5 years after major DNS flaw is discovered, few US companies have deployed long-term fix

Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC ) to alleviate this threat.
In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing.
While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks.
Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is miniscule.
Recent surveys conducted by DNS vendor Secure64 show little deployment of DNSSEC:
  • None of the top 100 major U.S. e-commerce companies tested by Secure64 was using digital signatures to sign their zones, nor were any of these organizations validating DNSSEC queries. Although popular top-level domains including .com are signed, none of the 100 e-retailers tested including Amazon.com had established a chain of trust, or verified electronic signatures, at each DNS lookup node.
  • One out of 384 worldwide financial services companies tested by Secure64 was signing its zone, and none had established a chain of trust. The financial services firm that showed signs of DNSSEC deployment was the quasi-federal organization Sallie Mae.

0 yorum: