When you file your taxes online, you want to be sure that the Web site you visit -- www.irs.gov -- is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency.
That’s because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet’s DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites.
DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
With DNSSEC deployed, federal Web sites “are less prone to be hacked into, and it means they can offer their services with greater assurances to the public,” says Leslie Daigle, Chief Internet Technology Officer for the Internet Society. “DNSSEC means more confidence in government online services.”
The U.S. government’s DNSSEC mandate is “significant,” says Olaf Kolkman, a DNSSEC expert and director of NLnet Labs, a nonprofit R&D foundation in the Netherlands. “First, the tool developers will jump in because there is the U.S. government as a market…. Second, there is suddenly a significant infrastructure to validate against.”
The White House DNSSEC mandate comes just weeks after the July disclosure of one of the most serious DNS bugs ever found.
The Kaminsky bug -- named after security researcher Dan Kaminsky, who discovered it -- allows for cache poisoning attacks, where a hacker redirects traffic from a legitimate Web site to a fake one without the user knowing.
White House officials said their DNSSEC mandate has been in the works since February 2003, when the Bush Administration released its National Strategy to Secure Cyberspace. The cybersecurity strategy, which was prompted by the Sept. 11, 2001, terrorist attacks, included the goal of securing the DNS.
Comments (9)
Ironic, given Feds anti-crypto rules in the 1990s delayed DNSSEC
By billstewart on September 27, 2008, 6:13 pm
The Feds have been the biggest obstacle to getting DNSSEC widely implemented. Part of this was during the Crypto Rights Wars of the 1990s, but since then they've...

2LD vs. 3LD, etc. not a problem
By billstewart on September 27, 2008, 5:56 pm
In fact most government web sites aren't at the second level - many are at the third level, like www.example.gov, and state websites might be below that, like www.example.ca.gov....

FYI Not really true here either.
By Anonymous on September 24, 2008, 12:30 pm
Not all government web sites are on the second level of DNS, which is what OMB is requiring. Not to mention that not all government web sites end or are serviced...

Misleading statement
By Anonymous on September 24, 2008, 7:32 am
This statement is not quite true "With DNSSEC deployed, federal Web sites “are less prone to be hacked into". DNSSEC actually prevents redirect/session hijacking...

And all those "open" DNS vendors?
By unclesmrgol on September 22, 2008, 6:49 pm
Europe has been laboring mightily to build a capability parallel to the US-provided root domain structure. I'm wondering where they are in this whole effort to...