Slashdot Log In
Feds Tighten DNS Security On .Gov
Posted by
CmdrTaco
on Mon Sep 22, 2008 08:11 AM
from the totally-safe-we-promise dept.
from the totally-safe-we-promise dept.
alphadogg writes "When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency. That's because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption."
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Just what they want you to think (Score:4, Insightful)
The easiest way entrap a victim is to promote a feeling of security.
Nothing says 'rob me blind' than 'trust us'.
Re:Just what they want you to think (Score:5, Funny)
Which is why this originated from the IRS.
Parent
A bar decides to have a contest about ... (Score:5, Funny)
who can squeeze every last drop of juice out of a lemon. So, the local strong guys line up and try....
The first guy, a big burly construction guy give it a try and squeezes the lemon so that nothing comes out.
A big body builder guy walks up and squeezes some more drops out but then nothing.
Another big guy shows up and nothing. Just as the bartender was about to announce a winner, a small, bespectacled fellow wearing a business suit walks up and says in a mousy voice, "Let me try."
Laughter ensues around the bar and they hand him the lemon. He squeezes and out pours more juice and he's declared the winner. The body builder asks, "How did you do that ?!?"
The little guy answers, "I work for the IRS."
Parent
Re:Just what they want you to think (Score:5, Funny)
On a similar note,
Wait, those are two different things?
Parent
Re:Just what they want you to think (Score:4, Funny)
The IRS is not a scam artist... it is a protection racket.
And generally, yeah, you want to make sure you pay the right guy in a protection racket.
Parent
Re: (Score:2)
Paranoia modded up as insightful - yeah, what I'm talking about, this is Slashdot. Seemingly lacking touch with "real life" (tm).
Re: (Score:2)
Nothing says 'rob me blind' than 'trust us'.
Everyone trusts them that it is the law that you must file your tax return. Wouldn't that violate the 5th amendment? [wikipedia.org]
...nor shall be compelled in any criminal case to be a witness against himself...
You can be criminally charged for not filing your taxes and for filing your taxes incorrectly.
However, I must stress that you should pay your taxes because the IRS probably has more guns, lawyers and judges than you do!
Re:Just what they want you to think (Score:5, Insightful)
"you can be confident that every U.S. government Web page is being served up by the appropriate agency."
The easiest way entrap a victim is to promote a feeling of security.
I would venture a guess: any visitor to *.gov who doesn't know what a packet is (i.e. at least 95% of the public) will already feel secure. Also, since the difference between secure DNS and insecure DNS will be absolutely invisible to them (presumably), they won't feel any more or less secure now. Or they won't know what the difference between the green padlock and the yellow padlock is. At any mention of the secure DNS in the press, these 95% of visitors will have forgotten about it the next day [just as I might].
Bottom line: no one who doesn't deal with computers either professionally or as a hobby will notice. Their feeling of security will be unaffected.
Parent
Glad they fixed that (Score:2, Insightful)
Spam Can Bypass God (Score:2, Funny)
Yes, but with this handy +4 magic marker, spammers can bypass the multi-trillion dollar infrastructure and pwn your inbox.
IRS vs. Scam Artists? (Score:2)
Re: (Score:2)
Comme ci, comme ca. (the c with an Cedille, but Slashdot doesn't know how to print that.)
Re: (Score:3, Informative)
(you need to use HTML character entities: "comme ça". Slashdot only supports some—a fairly arbitrary subset—of these.)
Re: (Score:2)
A ce façon?
Re: (Score:2)
Re: (Score:2)
Not that I'm an expert but given that it is a quotation the sentence, while technically not correct, could very well accurately represent what Mr. Beckett said or wrote. Please post a link to the quote on a reputable site so we can figure out which version is correct.
Why do I don't think it'd help? (Score:2)
It sounds like a good idea... Why do I feel that this is a user problem though that won't be fixed by a techy fix?
When I read the headline, I thought that they were going to make sure everyone that uses the .gov domain was an actual government agency and not scam artists... That's some thing I'd hope that they are doing now, but I wouldn't hold my breath on it.
The thing is this won't stop a stupid person from following irs-im-a-stupid-user-.com, .tv, .org, or .net.
How About They.. (Score:5, Informative)
They really need to crack down more on sites like this one: http://www.usagc.org/ [usagc.org] while they're at it.
WIN A FREE GREEN CARD! SIGN UP NOW FREE!*
* $100 entry fee.
Good for opportunistic encryption (Score:5, Interesting)
If my memory is correct, DNSSEC is one of the prerequisites for making opportunistic encryption easier to deploy widely. I hope this catches on and becomes more widespread.
Re: (Score:2)
Totally agree that things like opportunistic encryption would be great, although I'm sure we'll get to see a lot of bugs and issues first before things get better.
Now if only... (Score:3, Insightful)
Re: (Score:2)
100% of what is collected is absorbed solely by interest on the Federal Debt ... all individual income tax revenues are gone before one nickel is spent on the services taxpayers expect from government.
-Grace Commission report submitted to President Ronald Reagan - January 15, 1984
I'm sure I'll now be called crazy for simply reading a public document released by our own government.
How useful is DNSSEC w/o top-level signed? (Score:5, Interesting)
I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. If I understood it right, the main attack DNSSEC is intended to prevent is a man-in-the-middle returning a fake response to your computer's (or your ISP's computer's) DNS query, a fake that it accepts in place of the real response.
If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov, at least as far as your ISP knew.
Anyone know how plausible that attack remains? Knowledgeable responses welcome :)
Of course, part of getting DNSSEC set up for the whole internet is seeing how well it plays out in real-world testing, and .gov is the logical place to start. I assume once any kinks are discovered from this rollout, we'll be one step closer to enabling it on the root servers, which will allow any TLD to achieve a real security gain.
Re:How useful is DNSSEC w/o top-level signed? (Score:5, Informative)
I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. [...] If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov.
That would be my exact understanding as well.
The details are these: Every node in the DNS tree has a key pair. Everybody knows the public key of the root. Every response to a request contains an answer, and a signature on that answer. As an additional request, you can ask for public keys too.
So, here's the scenario for going to whitehouse.gov, assuming full deployment of DNSSEC:
This secures step 4. Step 2 is still not secured. Paul Vixie has given some good talks on DNSSEC and everything else that's wrong with the interwebs ;) See http://www.usenix.org/events/lisa05/tech/mp3/vixie.mp3 [usenix.org]. You may also like http://media.defcon.org/dc-13/audio/2005_Defcon_V7-Paul_Vixie-The_Internets_March_of_Folly.mp3 [defcon.org].
Parent
Re: (Score:2)
1. Ask root for whitehouse.gov 2. Receive IP of nameserver for .gov [check its signature]. Root may opt to give you the public key of .gov, otherwise ask for it and its check signature.
3. Ask .gov for whitehouse.gov
4. Receive IP of whitehouse.gov [check sig]. Also, .gov may opt to give you the public key of whitehouse.gov
5. Connect, now you know where to go :)
Ah, but it's more fun if you wind up at whitehouse.com
Re: (Score:2)
You are mostly correct, actually it's even worse.
This creates a false sense of security, because DNSSEC only works for those that support it and only works automatically for those TLD's that have it setup.
There is something called DNSSEC Look-aside Validation (DLV) which DNS-admins can use to validate manually setup validation of a tld or in this case .gov, but I doubt anyone will do it.
The only good thing is the software and procedures get tested better if .gov also starts using it.
And maybe ever DNS-admin
Re: (Score:3, Informative)
This can deal with the Chicken-and-egg problem (Score:4, Informative)
This is a classic chicken-and-egg problem. The good news is that the U.S. government _CAN_ require that its OWN sites implement DNSSEC - and once that's done, people who deal with those sites (most U.S. citizens) will have a reason to install DNSSEC and the relevant
What will probably happen is that there will be a Firefox plug-in (if there isn't already) that supplies these keys, and slowly browsers will add support for all this. The result: Accessing these sites will become more secure, over time. Good thing.
Parent
Re: (Score:3, Informative)
yes, there is one:
http://www.nlnetlabs.nl/dnssec/drill_extension.html [nlnetlabs.nl]
Re:How useful is DNSSEC w/o top-level signed? (Score:5, Informative)
First, to answer your question regarding the plausibility: there are a few scenarios in which it is possible. The most likely scenario is that you're on the same local network as an attacker so that he/she can intercept your DNS traffic and forge replies. This might be the case when you're using the wireless provided at a coffee shop, for instance. There exist automated tools to make this simple, and I would consider this the biggest vector of attack. The only other case I can think of is that an attacker has control of a router between you and the root servers. While this is technically possible, I would personally regard it as fairly infeasible for the average attacker. If you're in $THIRD_WORLD_COUNTRY and the mob controls internet access, you might have something to worry about.
I'm involved with a project called SecSpider [ucla.edu] that monitors the deployment of DNSSEC. We use a distributed network of pollers around the world to collect RRsets from all known DNSSEC-enabled zones. One of the reasons we use pollers from different locations is to detect attacks such as either of the two listed above, more likely the latter. If any attack were to occur, we stand the best chance of detecting it. We have been monitoring since 2005 and have yet to see such an attack.
An additional benefit of collecting all these RRsets is that we have what we call a "world-wide perspective" on DNSKEYs. Whenever we collect a set of DNSKEY RRsets from a zone, if the set is consistent across pollers, we add it to our DLV repository. A DLV (DNSSEC lookaside validation) resource record is very similar to a DS (delegation signer) record. It contains a cryptographic hash of the DNSKEYs served by a zone so that the zone's integrity can be checked. However, instead of being served by the zone's parent, it can be served by anyone.
The typical way in which a resolver detects if a zone is secure is by tracing a secure delegation from the root. Instead of the typical manner of starting at the root and querying recursively for NS records, the resolver queries for both NS and DS records. Then when it queries one of the nameservers listed in the NS records, it asks for the DNSKEYs and verifies them using the DS record. In this way, it is possible to build a chain of trust that leads all the way back to the root nameservers.
Unfortunately, without the root being signed, this process will not work. One alternative is to configure your resolver to query for DLV records to bootstrap the process. When your resolver queries a zone for DNSKEY RRs, it will also query the DLV repository for a DLV recording matching that zone. It will then attempt to cryptographically verify the DNSKEYs using that record. If it verifies, you know that someone you trust thinks your DNSKEYs are right, side-stepping the typical chain of trust (thus the name: "lookaside"). If you were to configure your resolver to use our repository, you would be able to verify if the DNSKEYs you receive are the same as the DNSKEYs being seen by all of our pollers around the world. Not perfect security, but definitely an improvement on the current situation.
If you're interested in the details of our project, you can check out our web site or ask me for more details. We have information on how to use our repository in our FAQ [ucla.edu].
You mention the notion of real-world testing of DNSSEC. It's worth noting that there are actually several TLDs that are currently signed (mostly ccTLDs), as well as a large number of second-level domains. gov is hardly the first, but it should definitely be the highest-profile rollout to date. We're currently waiting with bated breath to see the outcome.
Parent
SSL, anyone? (Score:3, Insightful)
What does DNSSEC buy me if I use https?
And if irs.gov isn't supporting https, wouldn't that be the place to start, rather than DNSSEC?
Re: (Score:2)
They would have been a lot better of going https with extended validation certificates and widely publishing the fact that with a modern browser you should see a green address bar, that would have ensured that dns spoofing and man in the middle attacks would be detected.
Re: (Score:2)
The 2 things are orthogonal to each other. DNSSEC insures that the site you go to is ACTUALLY the site you wanted to go to.
HTTPS just encrypts the traffic to/from that site once you get there.
In principle an SSL cert insures that the site is what it claims to be, but there are so many possible ways to fool people on that score that it really isn't all that effective.
Besides, if someone subverts DNS, then basically all bets are off anyway because at that point they have the ability to make any particular URL
Re: (Score:2)
Not true. HTTPS also includes a certificate-based indentifying system. Otherwise it would be pretty worthless, as nothing would stop a man in the middle from intercepting the initial contact attempt.
Re: (Score:2)
More precisely, SSL/TLS authenticates the server you are talking to based on it's domain name and the certificates common name provided one of the following is true:
Re: (Score:2)
Actually unless BOTH the client and server must present certificates (which is not supported by any web site I know of) then a MITM attack is PERFECTLY feasible over SLL.
It is true that if I'm 'evil hacker' and I spoof your DNS for say www.irs.gov then I have a problem that if that URL is HTTPS I don't have a copy of their SSL certificate and I can't get one that will work without a pop up warning.
HOWEVER that is rarely the case, home pages are always straight HTTP. So evil hacker can now present me with an
Re: (Score:2)
It's cheaper to include a new Authority in the browser than change the whole DNS system worldwide.
Re: (Score:2)
Sure, but if I control your DNS I can just patch your browser to do whatever I want... So for example I can install my own root cert.
DNS HAS to be secure, all other aspects of security on the net indirectly depend on the integrity of DNS, and once that is gone, then you have already lost all other battles. Its game over.
Scam (Score:3, Informative)
www.irs.gov is operated by a scam artist
There, fix that for you.
I wish they had thought of that (Score:3, Funny)
Oh no (Score:2)
So when I went to the IRS site to pay my taxes and it said I was the 1 millionth visitor and won an iPhone, that wasn't real? Now I kno why I've been waiting months for this thing to come in the mail.
HOORAY. This is a GOOD THING. (Score:4, Insightful)
How not to worry about the online IRS security... (Score:2)
Re: (Score:2)
Not so fast! (Score:3, Interesting)
Re: (Score:2)
My understanding is that unless DNSSEC is implemented in the last mile resolvers (e.g. my ISP), it doesn't buy a whole lot, especially when it comes to preventing cache poisoning attacks.
DNSSEC was written with the explicit goal of not having to trust or upgrade servers in the middle. Your machine needs to to the DNSSEC verification itself. Not the browser, or you would only have secured the browser. Not the last mile resolver, as you call it, because you can't trust that.
maybe they can work out how to archive emails next (Score:2)
Why this is a bad example (Score:4, Informative)
Re: (Score:3, Insightful)
Why? Don't we have enough laws that attempt to legislate technology? Yes it's a desirable technology, but do we really need to be chained to it with a law that two decades from now will solely be an obstacle to implementing the next new desirable technology?
Banks and other businesses will move to it once they see a good business case in doing so. Let that decide matters.
Please understand, I'm not a laissez faire sort of fellow most of the time. But if you have the government start trying to decide how the c
Re: (Score:3, Insightful)