One of the nasty bugs in the DNS system of the World Wide Web is still present on many PCs all over the world.
The Kaminsky bug, named after its discoverer, was found 5 years ago. Although a fix has been issued, it turned out that only a handful of American broadband providers, financial institutions and e-commerce companies have deployed it. The discoverer warned at the time that the vulnerability made it possible for cyber attackers to carry out cache poisoning attacks, redirecting traffic from a legitimate site to a fake one without either the site operator or the end user knowing.
It appeared that the only way to fix the problem was DNSSEC, which uses digital signatures and public-key encryption to let websites verify their domain names and corresponding IP addresses and thus prevent intermediary attacks. However, the statistics say that a ridiculously low number of American corporations have deployed DNSSEC.
In fact, none of the top 100 largest American e-commerce companies tested by Secure64 was using digital signatures to sign their zones, nor were they validating DNSSEC queries. A recent survey, conducted weekly by the National Institute of Standards and Technology, showed that less than 1% of 1,000 US industry sites have fully deployed DNSSEC, among them Comcast, PayPal, Data Mountain, Infoblox, and Sprint. Meanwhile, Dyncorp, Simon Property and Juniper Networks have done so partly.
Worse still, the companies saying they aren't deploying DNSSEC included such giants of US industry as Bank of America, Delta Air Lines, Disney, eBay, Apple, Cisco, Google, IBM and Symantec.