
Forum Moderators: buckworks & webwork

ICANN To Change Cryptographic Key Pairs For The First Time

     
4:32 pm on Sep 20, 2016 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:24080
votes: 499


ICANN was explaining about good security practice of changing cryptographic keys to help protect against redirected traffic, and then went on to say that it has never yet changed the key, so this is a step forward. It says it wants to do this when everything is "normal" and there is no kind of "emergency." The cryptographic key switch-over will take around two years to complete.


The key pair at the top of this chain, or the Root Zone Signing Key, is what ICANN is changing for the first time.

“If you had this key, and were able to, for example, generate your own version of the root zone, you would be in the position to redirect a tremendous amount of traffic,” Larson said.

“We want to roll the key because it's good cryptographic hygiene,” he added.

ICANN To Change Cryptographic Key Pairs For The First Time [motherboard.vice.com]

7:06 pm on Sept 20, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8049
votes: 287


It seems like this announcement should be made *after* the changes were made, not prior since it will take two years to complete.

9:10 am on Sept 23, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 14962
votes: 125


They need to let everyone know the keys are changing well in advance so that software and hardware vendors can prepare for the switch.

9:37 am on Sept 23, 2016 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:8049
votes: 287


I understand, but with this announcement aren't they in effect saying "you have a 2 year window to exploit this vulnerability and funnel traffic where you want."

11:48 pm on Sept 23, 2016 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts: 14962
votes: 125


It's not a vulnerability. They're just practicing good crypto hygiene by cycling the keys. While they're doing that they're also increasing the key size. There's no real threat to their current 1024-bit key now, but they're increasing the size just to be safe. This is really just routine key maintenance. Kind of boring actually. The interesting aspect of the story is that these are the keys that the entire Internet relies on, and they haven't been cycled before.
 
