This seems very odd. The Internet — including web sites and
email — has been found to have a very serious security flaw.
Civilized places such as Sweden and Puerto Rico are already
fixing the problem. There are plans to improve security for
US .gov and .mil sites (government and military , respectively).
Yet, the most important fix for the rest of us, which is
under the control of the US government, is being delayed.
Given that the Russian military attack on Georgia was preceded
by an Internet attack, it would seem pretty obvious that
Internet security should be a priority.
This raises the question: Does the US Government want the
Internet/email system to be insecure?
One of the key components to the infrastructure of the Internet is the
Domain Name System (DNS), which operates on DNS nameservers.
For various technical reasons, computers connected to the
Internet all have numerical addresses. Currently, these
consist of four sets of up to three digits, each separated by a dot.
The is called the Internet Protocol (IP) address.
For example, the site www.example.com has
an IP address of 188.8.131.52.
You can try this out yourself. If you type “www.example.com”
(without the quotes) into the address spot on your browser, you will
see an example website. If you type “184.108.40.206” you will
go to the exact same site.
The DNS nameservers are the devices that perform this translation for
you. That was, you don’t have to memorize long strings of
otherwise meaningless digits. This will become even more
important in the near future, when we transition to Internet Protocol
Version 6 (IVP6), which will have numerical addresses like:
The DNS nameservers contain enormous tables that translate the
alphabetical addresses into numeric ones. If an attacker
could somehow change the information in those tables, then unsuspecting
users could end up at the wrong place.
This would be much more that a mere nuisance. If you typed in
www.mybank.com and went to your favorite online bank, you would expect
to have to log in with your user name and password. You then
would be able to send money to someone else. If an attacker
created a fake site (which is easy to do), and directed you to the fake
site, then the attacker could steal your user name and password.
Several months ago, a
security flaw was discovered. This flaw enabled
attacks to alter the information in the DNS nameservers.
Fixes were quietly introduced and deployed.
However, there is a problem. The Internet is organized in a
hierarchical system. The “root” of the system is controlled
by the US government, specifically, by the National Telecommunications
and Information Administration. They haven’t secured the root
of the system.
This is described in a recent article at Wired:
Accuse Bush Administration of Foot-Dragging on DNS Security Hole
By Ryan Singel
August 13, 2008
Despite a recent high-profile vulnerability that showed the net could
be hacked in minutes, the domain name system — a key internet
infrastructure — continues to suffer from a serious security weakness,
thanks to bureaucratic inertia at the U.S. government agency in charge,
security experts say.
If the complicated politics of internet governance continue to get in
the way of upgrading the security of the net’s core technology, the
internet could turn into a carnival house of mirrors, where no URL or
e-mail address could be trusted to be genuine, according to Bill
Woodcock, research director at the nonprofit Packet Clearing House…
…The Internet Assigned Numbers Authority — which coordinates the
internet — has been prototyping a system to sign the root-zone file
for the last year, but they can’t do the same for the internet’s top
servers without approval from the Department of Commerce.
That’s where the rub is, according to Kolkman…
…But changing that system could be perceived as reducing U.S. control
over the net — a touchy geopolitical issue. ICANN is often considered
by Washington politicians to be akin to the United Nations, and its
push to control the root-zone file could push the U.S. to give more
control to VeriSign, experts say…
I have no specific reason to think that this is anything other than
“bureaucratic inertia.” After all, surely the Government wants
our email to be secure. Surely they want
us to keep our passwords safe. Surely they want us to be able
to protect our most sensitive information.
We know this because the government has been spending money to encourage the use of
Electronic Health Records (EHR). People are not
going to want to use EHR if they do not believe that the
Internet is secure.