keeps her money in.
  2. Was pretty much everyone involved's fault. From the borrowers who got in over their head and the lenders who took a risk in giving them the money, to the investors who saw mortgage backed securities as the next hot thing to make money on.

Putting the blame solely on one part of the equation is rather short sighted and dangerously close to enabling the whole thing to happen all over again when someone decides that a patch on one section is enough to keep the whole shaky setup going.

Re:Banks? (1)

mcgrew (92797) | about 6 years ago | (#25108643)

Their incentive is the fact that they are already on the hook for Grandma's money if she's scammed.

No, I'm afraid you're wrong. I had my car, a book of checks, and my bank card stolen. The woman who stole these things had watched me punch in the PIN number over my shoulder; she was NOT authorized to dip into my account.

The police recovered the car, the bank made good on the forged checks, but not the debit card; if someone has your PIN number, no matter how they get it, they are authorized.

I no longer use a debit card because of that.

And as an aside, you do realize that our current crisis

Yes, I do. I place the blame solely on the Federal government for failing to live up to its responsibility to regulate the banking industries. And it WILL happen again. With luck we'll all be dead; the last time this happened was in 1929 (not counting the S&L debacle).

Re:Banks? (1)

Chyeld (713439) | about 6 years ago | (#25108957)

No, I'm afraid you're wrong. I had my car, a book of checks, and my bank card stolen. The woman who stole these things had watched me punch in the PIN number over my shoulder; she was NOT authorized to dip into my account.

The police recovered the car, the bank made good on the forged checks, but not the debit card; if someone has your PIN number, no matter how they get it, they are authorized.

I no longer use a debit card because of that.

And this has to do with the current discussion of "grandma" being scammed by a sophisticated internet banking scam how? Are you claiming DNSSEC would have saved you then? You even pointed out that the bank made good on the items that they were on the hook for. Are you claiming you don't think that the scam that poor grandma would fall for isn't something they would be on the hook for? Have any references for that?

I place the blame solely on the Federal government for failing to live up to its responsibility to regulate the banking industries. And it WILL happen again. With luck we'll all be dead; the last time this happened was in 1929 (not counting the S&L debacle).

You sound like a teenage me blaming my parents for not being perfect. Why don't we actually blame the people who made the mistakes, who presumably were adults and capable of making their own decisions, rather than blame the guy who half the time gets screamed at for interfering and the other half the time gets screamed at for not interfering.

Re:Banks? (2, Insightful)

AnyoneEB (574727) | about 6 years ago | (#25109721)

He is giving an example of an attacker getting access to his debit card and the bank taking no liability for it. You are free to complain about him whining because you think he should be the one liable not the bank (that is a different, irrelevant argument), but the topic of discussion is that the bank customer is liable not the bank. This means the bank has no incentive to improve their security. In fact, better security probably costs more -- at least the cost of paying someone to figure out how to fix problems with their current procedures -- so they have a direct financial incentive to keep the security at the current status quo. Although, if the other banks improve, competition may force them to make changes.

Re:Banks? (1)

mcgrew (92797) | about 6 years ago | (#25110097)

You hit the nail on the head. Not a whine, an example. I solved the problem of never knowing when someone is looking over my shoulder by not having a debit card, problem solved.

Re:Banks? (1)

Chyeld (713439) | about 6 years ago | (#25110321)

The point of my comment was not to 'complain about him whining because you think he should be the one liable not the bank', and in fact I didn't.

The point of my comment was to point out that simply because that particular hole exists for debit cards it doesn't have anything to do with the issues he's trying to argue we should have laws 'protecting us' from the banks for.

There are laws in place already to protect us from those issues. Read up on identity theft law and you will see that the banks are on the hook for it. We don't need more laws simply because he's been bitten once someplace else and is now completely paranoid that the rest of the system is out to get him too.

And regarding the whole "cost" issue, I've had friends that worked in Bank IT Security, and not only did they take it seriously, but they certainly didn't see the situation to be "maintain the status quo, it costs less". Some of these places make the military and government IT departments look like a group of first year LUG members.

The problem is, most identity theft isn't through some 'leet' hacker exploiting an issue that DNSSEC only barely protects against, most identity theft is done the same way it was done centuries ago when it was just plain theft. Through social engineering and taking advantage of those who aren't wary. DNSSEC won't fix that. At best it'll make it a tad harder for someone to pretend to be www.example.com, but they don't do that anyway.

Instead they pretend to be www.example.example.org or some other fake domain designed to look right to "grandma". And this doesn't fix that. All DNSSEC fixes is the potential situation where www.example.com's web site is 'taken over' and pointed to someplace else nefarious.

Re:Banks? (0)

Anonymous Coward | about 6 years ago | (#25106921)

Won't someone think of the grandmas?

SSL, anyone? (2, Insightful)

SanityInAnarchy (655584) | about 6 years ago | (#25103105)

What does DNSSEC buy me if I use https?

And if irs.gov isn't supporting https, wouldn't that be the place to start, rather than DNSSEC?

Re:SSL, anyone? (1)

Chrisq (894406) | about 6 years ago | (#25103251)

Absolutely. Without https you could be subject to a man in the middle attack. This is at least as big a hole as a DNS spoofing/cache poisoning.

They would have been a lot better off going https with extended validation certificates and widely publishing the fact that with a modern browser you should see a green address bar, that would have ensured that dns spoofing and man in the middle attacks would be detected.

Re:SSL, anyone? (1)

Mr Thinly Sliced (73041) | about 6 years ago | (#25103287)

DNSSEC is actually buying the initial phone number (ip address) lookup security. Current DNS is unsecured - if I spot an unsecured phone number lookup go past on the 'net, I can spoof back my phone number - and from there on in even if you use HTTPS you are talking to the wrong person....

In fact, DNSSEC is one of the things I'd really like to see widespread adoption of, with it we can actually start to make some headway in turning off the spam (we can reverse lookup who is trying to send the mail, and be *"faily sure" that it is coming from someone we allow to send us mail).

* For interesting values of "faily sure", since of course even DNSSEC relies on a tree of trust, much like SSL certificates.

Mr Thinly Sliced

Re:SSL, anyone? (0)

Anonymous Coward | about 6 years ago | (#25103573)

Current DNS is unsecured - if I spot an unsecured phone number lookup go past on the 'net, I can spoof back my phone number - and from there on in even if you use HTTPS you are talking to the wrong person....

And here I thought that in order for this to work, either you must possess the private key of the site you're spoofing, or the user must accept the warning about the invalid SSL certificate.

Re:SSL, anyone? (1)

Mr Thinly Sliced (73041) | about 6 years ago | (#25103843)

You are absolutely correct - for spoofing with HTTPS to work without provoking some kind of warning, the spoofer needs a "valid" certificate (private key) with a valid correct certificate chain for the domain in question - it doesn't have to be the private key of the real owner... Social engineering for getting such a thing is feasible.

DNSSEC like HTTPS and certificates are all armour against malicious attackers, but as any security guy will tell you, there is no such thing as 100% real security, just various levels of confidence. DNSSEC helps in adding some extra confidence.

But let's not forget how many people just use unsecured site access - I pop along to my bank http site to obtain a phone number to call them....

Re:SSL, anyone? (1)

Giant Electronic Bra (1229876) | about 6 years ago | (#25103345)

The 2 things are orthogonal to each other. DNSSEC insures that the site you go to is ACTUALLY the site you wanted to go to.

HTTPS just encrypts the traffic to/from that site once you get there.

In principle an SSL cert insures that the site is what it claims to be, but there are so many possible ways to fool people on that score that it really isn't all that effective.

Besides, if someone subverts DNS, then basically all bets are off anyway because at that point they have the ability to make any particular URL point where they want, so the opportunities to fool you are legion. Form submissions can easily be sent off to anywhere, etc. You MIGHT see a browser pop up warning at some point, but it is pretty unlikely people will be alarmed by that.

Re:SSL, anyone? (1)

ultranova (717540) | about 6 years ago | (#25103733)

The 2 things are orthogonal to each other. DNSSEC insures that the site you go to is ACTUALLY the site you wanted to go to.

HTTPS just encrypts the traffic to/from that site once you get there.

Not true. HTTPS also includes a certificate-based identifying system. Otherwise it would be pretty worthless, as nothing would stop a man in the middle from intercepting the initial contact attempt.

Re:SSL, anyone? (1)

hal9000(jr) (316943) | about 6 years ago | (#25103963)

HTTPS also includes a certificate-based identifying system.

More precisely, SSL/TLS authenticates the server you are talking to based on its domain name and the certificate's common name provided one of the following is true:
  • The server's certificate is signed by a trusted CA. A trusted CA means the CA certificate is in the browser's (in the case of a web browser) certificate store.
  • OR The server's certificate is self-signed, and a copy of that self-signed certificate is in the browser's certificate store. Hopefully you got the self-signed certificate via a trusted source.

You could sum up the difference this way. DNSSEC ensures the IP address attached to a hostname resolved via DNS is authentic. SSL ensures that you are actually talking to the intended host.

Re:SSL, anyone? (1)

Giant Electronic Bra (1229876) | about 6 years ago | (#25104083)

Actually unless BOTH the client and server must present certificates (which is not supported by any web site I know of) then a MITM attack is PERFECTLY feasible over SSL.

It is true that if I'm 'evil hacker' and I spoof your DNS for say www.irs.gov then I have a problem that if that URL is HTTPS I don't have a copy of their SSL certificate and I can't get one that will work without a pop up warning.

HOWEVER that is rarely the case, home pages are always straight HTTP. So evil hacker can now present me with any content he wishes and as far as I can tell it is coming from www.irs.gov, and NOTHING will tell me different, or even could in theory tell me different.

At that point anything I navigate to within that site is under evil hacker's control and there are trivially simple ways evil hacker can present content to me that will be HTTPS and yet be going to whatever site he does control, like simply pointing an insecure FORM at an HTTPS target on a URL evil hacker DOES own (which will have a good SSL cert). Combine that with clever framing and use of some plausible sounding URLs and the probability that the victim will ever notice what's happening is pretty small.

HTTPS is a useful security mechanism, but in the face of compromised DNS it is not at all sufficient. Besides, as I pointed out above, a MITM attack is perfectly feasible and so yet another tool is in the hacker's arsenal, one which is trivial to deploy in the face of DNS spoofing.

Now, let's think really evil for a bit. Suppose I can spoof your DNS. HOW CAN YOU EVER BE SURE ANYTHING YOU DO FROM THEN ON FOREVER is not under my control? I can redirect your email, I can in fact be in the position of controlling EVERY SINGLE INTERACTION you have with ANYTHING from then on. I can take control of your A/V updates, your OS patches, your VOIP, absolutely anything. Not to say it would be worth all the work for evil hacker to do that in all probability, but once I own your DNS, I own your interaction with the network at a deep level.

Re:SSL, anyone? (1)

blueg3 (192743) | about 6 years ago | (#25105029)

This is the well-known "login page is not over https" problem.
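A site owner can check their own pages for the pattern discussed in the two comments above (a form served over plain HTTP, or a form that submits to a different host). The following is an added example, not part of any comment in this thread; the page URLs, host names and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "password":
                self.forms[-1]["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_forms(page_url, html):
    """Return (submit_url, has_password_field, issues) for every risky form."""
    page = urlsplit(page_url)
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        # An empty action submits back to the page itself.
        target = urlsplit(urljoin(page_url, form["action"]))
        issues = []
        if page.scheme != "https":
            # The page carrying the form could have been altered in transit.
            issues.append("page-not-https")
        if target.scheme != "https":
            issues.append("submit-not-https")
        if target.hostname != page.hostname:
            issues.append("cross-host-submit")
        if issues:
            findings.append((target.geturl(), form["password"], issues))
    return findings


# Constructed sample pages (not taken from any real site).
HTTP_HOME = """
<html><body>
  <form action="https://secure.example.net/login" method="post">
    <input type="text" name="user"><input type="password" name="pw">
  </form>
</body></html>
"""
HTTPS_LOGIN = """
<html><body>
  <form action="/login" method="post">
    <input type="text" name="user"><input type="password" name="pw" />
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url, doc in (("http://www.example.com/", HTTP_HOME),
                     ("https://www.example.com/signin", HTTPS_LOGIN)):
        print(url, audit_forms(url, doc))
```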

Re:SSL, anyone? (1)

Burz (138833) | about 6 years ago | (#25105619)

You don't know what you're blathering (at length, I might add) about.

Operating systems and browsers come with the public keys of the OS distributor and Certificate Authorities built-in. Unless the responses of the spoofer/MITM system can be validated with these crypto keys, then the user will be warned that the remote site is trying to use an invalid cert. But the spoofer doesn't have the private key of the OS Distro or CAs, so they can't generate responses that jibe with the client's crypto.

If you take over my DNS and try to direct me to false HTTPS sites then it's a no-go. If the spoofing starts with HTTP then so what? You can't control the browser's address bar and make HTTPS://sitename + the Lock symbol appear.

Re:SSL, anyone? (1)

smoker2 (750216) | about 6 years ago | (#25103813)

I don't agree there. If the US Govt can't get their own Authority key added to the browser (like Thawte, verisign etc) then they're not trying. It's pretty hard to circumvent a built in device by getting a cheapo freessl cert. They could even make it so that when you access such a govt. site, a big popup tells you that you ARE at a govt. site.
It's cheaper to include a new Authority in the browser than change the whole DNS system worldwide.

Re:SSL, anyone? (1)

Giant Electronic Bra (1229876) | about 6 years ago | (#25104419)

Sure, but if I control your DNS I can just patch your browser to do whatever I want... So for example I can install my own root cert.

DNS HAS to be secure, all other aspects of security on the net indirectly depend on the integrity of DNS, and once that is gone, then you have already lost all other battles. It's game over.

Re:SSL, anyone? (1)

blueg3 (192743) | about 6 years ago | (#25105173)

Except that automatic-update systems, such as what you would use to patch the browser against the user's will, only accept signed packages. You can hijack the domain name and send them all the malicious data you want, but they won't install it for you, because the browser doesn't implicitly trust the domain name.

DNS does not *have* to be secure. It just makes it much more convenient.

Scam (2, Informative)

Arthur B. (806360) | about 6 years ago | (#25103111)

www.irs.gov — is operated by the Internal Revenue Service and not a scam artist

www.irs.gov is operated by a scam artist

There, fix that for you.

Re:Scam (0)

Anonymous Coward | about 6 years ago | (#25107945)

Hi Arthur,

I'm with the IRS homeland security department and would like to look into those scams. Please provide your social security number and we'll get back to you ASAP.

Regards,
Tax D Man

I wish they had thought of that (2, Funny)

Chrisq (894406) | about 6 years ago | (#25103201)

Before I took up their cash-in hand job offer to deliver a package to their embassy in Islamabad. I've started to wonder whether the ticking really is an alarm clock. ;-)

Re:I wish they had thought of that (1)

jonaskoelker (922170) | about 6 years ago | (#25107899)

Before I took up their cash-in hand job offer

So did you get the hand job in your sweet ass-car? ;)

Oh no (1)

otacon (445694) | about 6 years ago | (#25103229)

So when I went to the IRS site to pay my taxes and it said I was the 1 millionth visitor and won an iPhone, that wasn't real? Now I know why I've been waiting months for this thing to come in the mail.

HOORAY. This is a GOOD THING. (3, Insightful)

dwheeler (321049) | about 6 years ago | (#25103317)

This won't solve all the problems of the universe, but this is a GOOD THING. Securing DNS is absolutely critical to making the Internet a safer place. If I type in "irs.gov", I want to go to "irs.gov", not some spam site, and this helps me get there. DNSSEC can provide IP addresses with a strong guarantee that the IP addresses are actually correct. DNSSEC can even provide other keys, and make it possible to EASILY send secure emails without having to do a key exchange ahead-of-time. See, for example: http://www.dwheeler.com/essays/easy-email-sec.html [dwheeler.com]

Re:HOORAY. This is a GOOD THING. (0)

Anonymous Coward | about 6 years ago | (#25106013)

This won't solve all the problems of the universe, but this is a GOOD THING. Securing DNS is absolutely critical to making the Internet a safer place. If I type in "irs.gov", I want to go to "irs.gov", not some spam site, and this helps me get there.

Irs.gov being irs.gov can be verified with HTTPS and SSL/TLS.

DNSSEC can provide IP addresses with a strong guarantee that the IP addresses are actually correct.

Yes, but having the correct IP address doesn't still prevent man-in-the-middle attacks or re-routing your traffic. HTTPS and SSL/TLS, on the other hand, would guarantee that you're talking to the correct endpoint.

DNSSEC can even provide other keys, and make it possible to EASILY send secure emails without having to do a key exchange ahead-of-time. See, for example:
http://www.dwheeler.com/essays/easy-email-sec.html [dwheeler.com]

Easily? Did you read the text behind the link yourself? Non-DNS key from DNS to access LDAP and fetch user keys via some 'not-yet-available' mapping?

What's wrong with using plain LDAP to fetch a certificate, verify certificate and encrypt away? You know, the standard way.

DNSSEC has its uses, but heck, well documented problems as well. It can certainly work for .gov, where a single entity is verifying and certifying domain keys.

Re:HOORAY. This is a GOOD THING. (0)

Anonymous Coward | about 6 years ago | (#25108521)

Easily? Did you read the text behind the link yourself?

Heh man... look at the name on the paper and his /. login... This guy *wrote* that piece of garbage in 2002, revised it in 2007... He's been delusional for at least 6 years, trying to get a non existing problem fixed.

What's wrong with using plain LDAP to fetch a certificate, verify certificate and encrypt away? You know, the standard way.

Absolutely nothing. Works like a charm.

Re:HOORAY. This is a GOOD THING. (1)

gkuz (706134) | about 6 years ago | (#25108873)

If I type in "irs.gov", I want to go to "irs.gov"

It's 2008. Does anybody type URLs any more?

Look at that Bush administration go! (-1, Flamebait)

tjstork (137384) | about 6 years ago | (#25103383)

Making the Internet safe for Democracy. What a great thing Bush has done. I haven't seen Obama call for securing .gov. Bush is so great.

How not to worry about the online IRS security... (1)

Notquitecajun (1073646) | about 6 years ago | (#25103501)

File by paper, particularly if you have to pay out. You get it in the mail and your money stays in your account earning you a little more interest for a few more days.

Re:How not to worry about the online IRS security. (1)

The Dancing Panda (1321121) | about 6 years ago | (#25104393)

Because we all know physical mail is impervious to man-in-the-middle attacks.

Not so fast! (3, Interesting)

duplo1 (719988) | about 6 years ago | (#25103691)

My understanding is that unless DNSSEC is implemented in the last mile resolvers (e.g. my ISP), it doesn't buy a whole lot, especially when it comes to preventing cache poisoning attacks. Moreover, according to RFC4035, delegation records and glue records aren't subject to public key verification (i.e. not signed), so DNSSEC could still be vulnerable. Until DNSSEC is pushed out to the end user to the point that our browsers are performing signature verification, I don't think it's going to buy us the security we're looking for. Even then, with PKI being notoriously difficult to implement, I'm sure it will be botched and somebody will find ways to poison public key registries with fake public keys, etc.

Re:Not so fast! (1)

amorsen (7485) | about 6 years ago | (#25104301)

My understanding is that unless DNSSEC is implemented in the last mile resolvers (e.g. my ISP), it doesn't buy a whole lot, especially when it comes to preventing cache poisoning attacks.

DNSSEC was written with the explicit goal of not having to trust or upgrade servers in the middle. Your machine needs to do the DNSSEC verification itself. Not the browser, or you would only have secured the browser. Not the last mile resolver, as you call it, because you can't trust that.
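The distinction in this exchange shows up in the DNS message itself: an end host that wants to validate for itself asks for the signatures (DO bit, plus CD in the header), while a host that relies on the resolver only sees an AD flag it cannot check. The following is an added example, not part of any comment; the responses are constructed bytes, the RRSIG data is filler, and the signature verification step itself is not implemented here.

```python
import struct

# Header flags (RFC 1035 / RFC 4035) and the EDNS0 "DNSSEC OK" bit (RFC 3225).
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD = 0x0020   # Authentic Data: the *resolver* says it validated the answer
FLAG_CD = 0x0010   # Checking Disabled: send me the data, I will validate it
EDNS_DO = 0x8000   # DO bit, carried in the flags half of the OPT record's TTL
TYPE_A, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 41, 46, 1


def encode_name(name):
    """Encode a host name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, msg_id, validate_locally=True):
    """A query from a self-validating host: RD + CD in the header, DO in OPT."""
    flags = FLAG_RD | (FLAG_CD if validate_locally else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT pseudo-record: root owner, CLASS = UDP payload size,
    # TTL = extended rcode / version / flags, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def summarize(msg):
    """Pull out the AD flag and the record types in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"ad": bool(flags & FLAG_AD), "types": types}


def basis_for_trust(msg):
    """What an end host can conclude from a response before doing any crypto."""
    info = summarize(msg)
    if TYPE_RRSIG in info["types"]:
        return "signatures present: verify locally against the DNSKEY chain"
    if info["ad"]:
        return "AD flag only: resolver's unauthenticated claim"
    return "unsigned: no DNSSEC evidence"


def sample_response(name, ad, with_rrsig, msg_id=0x1234):
    """Constructed response bytes; the RRSIG RDATA is filler, not a signature."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    qname = encode_name(name)
    rrs = [(TYPE_A, bytes([192, 0, 2, 10]))]
    if with_rrsig:
        rrs.append((TYPE_RRSIG, b"\x00" * 18 + qname + b"constructed"))
    body = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    for rtype, rdata in rrs:
        body += (b"\xc0\x0c"
                 + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata)
    return struct.pack("!HHHHHH", msg_id, flags, 1, len(rrs), 0, 0) + body


if __name__ == "__main__":
    print(build_query("www.example.com", 0x1234).hex())
    for ad, sig in ((True, False), (False, True), (False, False)):
        print(basis_for_trust(sample_response("www.example.com", ad, sig)))
```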

maybe they can work out how to archive emails next (1)

toby (759) | about 6 years ago | (#25104073)

Since accountability evasion has proven notoriously hard [google.ca] to fix, and shows every sign of being an ongoing problem. [google.ca]

Good for IPv6 adoption? (1)

Gamma746 (1361063) | about 6 years ago | (#25104581)

Since IPv6 addresses are more or less impossible to remember, (especially to the average user) being able to trust hostnames would really help security-wise.

Scam Artist (0)

Anonymous Coward | about 6 years ago | (#25104637)

"When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist."

This sentence confuses me! It seems to imply some distinction between "IRS" and "scam artist" of which I am unaware.

Why not DNSCurve? (1)

feld (980784) | about 6 years ago | (#25104651)

I'm not here to give DJB a handjob, but I do think his idea of DNSCurve is quite brilliant.

http://dnscurve.org/ [dnscurve.org]

Why this is a bad example (3, Informative)

OpenYourEyes (563714) | about 6 years ago | (#25104745)

Ignoring if DNSSEC is good or not, this is a pretty bad example of why to do this. Nobody goes to irs.gov to file their taxes. Instead, they go to a third-party (like Quicken, as just one example) who will file their taxes with the IRS. This was part of a deal worked out many years ago - in exchange for the IRS not providing its own e-file solutions, the third-party companies would have to provide free online e-filing (but would still, of course, be able to sell their own software to do the same thing).

HTTPS? (1)

supernova_hq (1014429) | about 6 years ago | (#25105495)

Could someone please explain the difference between what they are doing and simply installing SSL Certs?
This sounds a lot like non-news to me...

Re:HTTPS? (1)

Simon (S2) (600188) | about 6 years ago | (#25106259)

https certs, if implemented correctly, grant end to end encryption and authentication from one endpoint to another (usually your browser and the server you connect to): you know who you are talking to and the stuff you send is encrypted.
dnssec, on the other hand, "guarantees" you, that the DNS entry of www.example.org you get back from the DNS server is unadulterated and legitimate.
You are right with your assumption that dnssec doesn't add anything new: if https is implemented and used correctly, you are already "secure".

Oh man, do I hope Dan J Bernstein is reading.... (0)

Anonymous Coward | about 6 years ago | (#25106503)

He has certainly mellowed a bit in recent years (he used to come across as an arrogant prick), but he's pretty good at explaining why DNSSEC does NOT solve much, if anything.

what about... (1)

hesaigo999ca (786966) | about 6 years ago | (#25107455)

I know I may be stating the obvious, but we all know that the only way someone can own the name .gov is now if they were able to poison the dns cache on a server you are pinging...so what about for safe keeping I was to let's say, ask for 103.45.3.23 which is the actual server the US government uses.
This would avoid all these problems for posting your taxes online, and it's not like I need to remember a million of these addresses, how about just 1....the one you are needing to post to, make it available online everywhere, so that if people want to feel safer, they can use the number instead of trusting a man in the middle saying what the url resolves to....no?

filing at irs.gov (1)

socsoc (1116769) | about 6 years ago | (#25107575)

Since when does www.irs.gov allow you to file taxes? Last I checked, they only list other sites that allow you to file... None of which are .gov.

DNSSEC is not the solution (1)

root777 (1354883) | about 6 years ago | (#25107653)

Authentication should not be performed at the DNS level. Spoofing needs to be prevented at the application layer instead. Does DNSSEC help me verify and validate my IM buddies? What about P2P or for that matter any other distributed systems or for large scale online apps such as YouTube. Are we trying to force a square peg into a round hole here? Sure DNSSEC would upgrade the whole infrastructure space but like anything else, implementation is the key.

You 1nsensitive clod. (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#25108247)

share, this News

SQL in the HTML! (1)

Plugh (27537) | about 6 years ago | (#25110391)

Maybe someone will finally fix the apparent glaring security hole [nhliberty.org] in New Hampshire's .gov website [state.nh.us] .