SOPA and PIPA Raise Substantial Barriers to DNSSEC Adoption, Which will Lead to a Less Secure Internet.
It's been a busy six months in the world of the domain name system since I last wrote about the global deployment of DNSSEC, the next-generation standard for DNS security. Not only have domain registries around the world accelerated their DNSSEC strategies, but we're now seeing growing interest in DNSSEC deployment from major ISPs like Comcast and leading e-commerce companies, notably PayPal. Unfortunately, we're also seeing threats to the DNSSEC rollout from US legislators who have proposed laws that would hinder adoption.
DNSSEC, which enables domain names to be cryptographically signed and authenticated, has the potential to make the fight against phishing and fraud much more effective. The technology creates a chain of trust that ensures a user’s click on a website will actually land on the website, rather than being hijacked mid-stream. Using DNSSEC, consumers will have more confidence that when they try to visit a website, their requests will not be hijacked by bad guys out in the cloud.
The problem with creating a chain of trust is that each link in the chain needs to be strong. With DNSSEC, links belong to different companies and organizations in different sectors. The chain requires participation from all sectors of the Internet community for DNSSEC to deliver its full potential. Domain name registries and registrars need to enable the technology for their customers to cryptographically sign their domains, while ISPs and software developers need to support it to make endpoint validation possible.
While domain registries, which work with DNS every day, have set the pace for this global rollout, other early adopters I’ve mentioned above, such as Comcast and PayPal, are now coming on board with encouraging enthusiasm. Comcast recently said that over 17.8 million Internet access subscribers are now using DNSSEC-compatible name resolvers. This means that Comcast will soon validate DNSSEC signatures on behalf of all its users, leading to a more secure online experience.
Of course, you can't check a signature if nobody is signing. That’s to say, deployment projects at the resolver end from companies such as Comcast will only make a difference if they have signatures to validate from popular websites. Comcast also said that it has signed all of the more than 5,000 domains it owns, and it has echoed calls for more adoption by high-traffic Web properties, especially in banking and e-commerce. These industries are the most frequently targeted by phishers and other cybercriminals, and have the most to gain from offering their customers an increased degree of transactional security.
PayPal, which has over 100 million active e-commerce accounts worldwide, has also now fully embraced DNSSEC. In December 2011, the company said it has signed all zones in all of the top-level domains in which it has a presence. So PayPal.com is signed and, for example, so is PayPal.co.uk. This important step means that PayPal account holders using validating resolvers will be able to make payments with the confidence of knowing that the PayPal DNS has not been hijacked by criminals.
While the decision by Comcast and Paypal to throw their considerable influence behind DNSSEC is encouraging, the US is in many respects still lagging behind other countries. Security experts attending a recent ICANN meeting in Senegal heard that the Czech Republic is now the nation with the highest penetration of DNSSEC. About 145,000 .cz domain names had been signed in October, which represented about 17% of the total. Compare that to the .com domain most often used by US companies, which has more than 100 million total registered domains, but DNSSEC penetration is only in the low thousands. It's clear the USA has some catching up to do.
But adopters in the USA have a unique barrier to adoption: Congress. The proposed Stop Online Piracy Act (SOPA) and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PROTECT IP Act or PIPA) contain provisions that, if enacted, would threaten to break the end-to-end functionality of DNSSEC. These pieces of legislation require ISPs to intercept and redirect DNS queries for websites that are believed to be involved in piracy. In the context of DNSSEC, this is like requiring ISPs to behave like attackers, deliberately hijacking otherwise legitimate DNS queries.
DNSSEC and the redirection provisions of SOPA and PIPA are incompatible. By mandating behavior that makes the infrastructure appear to be malicious, applications would have to acknowledge that sometimes what looks like an attack is actually a legitimate filtering event. In that scenario, applications could attempt to resolve domains by falling back to legacy, insecure DNS, but this just creates an opportunity for bad actors to widely exploit "downgrade attacks," rendering DNSSEC practically useless. In short, SOPA and PIPA raise substantial barriers to DNSSEC adoption, which will lead to a less secure Internet.
The Internet has many security problems, and DNS hijacking is only one of them. But unlike many problems, this one has a solution that can be -- and is being -- implemented today by forward-thinking, security-conscious companies. Nobody supports online piracy, but it would be a sad day indeed for security if poorly informed legislation were allowed to slam the brakes on the global DNSSEC deployment initiative, just as it is gathering critical steam.
Related Reading: Risk vs. Reward of Implementing DNSSEC
Related Reading: Trouble Ahead - The Implementation Challenges for DNSSEC
Related Reading: Deploying DNSSEC - Four Ways to Prepare Your Enterprise for DNSSEC
Related Reading: Five Strategies for Flawless DNSSEC Key Management and Rollover
Related Reading: The Missing Ingredients for DNSSEC Success
Related Reading: Do Recent BGP Anomalies Shed a Light on What's to Come?