DNS – the big forgotten of Internet

“DNS continues to be one of the most targeted Internet services, and it remains the Achilles heel of global Internet infrastructure. DNS was not only the most heavily abused protocol for reflection/amplification DDoS attacks this year, but an attack targeting a specific DNS provider was also the cause of the most widespread Internet outage of 2016.” (Note: the attack on the provider Dyn in October 2016, which made a large part of the Internet in the USA inaccessible for about ten hours, particularly impacting Twitter, eBay, Netflix, Amazon, PayPal…)

Arbor Network Infrastructure Security Report – June 2017

But what is the DNS?


Because a human being remembers a name more easily than a number, and because this is even more true when visiting a website, where the choice is between a domain name and an IP address, humans created the DNS (Domain Name System, or service) to simplify their lives.

For example: “I want to visit google.com. My browser asks the DNS for the IP address of the web server hosting google.com, obtains it, connects to that address and downloads the page.”

The DNS is a public, decentralized and distributed database which maps domain names to IP addresses. It has existed since 1985. It is part of what can be called Internet infrastructure, essential for the Internet to operate… and yet the DNS is invisible to the user.

The DNS has been massively adopted because it is practical. It simplifies the user’s life and lets them easily identify, differentiate, locate, memorize and pass on the domain name of a website associated with a brand. It has also been adopted on the other side of the mirror by network administrators to identify and differentiate servers; this is even more true with IPv6, the multiplication of hosts and the arrival of connected devices everywhere. Last but not least, the DNS allows them to change servers and IP addresses in a way that is completely transparent for the web user.

The DNS is omnipresent on the Internet. Everyone must be able to reach it; if not, the Web stops working. This is what happened in 2016 to Internet users in the United States, who had to do without Twitter or frenetic online shopping for almost 10 hours. The lost revenue and the damage to the brand image of the affected companies were significant.

But because it is invisible, everyone tends to forget it… and to realize its importance when it is too late.

Strategic services relying on the DNS and the associated risks

Websites and email are two major services which systematically rely on the DNS. Imagine that your website is unavailable for 1 minute, 10 minutes, 1 hour… and the consequences for your company: lost revenue, service interruption, damage to the brand image, loss of customers. And imagine the consequences of having no email over the same period…

While these two services are the most exposed, others also rely systematically on the DNS: VPN, VoIP, instant messaging… with consequences that are smaller but equally harmful to the company’s operations.

Attacks on DNS

Sadly, DNS servers are exposed to many potential attacks:

– Cache poisoning: making a DNS server believe it has received a valid answer to its query when the answer is fraudulent. Once the DNS is poisoned, the cached information puts all of its users at risk (they are sent to a fake website).

– Man in the middle: the attacker alters the DNS server(s) used by the parties in order to redirect their communication through the attacker without the parties noticing.

– DNS spoofing: redirecting web users, without their knowledge, towards malicious websites.

– DDoS: DNS servers are increasingly targeted by DDoS attacks, which aim to saturate them and prevent them from resolving the company’s key services.

And all these attacks have the same consequences: the company’s traffic is hijacked or stopped.

The big forgotten

From the user’s point of view, the DNS does not exist: they use domain names to browse and send emails, and they have only one need, that it works.

On the company side, the problem is different: usually it is a lack of information, a lack of awareness of the importance of the DNS and of the consequences of a service outage.

In most cases, companies do not really pay attention. They spend a large budget to register and manage domain names, to increase their visibility and protect their brands, but do not look into the robustness of the DNS servers their provider puts at their disposal.

The good practices to implement: having first rate DNS infrastructure


First of all, consider whether your strategic domain names already receive particular attention at the DNS infrastructure level. Strategic domain names are all those on which the traffic of the company’s key services relies: websites, email, VPN, instant messaging…

Operating your own DNS infrastructure is a solution that offers flexibility and control, but the acquisition, management and maintenance costs on one side, and the complexity and required expertise on the other, are often prohibitive or badly evaluated. It is usually easier to opt for an external DNS infrastructure managed by a registrar, hosting company or specialized provider. It is then appropriate to check which annual availability rate is guaranteed and how the service follows good practice to maximize availability.

To ensure high availability of your Internet services, it is essential to choose a highly available DNS solution which offers:

– the functionalities required for intensive DNS use;

– an anycast network to reduce DNS resolution time and ensure optimal access time to your websites;

– a secured DNS infrastructure that remains available even under attack;

– key functionalities such as GeoIP, failover, registry lock, DNSSEC and smart anti-DDoS filtering.

Conclusion

The DNS is invisible but everywhere: it provides access to your key services through the resolution of your strategic domain names, it is potentially exposed to many attacks with disastrous consequences, and it too often lacks attention from companies. So… don’t forget about it and, if necessary, talk about it with your Nameshield partner.

Some movement in the SSL’s world: Digicert acquires Symantec’s certificates activity


On Wednesday, August 2nd, Digicert announced the acquisition of Symantec’s Website Security business (including the SSL business and some other services). It is the direct consequence of the conflict between Symantec and Google over the past few months.


You have certainly already heard about this disagreement between the two companies over a number of certificates issued by Symantec, and the possible loss of trust in these certificates in upcoming versions of Chrome. Much information, and many dates, have circulated on this subject, sometimes contradictory, so it can be difficult to evaluate the impact on your own certificates.

Nameshield, as a Symantec Platinum partner, has followed the development of this case very closely to ensure that its customers and partners do not risk being impacted by a loss of trust in their browsers. The latest developments lead us to communicate the following important information:

What happened?

Google and Symantec had a dispute in 2015: Symantec’s teams had issued certificates, for example for the CN google.com, actually issuing them and then deleting them afterwards. It was objectively a mistake, and Google sanctioned Symantec by making the logging of all its certificates in Certificate Transparency mandatory, which has since become the market standard and an obligation for all Certification Authorities. This decision took effect on June 1st, 2016.

At the beginning of 2017, Google and Mozilla announced the discovery of 127 Symantec certificates with irregularities, leading to a thorough investigation by Google, which reportedly found nearly 30 000 impacted certificates. Google decided to sanction Symantec severely by reducing the validity of its certificates to 9 months and by removing the EV status of Symantec certificates within a very short period. Symantec reacted immediately by sanctioning the 4 partners who were at the root of the errors. Many discussions between the two groups, and with many important actors of the industry, have taken place since March 2017. Some of these publications, proposals and counter-proposals have created confusion.

These discussions led Google and Symantec to an agreement on a method and a transition calendar towards a new PKI infrastructure for Symantec. Google officially communicated on this subject on Friday, July 28th. This communication can be consulted here.

Symantec has committed to building a new PKI infrastructure in collaboration with a third party, to prove its good faith, meet Google’s transparency requirements and maintain the high level of trust that web users have always placed in the group. This infrastructure change will take place on December 1st, 2017 and will require the replacement (or, where applicable, the renewal) of all existing certificates for the Symantec brands: Symantec, Thawte, GeoTrust and RapidSSL. This extended deadline will allow a smooth transition, without impact on web users.

Since August 2nd, we know that this trusted third party will be Digicert.

What calendar?

Google distinguishes Symantec certificates issued before June 1st, 2016 from those issued after that date (mandatory logging in Certificate Transparency). The loss of trust in these two categories of certificates will come with two different versions of Chrome, hence the following calendar:

– Category 1: certificates issued before June 1st, 2016 will have to be replaced (or renewed*) between December 1st, 2017 and March 15th, 2018 (arrival of the Chrome 66 beta).

– Category 2: certificates issued between June 1st, 2016 and November 30th, 2017 will have to be replaced (or renewed*) between December 1st, 2017 and September 13th, 2018 (arrival of the Chrome 70 beta).

The sense of urgency conveyed by some market actors is therefore not justified.

*Anticipated renewal: a certificate can be renewed up to 90 days before its expiration date without reducing the validity period of the newly issued certificate.

Are you impacted?

Yes, you are, if you hold certificates issued under one of the Symantec brands (Symantec, Thawte, GeoTrust, RapidSSL) through Nameshield or any other provider you work with. All that remains is to sort them into the two categories mentioned above. We can help you identify the certificates potentially impacted and sort them into the right categories, in order to plan the actions to carry out from December 1st, 2017.
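The sorting described above can be automated over a certificate inventory. The following Go program is an added example written for this article, not code from Nameshield or from any of the CAs mentioned: it applies the two categories and their replacement windows, the Symantec brand names, and the 90-day anticipated-renewal rule from the footnote. The inventory rows, host names and issuer names are constructed; a real inventory would come from the certificates themselves or from the provider’s portal, and the “Other CA” issuer simply stands for any non-Symantec brand.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Cert is one row of a certificate inventory (constructed fields; a real inventory
// would be extracted from the certificates themselves or from the provider's portal).
type Cert struct {
	Host      string
	Issuer    string    // issuer name as printed in the certificate
	NotBefore time.Time // issue date
	NotAfter  time.Time // expiry date
}

// Window is the period during which a certificate must be replaced or renewed.
type Window struct {
	Category   int // 1 or 2 as in the article; 0 = not concerned
	Start, End time.Time
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

var (
	ctCutoff = date(2016, 6, 1)  // Certificate Transparency became mandatory for Symantec
	newPKI   = date(2017, 12, 1) // first day of the new PKI infrastructure
	cat1End  = date(2018, 3, 15) // Chrome 66 beta
	cat2End  = date(2018, 9, 13) // Chrome 70 beta
	brands   = []string{"symantec", "thawte", "geotrust", "rapidssl"}
)

// IsSymantecBrand reports whether the issuer name belongs to one of the Symantec brands.
func IsSymantecBrand(issuer string) bool {
	issuer = strings.ToLower(issuer)
	for _, b := range brands {
		if strings.Contains(issuer, b) {
			return true
		}
	}
	return false
}

// Classify applies the article's calendar: category 1 for certificates issued before
// June 1st, 2016, category 2 for those issued up to November 30th, 2017. Certificates
// from other CAs, or issued on or after December 1st, 2017 by the new infrastructure,
// are not concerned.
func Classify(c Cert) Window {
	if !IsSymantecBrand(c.Issuer) || !c.NotBefore.Before(newPKI) {
		return Window{}
	}
	if c.NotBefore.Before(ctCutoff) {
		return Window{Category: 1, Start: newPKI, End: cat1End}
	}
	return Window{Category: 2, Start: newPKI, End: cat2End}
}

// EarliestRenewal is the first day an anticipated renewal is possible without losing
// validity on the new certificate: 90 days before expiry (see the footnote).
func EarliestRenewal(c Cert) time.Time { return c.NotAfter.AddDate(0, 0, -90) }

// Plan says whether the certificate can be handled by an anticipated renewal inside its
// window, and from which day; otherwise it has to be replaced (re-issued) before the end.
func Plan(c Cert) (w Window, renewFrom time.Time, canRenew bool) {
	w = Classify(c)
	if w.Category == 0 {
		return w, time.Time{}, false
	}
	renewFrom = EarliestRenewal(c)
	if renewFrom.Before(w.Start) {
		renewFrom = w.Start
	}
	return w, renewFrom, !renewFrom.After(w.End)
}

func main() {
	inventory := []Cert{ // constructed sample entries
		{"www.example.com", "Symantec Example Intermediate CA", date(2016, 2, 10), date(2018, 2, 10)},
		{"mail.example.com", "GeoTrust Example Intermediate CA", date(2017, 3, 1), date(2019, 3, 1)},
		{"shop.example.com", "Other CA", date(2017, 6, 1), date(2019, 6, 1)},
	}
	for _, c := range inventory {
		w, from, ok := Plan(c)
		switch {
		case w.Category == 0:
			fmt.Printf("%-18s not concerned\n", c.Host)
		case ok:
			fmt.Printf("%-18s category %d: renew between %s and %s\n", c.Host, w.Category,
				from.Format("2006-01-02"), w.End.Format("2006-01-02"))
		default:
			fmt.Printf("%-18s category %d: replace before %s (renewal window only opens %s)\n",
				c.Host, w.Category, w.End.Format("2006-01-02"), from.Format("2006-01-02"))
		}
	}
}
```

The second sample row shows the case worth planning for: a category 2 certificate that expires long after its replacement window closes cannot be handled by an anticipated renewal, since the 90-day mark falls after September 13th, 2018, so it has to be re-issued instead.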

And Digicert in all this?

Digicert is an American company whose current market share represents 2.2% of the world market, according to the latest W3Techs report. It is a company renowned for the quality of its authentication team’s work and its conformity with the CA/Browser Forum’s Baseline Requirements. Digicert has been growing steadily for several years on solid values and manages the certificate portfolios of very important companies and websites around the world.

Digicert will become a major actor in the certificate market by taking over Symantec’s 14% share of the global market, and, more interestingly, Symantec’s 40% share of EV certificates and 30% share of OV certificates.

On paper, this acquisition is good news for all Symantec customers. It guarantees continuity in the quality of the services provided and a successful transition towards the new PKI infrastructure requested by Google. What remains to be seen is Digicert’s capacity to respect the calendar imposed by Google; we will monitor this closely.

What does Nameshield think of this?

Nameshield has trusted Symantec and its teams for several years: on the one hand for its quality of service, which allows us to provide you with first-class service, and on the other hand for the brand image and the trust this group has built among web users. The management of this Google/Symantec crisis does not call into question the trust we have in this partner, whose support remains irreproachable.

Furthermore, we had been in contact with Digicert for a few months to extend our solutions portfolio, so we welcome this acquisition announcement as positive news for our customers and partners, and we are confident in the continuity of the services we can offer you. The trust you place in us is paramount, and if you want to move in a different direction, Nameshield remains at your service to propose alternatives.

Let’s talk about DNSSEC

DNSSEC has taken shape and has become essential in the security processes recommended by ANSSI as well as on the web in general. And yet it is a barbaric term that often scares people, because they do not know how it works or what it is used for. This article will focus on clarifying this term.

The Domain Name System Security Extensions are a standardized communication protocol that addresses security problems related to the DNS. We will begin with a reminder of what the DNS is.

What is the DNS?

Simply put, the Domain Name System is rather like an Internet directory. It is a service translating a domain name into IP addresses. It relies on a database distributed over millions of machines. Humans identify, memorize and differentiate names more easily than series of numbers. The DNS was defined and implemented in the 80s and has become an essential element of the Internet.


How does the DNS work?

The DNS allows a web user to type a domain name into their web browser to access a website. The browser then “resolves” this domain name to obtain the IP address of the web server hosting the website, and displays it. This is called “DNS resolution”.

(Figure: DNS resolution)

What are the risks related to the DNS?

If the DNS goes down, your websites and emails become unavailable, which is unthinkable nowadays. Other applications in the company can be impacted too: VPN access, intranet, cloud, VoIP… everything that potentially needs names resolved to IP addresses. The DNS must be protected and remain highly available.

Even though the DNS protocol was created with security in mind, many security flaws of the DNS protocol have been identified since its creation. The main flaws of the DNS are described in RFC 3833, published in August 2004: query packet interception, fake answers, data corruption, DNS cache poisoning and denial of service.

To deal with these vulnerabilities, the DNSSEC protocol was created.


DNSSEC challenges

DNSSEC prevents these different attacks, particularly cache poisoning, by guaranteeing the integrity of the DNS resolution. The challenges DNSSEC has to address are:

  • how to guarantee data integrity and authenticate the DNS actors (resolver, authoritative server) while keeping backward compatibility with the DNS;
  • how to secure access to the requested resource for billions of web users;
  • how to find a solution light enough not to overload name servers.


DNSSEC process

To guarantee the integrity of the DNS resolution, DNSSEC builds a chain of trust that goes back to the DNS root (see the DNS root server image above). Data is secured by a key mechanism (KSK for Key Signing Key and ZSK for Zone Signing Key) which signs the DNS records of the zone. Public keys are sent to the corresponding registry to be recorded; since the registry is itself linked by DNSSEC to the root server, the chain of trust is established. Each parent DNS zone vouches for the authenticity of its child zones’ keys by signing them.

(Figure: DNSSEC process, without DNSSEC on the left and with DNSSEC on the right)
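The chain of trust described in this section, as well as the cache-poisoning scenario in the “What are the risks” section, can be seen in a small simulation. The Go program below is an added example written for this article, not Nameshield’s code and not an implementation of the DNSSEC wire format: it uses Ed25519 signatures over ad-hoc message encodings in place of real DNSKEY, DS and RRSIG records, and a constructed chain root → fr. → example.fr. with a TEST-NET address. What it keeps from DNSSEC is the structure: each zone’s KSK signs its key set, its ZSK signs its records, the parent publishes and signs a digest of the child’s KSK, and the resolver starts from a single trust anchor (the root KSK).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Simplified model of the DNSSEC chain of trust (added example, not the DNS wire format;
// Ed25519 over ad-hoc message encodings stands in for real RRSIG/DS records). Each zone
// has a KSK signing its key set and a ZSK signing ordinary records; a parent publishes
// a DS (digest of the child's KSK) signed with its ZSK; the resolver trusts only the root KSK.

type KeySet struct { // the zone's published DNSKEY records
	Zone     string
	KSK, ZSK ed25519.PublicKey
	KSKSig   []byte // KSK signature over Zone, KSK and ZSK
}

type Record struct { // a signed resource record (A, or DS in the parent zone)
	Owner, Type, Data string
	Sig               []byte // ZSK signature of the zone holding the record
}

type Delegation struct { // parent's signed DS plus the child's key set
	DS   Record
	Keys KeySet
}

type Zone struct { // private side; only the authoritative operator holds this
	Keys             KeySet
	kskPriv, zskPriv ed25519.PrivateKey
}

func keySetMsg(k KeySet) []byte { return bytes.Join([][]byte{[]byte(k.Zone), k.KSK, k.ZSK}, []byte{0}) }
func recordMsg(r Record) []byte { return []byte(r.Owner + "\x00" + r.Type + "\x00" + r.Data) }

// DSDigest is the parent's digest of the child's KSK.
func DSDigest(childKSK ed25519.PublicKey) string { return fmt.Sprintf("%x", sha256.Sum256(childKSK)) }

// NewZone generates a KSK and a ZSK and signs the key set with the KSK.
func NewZone(name string) *Zone {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Keys: KeySet{Zone: name, KSK: kskPub, ZSK: zskPub}, kskPriv: kskPriv, zskPriv: zskPriv}
	z.Keys.KSKSig = ed25519.Sign(kskPriv, keySetMsg(z.Keys))
	return z
}

// Sign signs a record with the zone's ZSK.
func (z *Zone) Sign(owner, rtype, data string) Record {
	r := Record{Owner: owner, Type: rtype, Data: data}
	r.Sig = ed25519.Sign(z.zskPriv, recordMsg(r))
	return r
}

// VerifyChain validates rec by walking from the trust anchor down through each delegation.
func VerifyChain(anchor ed25519.PublicKey, root KeySet, path []Delegation, rec Record) error {
	if !bytes.Equal(root.KSK, anchor) || !ed25519.Verify(root.KSK, keySetMsg(root), root.KSKSig) {
		return errors.New("root key set does not match the trust anchor or is not signed by it")
	}
	parent := root
	for _, d := range path {
		child := d.Keys
		if d.DS.Type != "DS" || d.DS.Owner != child.Zone || !ed25519.Verify(parent.ZSK, recordMsg(d.DS), d.DS.Sig) {
			return fmt.Errorf("no valid DS for %s signed by %s", child.Zone, parent.Zone)
		}
		if d.DS.Data != DSDigest(child.KSK) {
			return fmt.Errorf("KSK of %s does not match the DS published by %s", child.Zone, parent.Zone)
		}
		if !ed25519.Verify(child.KSK, keySetMsg(child), child.KSKSig) {
			return fmt.Errorf("key set of %s is not signed by its KSK", child.Zone)
		}
		parent = child // the child's ZSK is now trusted for records in its zone
	}
	if !ed25519.Verify(parent.ZSK, recordMsg(rec), rec.Sig) {
		return fmt.Errorf("%s %s is not signed by %s", rec.Owner, rec.Type, parent.Zone)
	}
	return nil
}

// BuildExample signs the constructed chain root -> fr. -> example.fr. and returns what a
// validating resolver needs: trust anchor, root key set, delegations and the final A record.
func BuildExample() (ed25519.PublicKey, KeySet, []Delegation, Record) {
	root, fr, ex := NewZone("."), NewZone("fr."), NewZone("example.fr.")
	path := []Delegation{
		{DS: root.Sign("fr.", "DS", DSDigest(fr.Keys.KSK)), Keys: fr.Keys},
		{DS: fr.Sign("example.fr.", "DS", DSDigest(ex.Keys.KSK)), Keys: ex.Keys},
	}
	rec := ex.Sign("www.example.fr.", "A", "192.0.2.10") // constructed TEST-NET-1 address
	return root.Keys.KSK, root.Keys, path, rec
}

func main() {
	anchor, root, path, rec := BuildExample()
	fmt.Println("genuine answer:", VerifyChain(anchor, root, path, rec))
	// A poisoned cache entry: same owner, substituted address, signature no longer matches.
	forged := rec
	forged.Data = "203.0.113.66"
	fmt.Println("forged answer:", VerifyChain(anchor, root, path, forged))
}
```

The point of the walk in VerifyChain is that a resolver never has to trust any key it receives over the network: every key set is accepted only because the zone above already vouched for its KSK digest, down to the single anchor it was configured with. An answer whose data was altered in transit, or a zone signed with keys the parent never published, fails at the corresponding step.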

DNSSEC, Nameshield and you:

DNSSEC acts as an essential protection for your strategic names, guaranteeing the authenticity of DNS answers. It is advisable to identify the names that need to be protected. Not all TLDs offer DNSSEC yet. Here is a list of the principal TLDs that do; it changes regularly, with many more coming:

TLDs supporting DNSSEC: .fr, .com, .be, .net, .eu, .pl, .re, .pm, .yt, .wf, .tf, .info, .li, .ch, .biz, .de, .sx, .org, .se, .nl, .in, .us, .at, .nu, .la, .ac, .cz, .me, .sh, .io, .uk, .co.uk, .me.uk, .org.uk.

All new gTLDs, such as .paris, .club, .xyz, .wiki and .ink, also support DNSSEC.

DNSSEC is included at no extra cost in the Nameshield DNS Premium offer. Nameshield supports you in this process to secure your intangible assets and manages the whole DNSSEC process for you, from key creation to storage and renewal.

It is not the only measure to put in place: registry lock, the DNS Premium service and SSL certificates are complementary solutions to implement; we will have the opportunity to discuss them in other articles or at the next nameshield.cafe.

Towards a 100% encrypted web, the new challenges of HTTPS

Between March 2016 and March 2017, Let’s Encrypt issued 15 270 SSL certificates containing the term “PayPal”; 14 766 of these certificates were issued for domains leading to phishing websites. This is the result of a recent analysis by Vincent Lynch, SSL expert.

(Figure: PayPal, fake or real)

Lynch took a close interest in this case after an interesting article published by Eric Lawrence (Google Chrome Security Team) in January 2017; the image above comes from this article, named “Certified Malice”, which exposes deceptive SSL certificates and counts “only” 709 cases for PayPal, and many more for big American brands: Bank of America, Apple, Amazon, American Express, Chase Bank, Microsoft, Google…

What’s the impact on web users?

In January 2017, Google and Mozilla updated their browsers with Chrome 56 and Firefox 51, and a major change appeared for web users: “Secure” and “Not secure” appeared in the address bar.

In 2015, the Let’s Encrypt initiative, supported by big names of the Internet (EFF, Mozilla, Cisco, Akamai…), was created with the aim of distributing SSL certificates massively and for free to the whole world. A year and a half later, Let’s Encrypt has issued millions of certificates and other initiatives have followed.

Free means little or no verification before certificates are delivered, and an army of cybercriminals rushing towards these certificates to secure their illicit content (phishing, malware…) and show the term “Secure” in the address bar. How can the average web user easily tell real from fake?

As a reminder, there are three verification levels for certificates allowing a site to display HTTPS: Domain Validation (DV), considered low authentication; Organization Validation (OV), with high authentication; and Extended Validation (EV), with strengthened authentication.

Free certificates are DV and represent almost 90% of certificates, most of the time on “small” websites. OV certificates (9%) and EV certificates (1%) are fewer but protect almost all high-traffic websites. GAFA (Google, Apple, Facebook, Amazon), for example, all use OV or EV.

(Figure: SSL certificates, DV / OV / EV)

The problem for web users is the lack of distinction in browsers between DV and OV certificates. These two types are shown the same way, as “Secure”, whereas EV certificates display the name of the certificate’s owner in the address bar.

Looking at the image at the beginning of this article, we easily understand the value of EV for PayPal: easily telling real from fake. This is why Nameshield systematically advises the use of EV for showcase websites, in particular for clients exposed to cybersquatting, phishing or counterfeiting.

Two forces opposed for the future of HTTPS

Sadly, things are not so simple: where logic would call for a clear distinction between the three types of certificates, or at least between two (DV/OV), Google disagrees and wishes, on the contrary, to suppress the EV display altogether. Chris Palmer (Senior Software Engineer for Chrome) subtly confirms this point in his article published here.

Today we are in a situation where the historical Certification Authorities, Microsoft and, to a smaller extent, Apple face Google, Mozilla and Let’s Encrypt, in positions that can be summarized as follows:

Google/Mozilla/Let’s Encrypt perspective:

HTTP = not secure

HTTPS = secure

Historical Certification Authorities/Microsoft/Apple perspective:

HTTP = not secure

HTTPS DV = no sign in the address bar

HTTPS OV = secure

HTTPS EV = company’s name in the address bar

Within the highest authority on SSL, the CA/Browser Forum, the discussion is still open at this moment. We can easily understand that Certification Authorities look unfavorably on the end of the visual distinction between DV/OV/EV in browsers, since delivering certificates with high authentication is their purpose, but is that wrong? Its aim is to reassure web users by guaranteeing the identity of the website they visit.

Conversely, Google and Let’s Encrypt do not hesitate to say that phishing and the guarantee of website content do not depend on Certification Authorities, and that other systems are responsible for that (for example, Google Safe Browsing). Hence the binary perspective: either exchanges are encrypted and cannot be tampered with (= HTTPS = secure) or they are not (= HTTP = not secure). Faced with this perspective, which has its merits, we may simply wonder whether the problem is not rather a semantic one, in the use of the term “secure”.

What does “secure” mean for web users? When they see “Secure” in their address bar, do they enter their login/password or credit card numbers? We can assume that yes, they do, and in that case the risk is real. Kirk Hall (Director Policy and Compliance – SSL, Entrust) gave a noted talk on this subject at the last RSA conference (if you have time, the recording is here).

Nor can the weight of the financial industry and of big companies, which look unfavorably on the growth of online fraud risk, be neglected; Google cannot ignore that.

How to reassure web users?

For the time being, we can only encourage you to choose Extended Validation certificates for your showcase websites and/or your e-shop, in order to make web users’ task easier, and to stay informed of what is going on on the web. Reassure and educate web users by mentioning on your website the choices you have made in security and authentication.

As you probably monitor domain name registrations on your brands, today you can also monitor certificate registrations so that you can react quickly.

And as a web user, when the term “Secure” appears in the address bar, systematically check the certificate’s details to see who the owner is.
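Checking “who the owner is” comes down to reading the certificate’s Subject: a DV certificate names only the domain, while OV and EV certificates also carry the verified organisation name (which is what an EV-aware browser shows in the address bar). The Go program below is an added example written for this article, not Nameshield’s code. It builds two constructed self-signed certificates, one DV-style and one with an organisation, so that it runs offline; a real check would apply Summarize to the leaf certificate received in the TLS handshake. It assumes that any named organisation means OV or EV; telling the two apart needs the issuing CA’s EV policy identifier, which this example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OwnerSummary is what a user should look at once the address bar says "Secure":
// which names the certificate covers and whether a verified organisation is named.
type OwnerSummary struct {
	Domains      []string
	Organization string
	Level        string // "DV" when no organisation is named, otherwise "OV/EV"
}

// Summarize reads the Subject and Subject Alternative Names of a parsed certificate.
// DV certificates identify only the domain; OV and EV certificates also carry the
// verified organisation. Separating OV from EV needs the issuing CA's EV policy OID,
// which is out of scope here (assumption: any named organisation counts as OV/EV).
func Summarize(cert *x509.Certificate) OwnerSummary {
	s := OwnerSummary{Domains: cert.DNSNames, Level: "DV"}
	if len(s.Domains) == 0 && cert.Subject.CommonName != "" {
		s.Domains = []string{cert.Subject.CommonName} // older certificates: name only in the CN
	}
	if len(cert.Subject.Organization) > 0 {
		s.Organization = cert.Subject.Organization[0]
		s.Level = "OV/EV"
	}
	return s
}

// SelfSigned builds a constructed certificate so the example runs offline; a real check
// would use the leaf certificate received in the TLS handshake.
func SelfSigned(dnsName string, org []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName, Organization: org},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, c := range []struct {
		name string
		org  []string
	}{
		{"www.example.com", nil},                    // what a free DV certificate looks like
		{"www.example.com", []string{"Example SA"}}, // OV/EV: the owner is named
	} {
		cert, err := SelfSigned(c.name, c.org)
		if err != nil {
			panic(err)
		}
		s := Summarize(cert)
		fmt.Printf("%-6s domains=%v organisation=%q\n", s.Level, s.Domains, s.Organization)
	}
}
```

Both constructed certificates cover the same domain; only the second one tells the user who stands behind it, which is exactly the distinction the article says browsers no longer make visible for DV versus OV.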

HTTPS and SSL: Google continues its offensive

Chrome 53 was launched on 31 August 2016 and with it Google continues its offensive for a safer Internet.

With its Chrome browser, Google signals even more clearly when a site does not use HTTPS on its landing page. And the coming versions will continue in this vein, purely and simply marking HTTP with a red cross. This ‘ugly defacement’ will be difficult to accept on corporate websites, in particular those of well-known brands.

(Figures: Cdiscount website in HTTP; Amazon website in default HTTPS; Nameshield website in HTTPS EV (Extended Validation))

Firefox has already announced a similar measure. Add to that HTTPS as an additional ranking factor in SEO and the requirement of HTTPS for pages collecting personal data in Google Shopping results: if you have not yet considered it, it is time to prepare to migrate your website to a more secure environment.

Why adopt HTTPS now?

  • It is becoming essential.
  • It is good for your online image, especially with Extended Validation (green address bar).
  • The transition from HTTP to HTTPS is becoming more pressing and it is better to prepare for it now rather than as a matter of urgency.

What will the address bar look like in January 2017?

On website pages offering HTTP password entry or accepting credit card details, a small warning icon will appear together with the text “Not Secure”.

Going forward, what Chrome proposes to display

For all websites, Google’s ultimate goal is to display the “Not secure” wording for all HTTP pages.

(Figure: the “Not secure” indicator in Chrome)

Source : https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

The Nameshield team can assist you in selecting the most appropriate SSL certificates for HTTPS, contact your account manager to discuss.