Archive for September, 2011

Blog urges email admins to look beyond websites, use DNSSEC to secure email certificates

The Email Admin blog urged organizations to consider DNSSEC as a solution to some of the most pressing email problems, from spam and phishing to creating private emails. In this post, it noted how email administrators could benefit from widespread deployment of DNSSEC:

What’s good about DNSSEC is that it can be used beyond just authenticating website traffic. That Internet-wide authentication database created by the technology could also be used to authenticate email certificates. Those certificates would go a long way in reducing spam, muzzling phishing attacks and enabling private email—email that’s encrypted and can only be decrypted by its intended recipient. In order for that to happen, however, DNSSEC needs to be adopted throughout the cyberspace food chain—from those at the top of the domain structure to the ISPs to the browser and client makers.

 


DNSSEC certificates stable in Chrome

Google’s Adam Langley reports on his Imperial Violet blog that DNSSEC-authenticated HTTPS is available to all Chrome users now that Chrome 14 is stable. The experimental feature “allows sites to use DNSSEC, rather than traditional, certificates and is aimed at sites which currently use no HTTPS, or self-signed certificates.” He has also documented the serialisation format.


U.S. Department of Defense clears way to sign .mil with DNSSEC

The U.S. Department of Defense has authorized its Network Information Center to sign the .mil zone with DNSSEC, it was announced. The move is a major step forward in the U.S. government’s efforts to deploy DNSSEC across its domains.

Limited to use by the U.S. military, the .mil top-level domain will be signed over a three-month period, starting with an unvalidatable key and progressing to publication of the .mil key to allow validation across the Internet. The tentative timeline calls for the zone to be signed by December 12, 2011.

The .mil domain is a sponsored TLD and was one of the first top-level domains, created in January 1985. The U.S. is the only country with a top-level domain for its military.

 



Iran Gmail ‘man-in-the-middle’ attack prompts DNSSEC discussion

A man-in-the-middle attack targeting Iranian users of Gmail left them vulnerable to having their logins stolen, and prompted discussion of DNSSEC’s security protocols. In “Google Users in Iran Targeted in SSL Spoof,” CNet News notes that DNSSEC offers an alternative way to validate that sites are legitimate. From the article:

“The SSL ‘race to the bottom’ CA model is broken. Fraudulent certificates have been issued before, even without breaching a CA’s systems,” Johannes B. Ullrich, dean of research at the SANS Technology Institute, wrote in a blog post today. “But what can you do to replace or re-enforce SSL?”

DNSSEC (Domain Name System Security) can provide another way to validate that a site is legitimate, but it is not perfect, either, he said. In addition, there are browser plug-ins that implement reputation systems. One plug-in that has gained traction is Convergence, which works with Firefox and compares the certificate with other certificates received from the same site, he said.
