Despite the best attempts of security vendors, neither online stores nor the financial industry seem particularly keen to adopt DNSSEC tech - an anti-fraud mechanism that makes it difficult for fraudsters to spoof legitimate websites. DNSSEC (DNS Security Extensions) uses public-key encryption and authentication to guard against …
I had the same question
I have often wondered why there aren't any big sites using DNSSEC. Sure, it's a little complicated for the average Joe. But it must be a piece of cake for big banks and e-tailers that already have large IT-departments and millions worth of infrastructure. They have the resources to have a guy or 2 or 3 devote themselves to DNSSEC and just implement it.
DNSSEC and GSLB
How does DNSSEC fit in with GSLB? Most of the big tech players have distributed web sites relying on DNS servers that change their replies based on data on where the query came from. I would suspect that would not play well with DNSSEC.
The other trick some people use is injecting BGP routes and having multiple boxes answer for the same IP, but the load is "distributed" based on shortest path routing. That would probably be OK for DNSSEC, but it'd still be a pain to have to sign all those different zone files.
Re: DNSSEC and GSLB
It's not that difficult to sign zone files. I have scripts that I've tested on my personal server that handle the resigning after zone file updates and am about to roll them out to my employer's servers.
Re: DNSSEC and GSLB
Yes, but with GSLB the answer can change on *every* query. Admittedly between a limited set of answers, but it's still nowhere near your situation. Either you have to load signed zones for each possible answer onto the GSLB device, or you have to load the signing keys onto the device. The latter is undesirable in the extreme.
It would be nice if banks even understood the basic idea of the hierarchical domain name system, ie using subdomains such as online.bank.co.uk instead of www.bank.co.uk, bankonline.co.uk, bankgizmos.co.uk, ukbank.com and a dozen other things.
It would be nice if banks did not send emails that seem to be designed to look as much like phishing as possible.
It would be nice if, having warned people not to hand over their passwords when asked in emails (which El Reg readers at least know how to trace), they did not then phone customers, withholding even (the easily spoofed) caller ID, and ask for their security information.
It would be nice if banks did not use obvious man-in-the-middle systems like Verified by Visa.
Complaining that they don't use DNSSEC seems rather irrelevant in this context.
Re: Clueless banks
It would be nice if banks could understand the fundamental flaw in calling a customer and asking for their date of birth before discussing anything with them.
Re: Clueless banks
And they always seem rather surprised when you challenge who they are... as if it's never happened to them before.
Re: Clueless banks
I went to the extent of putting together a form for them to fill out to request a PIN so I could verify who they were. Strangely enough when it came to it none of them would go for it and it wound my wife up so much when I did it that I figured I should stop.
I do recall a story about a woman in the UK who managed to achieve this though. The best I could do in the end was just refuse to answer their security questions and then they would have to send me a letter by which time I had logged on and checked to see if I had missed a payment or similar so when it finally arrived it was all too late.
Re: Clueless banks
The last credit card person to call me, and ask for my date of birth seemed rather wearily resigned to my refusal to answer. All the previous times I've met bewilderment that I shouldn't trust random people who ring me up asking for financial details...
I suppose they know who they are, so why should I doubt them?
Re: Clueless banks
Apart from calling them back, or just refusing to answer their questions - the one way I have managed to get around this is to give false information (i.e. lie about my date of birth). If they say 'OH, that isn't what we have on our system' then at least I have some confidence in who they are - a real phishing call would not know if I was lying.
The same goes for phishing sites - by typing in a wrong password and seeing what happens.
It amazes me that when the bank RINGS YOU they expect you to identify yourself - even though they have no problem believing your identity if you reply to a letter posted to your home address.
The strangest one at the moment is Capital One. They used to call me, and ask me to prove my identity (which I did by calling them back) but now they just send a text and I can reply to it - so obviously possession of the phone is sufficient after all.
I think the apathy is quite understandable - DNSSEC won't help these kinds of sites all that much. Cache poisoning attacks are not widespread, presumably because the criminals would have to target a lot of caches to make a difference - and that's a lot of work.
Knowledgeable users already know to type https:// in the URL for sensitive sites, which provides more protection than DNSSEC. And those less in the know are likely to fall for simpler phishing attacks anyway.
Re: Understandable apathy
Agreed. Sounds like the web's equivalent of SPF for email. Idiots that would fall for it are the same people who fall for web adverts that claim 'Your registry is corrupt - click here to download rapreyourPC-registryturbo now!'. They don't understand and are used to their kids telling them just to ignore it. Only place it might be useful is for corporate proxies/firewalls where end user gets no choice.
Fraud = profits
The banks justify their high margins by the level of risk they "bear". Reducing risk means that they can't justify gouging their customers.
That is why they rarely implement best practice. e.g.:-
Advance notification of transactions with STOP processes
Scanning a notification of spoof sites
Declaring security breaches
Escrow to allow reversal of fraudulent transactions
Photos and other biometric on cards/online (How can they say this is too expensive when they allow me to upload my own artwork for my card!!!)
Please add your own!!
If the banks reduce fraud, they cannot justify their high margin (Yes, some do!)
While they don't seem to be supporting DNSSEC, what about DNSCurve?
If the banks don't implement a security feature then it usually means their money is not at risk, i.e. any losses will be assigned to the affected customers because it was their fault for not being sufficiently careful online.
Presumably there are downsides to DNSSEC too, though of course I wouldn't expect this company to highlight them. If so many big websites haven't implemented it, then I'd expect the reason to be either "it's ineffective", "it makes life difficult for our customers" or probably a trade-off of the two (ie "there are a few minor downsides, but we don't think it'll help at all therefore it's not worth it").
The main problem is that most registrars haven't implemented support for uploading the DS keys needed for DNSSEC yet. Other than that, there aren't many downsides. On my system I had to switch registrars and implement some changes to how I update my zone files but since then it has been working flawlessly.
I know this item is focused on the big 100 e-commerce sites but at the other end of the scale the key reason for slow adoption is that many of the big domain name registrars, that SMEs and individuals use, still do not support uploading keys for DNSSEC. Until those of us at the bottom of the chain are given the tools required to implement it, widespread adoption of DNSSEC is dead in the water. I do wonder if low levels of implementation are one of the excuses the top 100 will use to justify their lack of interest in pushing this out for their sites?
DNSSEC isn't trivial, doesn't gain much
DNSSEC is not trivial to implement and maintain. You need to at least deal with more keys and institute another key rollover policy. One mistake can cause a denial of service for lots of people. DNS spoofing is not trivial either, and the risk of doing that may be perceived to be less than the effort of maintaining DNSSEC for your domains.
DNSSEC implementation flaws
Q: What's the world's most popular nameserver?
Q: How many security flaws were announced/patched for BIND last year? How many of them were related to DNSSEC?
A: I don't know, I think I lost count. The vast majority of them were DNSSEC related in any case.
Are DNSSEC implementations even mature enough to use yet? Sure, somebody thought they were good enough for the root servers, but that doesn't mean they're good enough for everyone else.
This is crap. Not only have Paypal signed their domain, but they also defer email for you if your domain signatures don't validate.
Are Paypal not a "big e-commerce site"? I guess not if you're Secure64 pulling a marketing angle for credulous journalists. But they handle most of the payments for eBay, which is the big name trumpeted in this article. So, er ... oops.
Hint: querying PR flacks isn't "checking the facts".