Feds Tighten DNS Security On .Gov
alphadogg writes "When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency. That's because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites. DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption."
"you can be confident that every U.S. government Web page is being served up by the appropriate agency."
The easiest way to entrap a victim is to promote a feeling of security.
Nothing says 'rob me blind' more than 'trust us'.
If only we could fall into a woman's arms without falling into her hands
Now I can be sure I'm giving the IRS my money and not some other scam artist. I mean, not some scam artist. (:
Yes, but with this handy +4 magic marker, spammers can bypass the multi-trillion dollar infrastructure and pwn your inbox.
The dangers of knowledge trigger emotional distress in human beings.
Come se come sa
Use your head, can't you, use your head,
You're on earth, there's no cure for that - S. Beckett
It sounds like a good idea... Why do I feel that this is a user problem though that won't be fixed by a techy fix?
When I read the headline, I thought that they were going to make sure everyone that uses the .gov domain was an actual government agency and not scam artists... That's something I'd hope that they are doing now, but I wouldn't hold my breath on it.
The thing is this won't stop a stupid person from following irs-im-a-stupid-user-.com, .tv, .org, or .net.
They really need to crack down more on sites like this one: http://www.usagc.org/ while they're at it.
WIN A FREE GREEN CARD! SIGN UP NOW FREE!*
* $100 entry fee.
MABASPLOOM!
If my memory is correct, DNSSEC is one of the prerequisites for making opportunistic encryption easier to deploy widely. I hope this catches on and becomes more widespread.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Now, if only we could be confident about exactly where our taxes are going...
I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. If I understood it right, the main attack DNSSEC is intended to prevent is a man-in-the-middle returning a fake response to your computer's (or your ISP's computer's) DNS query, a fake that it accepts in place of the real response.
If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov, at least as far as your ISP knew.
Anyone know how plausible that attack remains? Knowledgeable responses welcome :)
Of course, part of getting DNSSEC set up for the whole internet is seeing how well it plays out in real-world testing, and .gov is the logical place to start. I assume once any kinks are discovered from this rollout, we'll be one step closer to enabling it on the root servers, which will allow any TLD to achieve a real security gain.
What does DNSSEC buy me if I use https?
And if irs.gov isn't supporting https, wouldn't that be the place to start, rather than DNSSEC?
Don't thank God, thank a doctor!
www.irs.gov is operated by a scam artist
There, fix that for you.
\u262D = \u5350
Before I took up their cash-in hand job offer to deliver a package to their embassy in Islamabad. I've started to wonder whether the ticking really is an alarm clock. ;-)
who can squeeze every last drop of juice out of a lemon. So, the local strong guys line up and try....
The first guy, a big burly construction guy, gives it a try and squeezes the lemon so that nothing comes out.
A big body builder guy walks up and squeezes some more drops out but then nothing.
Another big guy shows up and nothing. Just as the bartender was about to announce a winner, a small, bespectacled fellow wearing a business suit walks up and says in a mousy voice, "Let me try."
Laughter ensues around the bar and they hand him the lemon. He squeezes and out pours more juice and he's declared the winner. The body builder asks, "How did you do that?!?"
The little guy answers, "I work for the IRS."
So when I went to the IRS site to pay my taxes and it said I was the 1 millionth visitor and won an iPhone, that wasn't real? Now I know why I've been waiting months for this thing to come in the mail.
In a world of acronyms, the words are the real victims.
This won't solve all the problems of the universe, but this is a GOOD THING. Securing DNS is absolutely critical to making the Internet a safer place. If I type in "irs.gov", I want to go to "irs.gov", not some spam site, and this helps me get there. DNSSEC can provide IP addresses with a strong guarantee that the IP addresses are actually correct. DNSSEC can even provide other keys, and make it possible to EASILY send secure emails without having to do a key exchange ahead-of-time. See, for example: http://www.dwheeler.com/essays/easy-email-sec.html
- David A. Wheeler (see my Secure Programming HOWTO)
File by paper, particularly if you have to pay out. You get it in the mail and your money stays in your account earning you a little more interest for a few more days.
My understanding is that unless DNSSEC is implemented in the last mile resolvers (e.g. my ISP), it doesn't buy a whole lot, especially when it comes to preventing cache poisoning attacks. Moreover, according to RFC4035, delegation records and glue records aren't subject to public key verification (i.e. not signed), so DNSSEC could still be vulnerable. Until DNSSEC is pushed out to the end user to the point that our browsers are performing signature verification, I don't think it's going to buy us the security we're looking for. Even then, with PKI being notoriously difficult to implement, I'm sure it will be botched and somebody will find ways to poison public key registries with fake public keys, etc.
You're quite right, it's perfectly secure if the client systems have the .gov TLD public key. And almost no one does, today. Of course, no one will bother trying to get DNSSEC or these keys until there's something to verify.
This is a classic chicken-and-egg problem. The good news is that the U.S. government _CAN_ require that its OWN sites implement DNSSEC - and once that's done, people who deal with those sites (most U.S. citizens) will have a reason to install DNSSEC and the relevant .gov keys.
What will probably happen is that there will be a Firefox plug-in (if there isn't already) that supplies these keys, and slowly browsers will add support for all this. The result: Accessing these sites will become more secure, over time. Good thing.
- David A. Wheeler (see my Secure Programming HOWTO)
Since accountability evasion has proven notoriously hard to fix, and shows every sign of being an ongoing problem.
you had me at #!
Because we all know physical mail is impervious to man-in-the-middle attacks.
Since IPv6 addresses are more or less impossible to remember, (especially to the average user) being able to trust hostnames would really help security-wise.
Why? Don't we have enough laws that attempt to legislate technology? Yes it's a desirable technology, but do we really need to be chained to it with a law that two decades from now will solely be an obstacle to implementing the next new desirable technology?
Banks and other businesses will move to it once they see a good business case in doing so. Let that decide matters.
Please understand, I'm not a laissez faire sort of fellow most of the time. But if you have the government start trying to decide how the core mechanics of the internet work, and I guarantee you whatever small benefit you gain from the initial decision will be drowned out by the stagnation that results later on.
I'm not here to give DJB a handjob, but I do think his idea of DNSCurve is quite brilliant.
http://dnscurve.org/
Ignoring if DNSSEC is good or not, this is a pretty bad example of why to do this. Nobody goes to irs.gov to file their taxes. Instead, they go to a third-party (like Quicken, as just one example) who will file their taxes with the IRS. This was part of a deal worked out many years ago - in exchange for the IRS not providing its own e-file solutions, the third-party companies would have to provide free online e-filing (but would still, of course, be able to sell their own software to do the same thing).
Don't we have enough laws that attempt to legislate technology?
This isn't about legislating technology, it's about protecting Grandma from the bankers who don't give a rat's patoot whether or not Grandma gets stolen from.
Banks and other businesses will move to it once they see a good business case in doing so
Yes, THEIR interest. I don't care about their interest, I want protection against them. THEIR interest is what has caused the current banking crisis; deregulation has a large part of the current problem.
I wouldn't say "pass a law mandating this technology", I'd say pass a law making them responsible for keeping your identity safe. They can use whatever tech they want, but if somebody phishes Grandma because their security is lax, Grandma should collect triple damages. You can bet your ass they would implement the strongest measures available. As it is now, they have no incentive whatever to keep grandma safe from their errors.
Free Martian Whores!
Their incentive is the fact that they are already on the hook for Grandma's money if she's scammed.
And as an aside, you do realize that our current crisis
Putting the blame solely on one part of the equation is rather short sighted and dangerously close to enabling the whole thing to happen all over again when someone decides that a patch on one section is enough to keep the whole shaky setup going.
Could someone please explain the difference between what they are doing and simply installing SSL Certs?
This sounds a lot like non-news to me...
I know I may be stating the obvious, but we all know that the only way someone can own the name .gov is now if they were able to poison the dns cache on a server you are pinging...so what about for safe keeping I was to let's say, ask for 103.45.3.23 which is the actual server the us government uses.
This would avoid all these problems for posting your taxes online, and it's not like I need to remember a million of these addresses, how about just 1....the one you are needing to post to, make it available online everywhere, so that if people want to feel safer, they can use the number instead of trusting a man in the middle saying what the url resolves to....no?
Since when does www.irs.gov allow you to file taxes? Last I checked, they only list other sites that allow you to file... None of which are .gov.
Authentication should not be performed at the DNS level. Spoofing needs to be prevented at the application layer instead. Does DNSSEC help me verify and validate my IM buddies? What about P2P or for that matter any other distributed systems or for large scale online apps such as YouTube. Are we trying to force a square peg into a round hole here? Sure DNSSEC would upgrade the whole infrastructure space but like anything else, implementation is the key.
Yeah, but it is a bloated, bureaucratic lap dog.
Their incentive is the fact that they are already on the hook for Grandma's money if she's scammed.
No, I'm afraid you're wrong. I had my car, a book of checks, and my bank card stolen. The woman who stole these things had watched me punch in the PIN number over my shoulder; she was NOT authorized to dip into my account.
The police recovered the car, the bank made good on the forged checks, but not the debit card; if someone has your PIN number, no matter how they get it, they are authorized.
I no longer use a debit card because of that.
And as an aside, you do realize that our current crisis
Yes, I do. I place the blame solely on the Federal government for failing to live up to its responsibility to regulate the banking industries. And it WILL happen again. With luck we'll all be dead; the last time this happened was in 1929 (not counting the S&L debacle).
Free Martian Whores!
If I type in "irs.gov", I want to go to "irs.gov"
It's 2008. Does anybody type URLs any more?
And this has to do with the current discussion of "grandma" being scammed by a sophisticated internet banking scam how? Are you claiming DNSSEC would have saved you then? You even pointed out that the bank made good on the items that they were on the hook for. Are you claiming you don't think that the scam that poor grandma would fall for isn't something they would be on the hook for? Have any references for that?
You sound like a teenage me blaming my parents for not being perfect. Why don't we actually blame the people who made the mistakes, who presumably were adults and capable of making their own decisions, rather than blame the guy who half the time gets screamed at for interfering and the other half the time gets screamed at for not interfering.
He is giving an example of an attacker getting access to his debit card and the bank taking no liability for it. You are free to complain about him whining because you think he should be the one liable not the bank (that is a different, irrelevant argument), but the topic of discussion is that the bank customer is liable not the bank. This means the bank has no incentive to improve their security. In fact, better security probably costs more -- at least the cost of paying someone to figure out how to fix problems with their current procedures -- so they have a direct financial incentive to keep the security at the current status quo. Although, if the other banks improve, competition may force them to make changes.
Centralization breaks the internet.
You hit the nail on the head. Not a whine, an example. I solved the problem of never knowing when someone is looking over my shoulder by not having a debit card, problem solved.
Free Martian Whores!
The point of my comment was not to 'complain about him whining because you think he should be the one liable not the bank', and in fact I didn't.
The point of my comment was to point out that simply because that particular hole exists for debit cards it doesn't have anything to do with the issues he's trying to argue we should have laws 'protecting us' from the banks for.
There are laws in place already to protect us from those issues. Read up on identity theft law and you will see that the banks are on the hook for it. We don't need more laws simply because he's been bitten once someplace else and is now completely paranoid that the rest of the system is out to get him too.
And regarding the whole "cost" issue, I've had friends that worked in Bank IT Security, and not only did they take it seriously, but they certainly didn't see the situation to be "maintain the status quo, it costs less". Some of these places make the military and government IT departments look like a group of first year LUG members.
The problem is, most identity theft isn't through some 'leet' hacker exploiting an issue that DNSSEC only barely protects against, most identity theft is done the same way it was done centuries ago when it was just plain theft. Through social engineering and taking advantage of those who aren't wary. DNSSEC won't fix that. At best it'll make it a tad harder for someone to pretend to be www.example.com, but they don't do that anyway.
Instead they pretend to be www.example.example.org or some other fake domain designed to look right to "grandma". And this doesn't fix that. All DNSSEC fixes is the potential situation where www.example.com's web site is 'taken over' and pointed to someplace else nefarious.
Maybe someone will finally fix the apparent glaring security hole in New Hampshire's .gov website.
Part of the Second American Revolution!
But you can pay a little more and send it certified or registered. That will provide some evidence that you actually sent it. I think that certified just gives you a receipt, but registered is theoretically traceable end-to-end.
un-ALTERED reproduction and dissemination of this IMPORTANT information is ENCOURAGED
http://www.sans.org/reading_room/whitepapers/threats/480.php
Again, from this paper:
This paper examines the mechanics of the SSL protocol attack, then focusses on the
greater risk of SSL attacks when the client is not properly implemented or configured.
One faulty SSL client implementation, Microsoft's Internet Explorer, allows for
transparent SSL MITM attacks when the attacker has any CA-signed certificate. An even
greater risk is posed by unprotected systems where an attacker can preload his/her own
trusted root authority certificates. In public environments such as libraries and computer
labs, there is little to prevent such an attack from taking place. Casual observation of such
places indicates that an attacker would see them as low-risk, high-opportunity
environments.
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
It is a good thing I think that the government is adding this extra step of security. While I will never believe anything is crack-proof, the more layers the better, and anything is better than nothing. However, for several years it seems the U.S. Post Office has been going in the wrong direction, because (and I just checked this again) when you navigate to http://www.usps.gov you are automatically redirected to http://www.usps.com. Apparently they want people to think they're a commercial business instead of a government agency. Personally I feel better using sites like irs.gov and usps.gov, because I know they are the real deal, and not some phishing site. (In general of course.)
Instead of redirecting usps.gov to usps.com, they should do the reverse and redirect usps.com to usps.gov. Just my two cents.
And they said zombies weren't real!
Stop behaving like a hysterical hack!
Relying on bugs and physical access (for crissesake) is not an attack on the protocol itself. Esp. when the implementation being discussed is a six year-old version.
Every complex piece of software has bugs, particularly early-on. You seem to think that DNSSEC implementations will somehow be an exception.
Okay, so debit cards are insufficiently protected by the law, but identity theft via website hacking and/or phishing is protected. That sounds like a sane reason to invalidate mcgrew's example.
On the other hand, the assertion that banks care about security strikes me as ridiculous. Why are we still using authentication systems where logging in involves transferring all of the knowledge needed to log in as opposed to some sort of challenge response? Randomly asking security questions helps this a little, but the system is fundamentally broken. Even training the user to be okay typing the information needed to access their bank account into a web browser is a bad idea.
Admittedly, this is not entirely the fault of the bank, although they could at least be using some sort of security token to make phished passwords have a very short lifetime. Stronger security requires browser cooperation. Properly implemented digest authentication (http://en.wikipedia.org/wiki/Digest_access_authentication) (different color dialog from the weak basic HTTP auth?) would make phishing worthless -- if you could convince users to only type their password into a safe dialog which seems unlikely unless every website used secure authentication so the browser could warn loudly about any insecure authentication. Support for public key auth would be even better because then the user would never be tempted to type in their password on a phishing site if they did not have one. It has problems with being able to log in from multiple computers because a key has to be set up on each computer, but I suspect that is not an issue for most users because they only bank from one computer anyway. Of course, the key could be stolen by spyware but the spyware could be running a keylogger just as easily.
I believe you that banks put a good amount of effort into their internal security, but most are still using plaintext passwords over HTTPS or some authentication measure of equivalent quality. There does not seem to be a strong focus on actually making identity theft via gaining access to a person's bank login information hard.
That said, DNSSEC does not help much in that area because HTTPS already verifies domains, and someone in the position to poison DNS is probably in position to fake unencrypted/unsigned communications from the bank anyway.
Centralization breaks the internet.
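The challenge-response login discussed in the comment above, sketched as an added example that is not part of the original thread: HTTP Digest (RFC 2617, qop=auth), where the password never crosses the wire and the response is bound to a server nonce. The `DigestVerifier` class and its single-use nonce policy are assumptions made for illustration; the sample credentials are the RFC's own.

```python
import hashlib
import hmac
import secrets


def _md5_hex(text: str) -> str:
    # RFC 2617 specifies MD5; RFC 7616 later added SHA-256 variants.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Secret both sides derive; the server can store this instead of the password."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the client sends: a hash bound to the nonce and the request."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Hypothetical server side. Simplification: every nonce is single-use,
    whereas RFC 2617 lets a nonce be reused with an increasing nc."""

    def __init__(self, realm, users):
        self.realm = realm
        self._ha1 = {u: ha1(u, realm, p) for u, p in users.items()}
        self._live_nonces = set()

    def issue_nonce(self, nonce=None):
        nonce = nonce or secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if nonce not in self._live_nonces or username not in self._ha1:
            return False  # unknown user, or a stale/replayed nonce
        expected = digest_response(self._ha1[username], method, uri,
                                   nonce, nc, cnonce)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self._live_nonces.discard(nonce)  # retire it: a capture cannot be replayed
        return ok


def demo():
    """Runs one login, then replays the captured response. Returns (first, replay)."""
    server = DigestVerifier("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    nonce = server.issue_nonce("dcd98b7102dd2f0e8b11d0f600bfb0c093")
    resp = digest_response(ha1("Mufasa", server.realm, "Circle Of Life"),
                           "GET", "/dir/index.html", nonce, "00000001", "0a4f113b")
    args = ("Mufasa", "GET", "/dir/index.html", nonce, "00000001", "0a4f113b", resp)
    return server.verify(*args), server.verify(*args)


if __name__ == "__main__":
    print(demo())
```

A captured response is only good for the nonce it was computed against, which is the short lifetime the comment asks for; it does nothing if the user types the password into an ordinary HTML form on a look-alike page.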