
Website Technology Issues Forum

    
Five Year-Old DNS Flaw Remains Unplugged Amongst Major U.S. Companies
engine




msg:4540665
 6:15 pm on Jan 30, 2013 (gmt 0)

Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat.
Five Year-Old DNS Flaw Remains Unplugged Amongst Major U.S. Companies [networkworld.com]
While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks.
"For whatever reason, the importance of securing their DNS has not raised itself up to a high enough level of priority for these organizations," says Mark Beckett, vice president of marketing for Secure64. "Perhaps they don't know there is a hole in the DNS and that if it is attacked, their customers could have their personal or financial information compromised."

 

ergophobe




msg:4540744
 9:49 pm on Jan 30, 2013 (gmt 0)

Interesting - just did site: search on some big hosting services and overwhelmingly the search returns no results.

Anyway, this is sort of like DKIM is for email, but DKIM implementation is simple if you have the privileges to edit your zone records. But I don't think it's so simple to implement DNSSEC. Whereas email servers are looking for DKIM and SPF verification, browsers aren't looking for anything except when you access a site with https and the cert can't be validated.

And then there's this based on the huge number of DoS attacks coming through Cloudflare's DNS service:

Ironically, DNSSEC is currently making some DNS reflection attacks worse because of the large amount of data that DNSSEC can return.

[blog.cloudflare.com...]
