March 21, 2014 archive

TDYR #134 – Heading To Singapore For ICANN 49 To Talk DNSSEC

I'm heading to Singapore for the ICANN 49 meeting happening there. My focus is on the technical side related to making the Internet more secure via DNSSEC ... but a great focus of the meeting will be all about Internet governance issues... More on what I am doing there at: http://www.internetsociety.org/deploy360/blog/2014/03/3-dnssec-sessions-at-icann-49-next-week-in-singapore/

Turkey’s Ban On Twitter Will Inadvertently Cause A Rise In DNSSEC Validation

Today the media is buzzing with the news of the Turkish government banning Twitter and even more with the fact that citizens are figuring out ways around that. “The Internet routes around censorship”, as the saying goes (or close to that). There are predictably MANY tweets out there on hashtags like #TurkeyBlockedTwitter and #TwitterBlockedInTurkey.

And many photos like the one I’m inserting here are appearing not only on Twitter but across the web and other media.   As The Verge notes, it seems the Turkish government is just using a simple DNS block, presumably at all Internet service providers (ISPs) in Turkey, to prevent people from connecting to Twitter.

As the people in Turkey have discovered, this block can be easily circumvented simply by changing your device’s network settings to use public DNS servers such as those operated by Google.

Leaving the politics aside, my first reaction as a DNSSEC advocate was “Cool! Now we’ll see an uptick in DNSSEC-validated DNS queries!”

The reason, of course, is that Google’s Public DNS service performs DNSSEC validation by default on ALL DNS queries.  So, not only are all those Turkish citizens getting around the ban on Twitter, but they are also getting more security and ensuring that the responses they get back from DNS for a domain are indeed the correct information entered by the operator of that domain (for companies/organizations that have signed their domain).

Hopefully the situation there in Turkey will stabilize and the ban will be lifted. In the meantime, though, I suspect those people doing DNSSEC measurements will see a burst in DNSSEC validation happening from that region.


P.S. As I pointed out at the bottom of the earlier post about Google Public DNS turning on DNSSEC validation that I reference above, the use of a public DNS resolver performing DNSSEC validation does not completely ensure the security of the results you receive back.  There is still an opportunity for an attacker to inject or modify DNS packets on the path between your device and the distant DNS resolver.  That is why we ideally want to see DNSSEC validation happening at a much closer level such as on the edge of your local network or perhaps even in your actual device.  However, having it happen on public DNS resolvers is a great first step toward making DNS results more secure.
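The P.S. above comes down to one header bit: a device using a remote validating resolver learns the outcome only through the AD ("Authentic Data") flag or a SERVFAIL code, and nothing in a plain DNS reply protects those fields on the way back. The following is an added example, not code from the original post; the function names are hypothetical and the messages are constructed samples for example.org.

```python
import struct

AD_FLAG = 0x0020  # "Authentic Data": the resolver says it validated the answer
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """A-record query with RD and AD set; AD in a query asks for AD in the reply (RFC 6840)."""
    header = struct.pack("!HHHHHH", qid, 0x0100 | AD_FLAG, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def resolver_verdict(message):
    """Return (rcode, ad_set) as claimed by the header of a DNS response."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", message[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return RCODES.get(flags & 0x000F, "OTHER"), bool(flags & AD_FLAG)

def with_ad_bit(message, value):
    """Copy of message with AD forced on or off, as any hop on a plain UDP path could do."""
    flags = struct.unpack("!H", message[2:4])[0]
    flags = (flags | AD_FLAG) if value else (flags & ~AD_FLAG)
    return message[:2] + struct.pack("!H", flags) + message[4:]

def make_response(query, flags):
    """Constructed sample: echo the question section under a response header."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

QUERY = build_query("example.org")
VALIDATED = make_response(QUERY, 0x81A0)    # QR|RD|RA|AD, NOERROR
UNVALIDATED = make_response(QUERY, 0x8180)  # QR|RD|RA, NOERROR (unsigned zone)
BOGUS = make_response(QUERY, 0x8182)        # SERVFAIL: how a validation failure reaches the client

if __name__ == "__main__":
    for label, msg in [("validated", VALIDATED), ("unsigned", UNVALIDATED),
                       ("bogus", BOGUS), ("unsigned, AD altered", with_ad_bit(UNVALIDATED, True))]:
        print(f"{label:22} -> {resolver_verdict(msg)}")
```

The unsigned response with its AD bit altered reads exactly like the validated one, which is the gap the P.S. describes and the reason validation on the local network or the device itself is preferable.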

Google Is Now Always Using TLS/SSL for Gmail Connections

We were pleased today to read that Google is now changing their Gmail service to always use TLS-encrypted connections. As they note in their announcement blog post:

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet. 

The key point is the one I emphasized in bold in the text: attackers cannot listen in on your messages as they go between your mail client (which could be your web browser) and Gmail’s servers.   Obviously the messages could still be potentially viewed either on your client device or on Gmail’s servers… but this step is removing the ability for the messages to be viewed “on the wire”.

This is a great example of the kind of action we’d like to see to make communication over the Internet more secure, and why we launched our new “TLS for Applications” section of this site. We want to encourage more application providers and developers to take the steps that Google has taken here.

Kudos to the Google/Gmail team for taking this step!

Last Day To RSVP For ICANN 49 DNSSEC Implementers Gathering March 26 in Singapore

Will you be at ICANN 49 in Singapore next week? And are you deploying DNSSEC and interested in meeting with others who are also doing so?

As we mentioned earlier this week, there are three sessions at ICANN 49 focused on DNSSEC and one of those is an “informal gathering of DNSSEC implementers” on the evening of March 26 from 19:30-21:30 (or later). This is a time to share experiences, exchange information and just generally interact with other people involved with deploying DNSSEC. As ICANN’s Julie Hedlund wrote in a note to various email lists:

This is a unique opportunity to meet with and talk to key implementers, such as CNNIC, JPRS, NZNIC, CIRA, CZNIC, Nominet UK, SIDN, and others. We do ask that in order to participate you should come prepared to say a few words about your experiences.

It’s a great chance to meet people working with DNSSEC.  If you will be in Singapore and interested in joining us,  please RSVP by the close of business TODAY (21 March 2014) so that we can have accurate information for the location of the event.   Details and location information will be sent via email to all those who have RSVP’d.

See (some of) you in Singapore!