Slashdot Mirror


Feds Tighten DNS Security On .Gov

alphadogg writes "When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency. That's because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption."

3 of 140 comments

  1. Just what they want you to think by Punko · Score: 4, Insightful

    "you can be confident that every U.S. government Web page is being served up by the appropriate agency."

    The easiest way to entrap a victim is to promote a feeling of security.

    Nothing says 'rob me blind' more than 'trust us'.

    --
    If only we could fall into a woman's arms without falling into her hands
    1. Re: Just what they want you to think by jonaskoelker · Score: 4, Insightful

      "you can be confident that every U.S. government Web page is being served up by the appropriate agency."

      The easiest way to entrap a victim is to promote a feeling of security.

      I would venture a guess: any visitor to *.gov who doesn't know what a packet is (i.e. at least 95% of the public) will already feel secure. Also, since the difference between secure DNS and insecure DNS will be absolutely invisible to them (presumably), they won't feel any more or less secure now. Or they won't know what the difference between the green padlock and the yellow padlock is. At any mention of the secure DNS in the press, these 95% of visitors will have forgotten about it the next day [just as I might].

      Bottom line: no one who doesn't deal with computers either professionally or as a hobby will notice. Their feeling of security will be unaffected.

  2. HOORAY. This is a GOOD THING. by dwheeler · Score: 3, Insightful

    This won't solve all the problems of the universe, but this is a GOOD THING. Securing DNS is absolutely critical to making the Internet a safer place. If I type in "irs.gov", I want to go to "irs.gov", not some spam site, and this helps me get there. DNSSEC can provide IP addresses with a strong guarantee that the IP addresses are actually correct. DNSSEC can even provide other keys, and make it possible to EASILY send secure emails without having to do a key exchange ahead-of-time. See, for example: http://www.dwheeler.com/essays/easy-email-sec.html

    --
    - David A. Wheeler (see my Secure Programming HOWTO)