Verisign Wildcarding
Verisign, in their capacity as the sole operators of the global .com and .net top-level domains, suddenly changed the fundamental operation of the domain name system yesterday.
Previously, when queried concerning an unknown .com or .net domain name, Verisign would correctly return an "unknown domain" error code. Now, most of the time, they return a record which points to their own site (purposely not linked to here).
Verisign frames this as a "service". They'll catch folks who mistype a website's address and attempt to direct them to the website they meant.
There are a number of problems with this:
- Trust
Verisign fundamentally altered the behavior of a global service it is community-paid to run without notice. This is simply the latest instance indicating Verisign is untrustworthy.
- Loss of functionality
There are no longer any "invalid" .com or .net addresses; they all resolve without error.
This distinction, unfortunately, is not academic. The popular technique of blocking potential spam by ensuring the sender's address actually exists has been crippled. Likewise, a client of mine lost functionality last night. His sign-up form for an enewsletter can no longer ensure the email address's domain is valid, which used to catch a fair number of mistakes.
- A Brand-New War
Already network operators are patching their DNS servers to recognize Verisign's IP address and suppress the new behavior. However, it is in Verisign's business interest to make it difficult to suppress. They make money on this "service".
Expect technical counter-countermeasures from Verisign. Expect further counter-counter-countermeasures from netops. Verisign has created a brand-new escalating war between the people who control the root name servers and the people who use them. Not bad for a day's work.
- A Needlessly Low-Level Change Targeting a High-Level Result
DNS is plumbing underneath all Internet services. Verisign's act targets web traffic, but it has a negative effect on every Internet service. For example, if I type an incorrect, unknown name for an FTP server, I'll wind up trying to connect to Verisign's server.
- Primed for a Man-in-the-Middle Attack
This latest act simply reinforces Verisign as an untrustworthy, unethical entity. Now realize this: Verisign is in an excellent position to execute a man-in-the-middle attack.
This is already in operation for their mail server. If I mistype the domain in my recipient's email address, the SMTP server usually ends up connecting to Verisign's stub mail server, which, after reading the message's From and To addresses, rejects the message. Verisign is in a great position to harvest these addresses and sell them to their partners. Verisign is already a known spammer.
Using their domain-name-guessing software, they can also get in between you and your POP3, IMAP, FTP, Web and WebDAV servers. Username and password harvesting is trivial. ssh is somewhat safer here, but its leap-of-faith authorization mode has become a lot more dangerous.
You may think SSL will save you here. You'd be wrong. Verisign runs root certificate servers as well. They can dynamically generate SSL certs and sign them. Your only option is to remove Verisign as a trusted cert server (a hard, geeky thing to do), which will have the effect of disabling the majority of commerce web sites as well. Nice.
Here are some Verisign counter-measures for your enjoyment.
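The sign-up form problem above (a domain check that now passes for every .com) and the netops patching mentioned under "A Brand-New War" can both be addressed on the validating side. The following is an added example, not code from the original post: it checks whether a domain exists by combining a sinkhole list of known wildcard addresses (placeholder values, since the post gives none) with a nonce probe, which resolves a random, surely-nonexistent label under the same TLD and rejects any domain whose answer matches it. The resolver is injected, so the example runs offline against constructed data.

```python
"""Wildcard-aware domain existence check (added example, not from the original post)."""
import secrets
from typing import Callable, Iterable, Optional, Set

# A resolver maps a name to its set of A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[Set[str]]]

# Placeholder sinkhole list (RFC 5737 documentation address). A real deployment
# fills this from the operator's own observation of the wildcard target.
KNOWN_WILDCARD_ADDRS: Set[str] = {"203.0.113.1"}

def tld_of(name: str) -> str:
    """Return the lowercase top-level label of a (possibly absolute) name."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()

def wildcard_answer(resolve: Resolver, tld: str) -> Optional[Set[str]]:
    """Probe the TLD with a random label; a non-empty answer means it wildcards."""
    nonce = f"nx-{secrets.token_hex(8)}.{tld}"
    return resolve(nonce) or None

def domain_exists(name: str, resolve: Resolver,
                  sinkhole: Iterable[str] = KNOWN_WILDCARD_ADDRS) -> bool:
    """True only if the name resolves to something other than the wildcard target."""
    answer = resolve(name)
    if not answer:
        return False          # genuine NXDOMAIN (or no A records at all)
    if answer & set(sinkhole):
        return False          # points at a known wildcard sinkhole address
    probe = wildcard_answer(resolve, tld_of(name))
    if probe is not None and answer <= probe:
        return False          # same answer as a surely-nonexistent name: wildcarded
    return True

# Constructed stand-in resolver: .com wildcards to a placeholder address,
# .org returns NXDOMAIN for unknown names. Both data sets are made up.
_FAKE_ZONE = {"example.com": {"192.0.2.10"}, "example.org": {"192.0.2.20"}}

def fake_resolve(name: str) -> Optional[Set[str]]:
    name = name.rstrip(".").lower()
    if name in _FAKE_ZONE:
        return set(_FAKE_ZONE[name])
    return {"198.51.100.7"} if name.endswith(".com") else None

if __name__ == "__main__":
    for d in ("example.com", "exmaple.com", "exmaple.org"):
        print(d, domain_exists(d, fake_resolve))
```

The nonce probe costs one extra lookup per TLD and can be cached; it keeps working even if the wildcard target address changes, which the sinkhole list alone does not.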
Tuesday, September 16, 2003
12:00 AM