
5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

Posted by Soulskill
from the rome-wasn't-built-in-5-years-either dept.
alphadogg writes "Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."
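The summary describes DNSSEC in one sentence: signatures over DNS data let a resolver tell a genuine answer from a poisoned one. The Go program below is an added illustration of that mechanism written for this page; it is not code from the story, from Kaminsky's work, or from any DNSSEC implementation. It models a zone signer producing an RRSIG over an A record set, a resolver validating it against the zone's DNSKEY, and a parent-zone DS record tying that key into a chain of trust. Ed25519 is a real DNSSEC algorithm (algorithm 15, RFC 8080); everything else is a simplification and an assumption of this example, in particular the record serialization (real DNSSEC signs RFC 4034 canonical wire format), the hex key tag (real key tags are 16-bit integers) and the DS digest input (real DS records digest the full DNSKEY RDATA). The sample names and the 192.0.2.x / 198.51.100.x addresses are constructed documentation values. Note that DNSSEC provides authentication and integrity only; nothing here is encrypted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RRset is a resource record set: every record sharing one owner name and type.
// The field layout is a simplified model, not RFC 4034 wire format.
type RRset struct {
	Name  string   // owner name, e.g. "www.example.com."
	Type  string   // "A", "AAAA", ...
	TTL   uint32
	Rdata []string // one entry per record in the set
}

// RRSIG is the signature record that accompanies an RRset.
type RRSIG struct {
	Inception  time.Time
	Expiration time.Time
	KeyTag     string // hex digest prefix naming the signing key (stands in for the real 16-bit key tag)
	Signature  []byte
}

// canonical produces the bytes that get signed. DNSSEC signs a canonical form so that
// case differences in the owner name or a different record order cannot break validation.
// Like a real RRSIG, the validity window and key tag are covered by the signature.
func canonical(rr RRset, sig RRSIG) []byte {
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	var b strings.Builder
	fmt.Fprintf(&b, "%s|%s|%d|%d|%d|%s|", strings.ToLower(rr.Name), rr.Type, rr.TTL,
		sig.Inception.Unix(), sig.Expiration.Unix(), sig.KeyTag)
	b.WriteString(strings.Join(rdata, ","))
	return []byte(b.String())
}

// KeyTag identifies a DNSKEY so the resolver knows which key an RRSIG belongs to.
func KeyTag(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:2])
}

// Sign is the zone operator's side: sign an RRset with the zone key for a validity window.
func Sign(priv ed25519.PrivateKey, rr RRset, inception, expiration time.Time) RRSIG {
	sig := RRSIG{Inception: inception, Expiration: expiration,
		KeyTag: KeyTag(priv.Public().(ed25519.PublicKey))}
	sig.Signature = ed25519.Sign(priv, canonical(rr, sig))
	return sig
}

// Validate is the resolver's side. A poisoned answer that swaps the address, replays an
// expired signature, or was signed with someone else's key is rejected here.
func Validate(pub ed25519.PublicKey, rr RRset, sig RRSIG, now time.Time) error {
	if sig.KeyTag != KeyTag(pub) {
		return errors.New("RRSIG key tag does not match the DNSKEY")
	}
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return errors.New("RRSIG outside its validity window")
	}
	if !ed25519.Verify(pub, canonical(rr, sig), sig.Signature) {
		return errors.New("RRSIG does not verify over this RRset")
	}
	return nil
}

// DS models the delegation signer record the parent zone publishes: a digest of the
// child's public key, so trust runs from a configured anchor down to the leaf zone.
func DS(childPub ed25519.PublicKey) string {
	h := sha256.Sum256(childPub)
	return hex.EncodeToString(h[:])
}

// ChainOK checks a child DNSKEY against the DS the (already validated) parent published.
func ChainOK(parentDS string, childPub ed25519.PublicKey) bool {
	return parentDS == DS(childPub)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample data: RFC 5737 documentation addresses, not a real zone.
	rr := RRset{Name: "www.example.com.", Type: "A", TTL: 300, Rdata: []string{"192.0.2.10"}}
	sig := Sign(priv, rr, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("genuine answer:", Validate(pub, rr, sig, now))

	poisoned := rr
	poisoned.Rdata = []string{"198.51.100.7"} // forged address presented with the genuine RRSIG
	fmt.Println("poisoned answer:", Validate(pub, poisoned, sig, now))
	fmt.Println("chain of trust:", ChainOK(DS(pub), pub))
}
```

The point of the validity window is what separates this from a plain signature check: a resolver that only verified the signature would accept a long-stale but genuine answer, which is why real RRSIGs carry inception and expiration times and why an unsigned or expired zone fails validation rather than silently downgrading.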

  • by grasshoppa (657393) on Tuesday January 29, 2013 @04:01PM (#42730465)

    Wrong actually. Security works best when it's simple. Make it too complex, or needlessly complex, and you open yourself up for implementation flaws.

    Security implementation should only be as complex as needed. Added complexity only serves to compromise the security you are trying to achieve in the first place.

  • by gweihir (88907) on Tuesday January 29, 2013 @04:11PM (#42730595)

    If your security depends on DNS working, you are screwed anyways. That is likely the main reason nobody uses DNSSEC: It does solve the wrong problem.

    1. The sane way for remote access is to require 2-sided authentication on connection, making DNSSEC entirely redundant.
    2. For the open web, things are a bit different, but there you can land on a malicious page any time and the only solution for that is a non-vulnerable browser or a secure browsing environment.

    There is also the small issue that DNSSEC is badly borked and a nightmare to install and maintain. In addition, the other PKI (SSL certs) is badly broken, and there is really no reason the DNSSEC PKI would fare any better if widely deployed. In the long run, it is very likely that DNSSEC is just a waste of time and effort.
