The CAA becomes mandatory in the small SSL’s world

Or how to benefit from it to implement a certification strategy specific to your company?

The CAA becomes mandatory in the small SSL’s world

In January 2013, a new type of DNS Resource Record has appeared to improve the control chain in the SSL certificates issuing. This record, called CAA for Certificate Authority Authorization, allows to specify for a given domain name which Certification Authorities are authorized to issue certificates.

It’s an extremely interesting creation, in particular for big companies and groups, which technical teams are scattered in the World and for which it’s often difficult to require a global certification strategy. It’s not unusual for companies to accidentally discover the existence of certificates requested by teams not knowing the processes, by external consultants, issued by Certification Authorities with a bad image, or for certificates of low level of authentication (DV). The implementation of CAA record on your domain names is a good solution to control what the teams are doing and the news on SSL’s world will help you do that.

Indeed, if the CAA has been detailed in the RFC-6844 from 2013, it was not mandatory until today, for a Certification Authority to check if it was authorized or not to issue a certificate on a given domain name, hence a certain uselessness of this and a very low adoption.

September 8th, 2017 – The CAA checking becomes mandatory

We had to wait until March 2017, and a positive vote of the CAB/forum (ballot 187) to make this verification mandatory. Since the 8 September, the Certification Authorities have the duty to do this verification at the risk of sanctions from CAB/forum and browsers, the recent news regarding Google and Symantec has shown us how it’s not in their interests.

Three scenarios occur during this verification on a given domain name:

  • A CAA record is set and indicates the Certification Authority name, this one can issue the certificate.
  • A CAA record is set and indicates a Certification Authority’s name different, this one CANNOT issue the certificate.
  • No CAA record is set, any Certification Authority can issue a SSL certificate.

The CAA becomes mandatory in the small SSL’s world

It’s important to note that for a given domain name, many CAA records can be declared. A simple tool (among many others) to test your domain name, is available online: https://caatest.co.uk/

How to benefit from CAA for my company?

If it’s not already done, the establishment of the CAA checking is the opportunity for your company to define a certification strategy and to be able to ensure that it is complied with.

Define one (or multiple) Certification Authority corresponding to your values and to your expectations in term of service quality is a first step.

It will require to put around the table the marketing stakeholders to validate the impact on websites display and the technical services to ensure of the chosen provider’s quality. It will then be necessary to declare these CAA records in the different zones of your domain names.

It’s then important to communicate with all the operational staff so they become aware of the rules imposed within the company, in order not to block them in obtaining a certificate.

Indeed, Nameshield’s experience shows that SSL certificates are often requested in a hurry; moreover the browser’s last versions are not kind towards certificates’ errors by ostensibly displaying “not secure”. In consequence, blocking the issuing of a certificate because the communication didn’t get through can be damaging.

Such strategy presents real advantages in the control of certificates, in marketing, technical, risks control and costs associated to certificates. It’s necessary to conduct it with full knowledge and in order to do it, our SSL experts’ team can assist you.

Equifax victim of a massive cyberattack

Equifax victim of a massive cyberattack

The American company Equifax, based in Atlanta, present in 24 countries, has been the prey of a particularly worrying cyberattack.

Equifax collects and analyzes personal data of customers soliciting a credit. At the beginning of September, the company revealed an intrusion in its database.

This IT hacking could have potentially concerned around 143 million American customers and many others customers soliciting a credit like Canada or Great Britain. The criminals have exploited a breakdown in a web application between mid-May and July. They have obtained names, social security numbers, birthdates, addresses and some driving license numbers. These data theft is really worrying.

This information will facilitate identity fraud and account hacking. In the United States, the social security number is necessary to work, open a bank account or obtain a driving license and usually to rent an apartment. Some data might even be already on sale on the Dark Web (part of the Web non-indexed by general search engines).

This attack directly touches the heart of Equifax’s identity and activity. The company has implemented a website (www.equifaxsecurity2017.com) and a phone number at the disposal of their customers and a security company to evaluate the damages.

Equifax victim of a massive cyberattack
Equifaxsecurity2017.com website

All companies should see this attack like a warning. This example is indeed the proof that companies can have difficulty in seeing what is happening inside their own computer networks. New attacks, each day more sophisticated, go more and more unnoticed.

Moreover, Equifax affirms to have discovered the attack on July the 29th. However, the communication done to the customers comes only at the beginning of September: an abnormal delay regarding data protection this sensitive. Today, those data have vanished into thin air.

This large scale hacking is far from being the first one. Last year, the Yahoo group has announced that one billion accounts have been hacked, while other American companies have also been the victims of hacking, like the Adult Friend Finder website, or Target, the distribution group. The thieves didn’t access to social insurance numbers, or driving licensing though.

This attack comes only to strengthen the necessity for companies to consider in their security strategy all the flaws likely to serve as entrance to cybercriminals.

The 3 most common DNS attacks and how to defeat them

The 3 most common DNS attacks and how to defeat them

In October 2016, many popular websites like Amazon, Twitter, Netflix and Spotify have become unavailable to millions web users in the United Sates, during almost 10 hours, i.e. an eternity. The cause, one of the most powerful attacks of Internet history on Dyn’s DNS services, a major actor in this sector.

Other companies like Google, The New York Times and many banks have also been the victims of different kinds of attacks aiming at the DNS, the last few years, and if in many companies, the DNS stays forgotten, things are evolving towards awareness forced by these many attacks.

Attack #1: DNS cache poisoning and spoofing

The aim of DNS poisoning is to take web users towards a scam website. For example, a user enters gmail.com in their web browser with the objective to consult their mailbox. The DNS having been poisoned, it’s not the gmail.com page which is displayed but a scam page chosen by the criminal, in order, for example, to retrieve the email box accesses. The users entering the correct domain name, will not see that the website they’re visiting is not the right one but a scam one.

It creates a perfect opportunity for the cybercriminals to use phishing methods in order to steal information, either identification information or credit card information from unsuspicious victims. The attack can be destructive, depending on many factors, the attacker’s intention and the DNS poisoning impact.

How are the hackers making their strike? By exploiting the DNS cache system.

The DNS cache is used in all the web to accelerate the time charging and reduce the charges on DNS servers. The cache of a web document (web page, images) is used to reduce bandwidth consumption, the web server charge (tasks it carries out) or to improve the consultation speed of the browser use. A web cache keeps documents copies transiting through its way. Once a system requests to the DNS server and receives an answer, it records information in a local cache for a faster reference, in a given time, without having to search the information. The cache can answer to past requests based on its copies, without using the original web server.

This approach is used around the web in a regular way and in chain. The DNS server records are used to cache records on another DNS. This server is used to cache DNS records on network systems like rooters. These records are used to create caches on local machines.

DNS poisoning arrives when one of its caches is compromise.

For example, if a cache on a network rooter is compromised, then anyone who uses it can be misdirected towards a fraudulent website. The false records of DNS is branched to the DNS caches on the machine of each user.

This attack can also target the high links of the chain. For example, a major DNS server can be compromised. It can damage DNS servers’ caches managed by the Internet services providers. The “poison” can impact on the systems and peripheral networking of their customers, which allows to forward millions of persons towards fraudulent websites.

Does it seem crazy to you? In 2010, many American web users couldn’t access websites like Facebook and YouTube, because a DNS server of a high level internet services provider has accidently retrieved the records of the Chinese big firewall (Chinese Government blocked the accesses to these websites).

The antidote to this poison

The DNS cache poisoning is very difficult to detect. It can last until the TTL (time to live – validity time of a request in cache) expires on the cache data or an administrator realizes it and resolves the problem. Depending on the TTL duration, servers can take some days before resolving the problem by themselves.

The best methods to prevent an attack by DNS cache poisoning include the regular update of the program, the reduction of TTL times and the regular suppression of DNS caches of local machines and network systems.

For the registries that allow it, the implement of DNSSEC is the best solution in order to sign domain names’ zones on all the chain and make impossible a cache poisoning attack.

Attack #2: Attack by DNS amplification (of DDoS type)

Attacks by DNS amplification are not threats against DNS systems. Instead of this, they exploit the open nature of DNS services to reinforce the power of the attacks by distributed denial of services (DDoS). These attacks aren’t the lesser known, targeting for example well known websites like BBC, Microsoft, Sony…

Hold on and amplify

DDoS attacks generally occur with the help of a botnet. The attacker uses a network of computers infected by malwares to send mass traffic towards the target, like a server. The purpose is to surcharge the target and slow it or crash it.

Attacks by amplification add more power. Instead of directly sending traffic from a botnet to a victim, the botnet sends requests to other systems. These systems answer by sending more important traffic volume to the victim.

Attacks by DNS amplification are the perfect examples. The attackers use a botnet to send thousands of search requests to open DNS servers. The requests have a fake source address and are set up to maximize data quantity sent back by each DNS server.

The result: an attacker sends relatively restrained quantities of traffic from a botnet and generates traffic volumes proportionally superior or “amplified” of DNS servers. The amplified traffic is directed towards a victim which causes the system’s breakdown.

Detect and defend ourselves

Some firewalls can be set up to recognize and stop the DDoS attacks as they occur by deleting artificial packages trying to flood the systems on the network.

Another way to fight against these DDoS attacks consists in hosting your architecture on many servers. This way, if a server is surcharged, another one will always be available. If the attack is weak, the IP addresses of traffic sending can be blocked. Furthermore, a rise of the server’s bandwidth can allow it to absorb an attack.

Many dedicated solutions also exist, conceived exclusively to fight against DDoS attacks.

Attack #3: DDoS attack on DNS

DDoS attacks can be used against many systems types. It includes the DNS server. A successful DDoS attack against DNS server can cause a breakdown, which makes the users unable to surf the web. (Note: users are susceptible to continue to reach websites they have recently visited, by supposing that the DNS record is registered in a local cache.)

This is what happened to Dyn’s DNS services, as described at the beginning of this article. The DDoS attack has surcharged the DNS infrastructures that prevents millions of persons to access principal websites which domain names were hosted on.

How to defend yourself against these attacks? It all depends on your DNS configuration.

For example, do you host your DNS server? In this case, there exist measures that you can take to protect it, by updating the last patches and by only allowing local computers to access it.

Are you perhaps trying to reach the attacked DNS server? In this case, it will probably be hard for you to connect. That’s why, it’s wise to set up your systems to rely on more than one DNS server. This way, if the principal server doesn’t answer anymore, a backup server will be available.

Predict and reduce the attacks

DNS server attacks are a major risk of security for the network and have to be taken seriously. Companies, hosts and Internet services providers, implement backup measures to prevent and reduce the effects of this kind of attacks when they are the victims.

Following these attacks, ICANN has highlighted more strongly than ever the necessity to use the DNSSEC protocol to sign each DNS request with a certified signature, by ensuring that way the authenticity. This technology’s disadvantage is that it has to be implemented at every stages of DNS protocol in order to operate properly – which arrives slowly but surely.

Opt for hosted infrastructures and maintained by DNS experts. Make sure that the network is anycast (multiple points of presence distributed around the world or at least on your influence zones), beneficiates of anti-DDoS filter and offers you supplementary security solutions like DNSSEC but also failover, to integrate the DNS in your PCA and PRA.

Nameshield has its own DNS Premium infrastructure to answer to their customers’ needs. This infrastructure answers in particular to (even exceeds) all ANSSI prerequisites. The DNS Premium solution is integrated in the scope of our ISO 27001 certification.

Don’t hesitate to contact us for all questions regarding cyberattacks.

DNS – the big forgotten of Internet

DNS continues to be one of the most targeted Internet services, and it remains the Achilles heel of global Internet infrastructure. DNS was not only the most heavily abused protocol for reflection/amplification DDoS attacks this year, but an attack targeting a specific DNS provider was also the cause of the most widespread Internet outage of 2016 (Note: attack on the provider Dyn, which caused for about ten hours, the inaccessibility of a big part of Internet in the USA, particularly impacting Twitter, Ebay, Netflix, Amazon, Paypal… in October 2016).”

Arbor Network Infrastructure Security Report – June 2017

But what is the DNS?

DNS – the big forgotten of Internet

Because the human being is more apt to remember a name than a number, and because this is even more true for going on a website, between a domain name and an IP address, the human being, in order to simplify their life, have created the DNS: Domain Name System (or service).

For example: “I want to go on Google.com, my browser will ask the DNS what the IP address of the web server hosting google.com is, it will obtain it, then go on it and download the page.”

The DNS is a public database, decentralized and distributed, which associates domain names to IP addresses. It exists since 1985. It’s a part we can qualify as Internet infrastructure, essential to operate… and yet the DNS is invisible to the user.

The DNS has been massively adopted because it’s practical. It simplifies the user’s life and allows them to easily identify, differentiate, locate, memorize and transmit the domain name of a website associated to a brand. It has also been adopted on the other side of the mirror by its networks administrators to identify and differentiate servers, it is even more true with IPv6, with hosts multiplication and the arrival of the all connected. The DNS allows them, last but not least, to have the possibility to change servers and IP addresses in all transparency for the web user.

The DNS is omnipresent within the Internet. Everyone should be able to have access to it, if not, the Web would not operate anymore. This is what has happened in 2016 to our American compatriots, who had to do without Twitter or frenetically buying during almost 10 hours. The lost profit regarding revenue and impact on the brand image of the impacted companies have been significant.

But as it is invisible, everyone tends to forget it… and to realize it when it’s too late.

Strategic services relying on the DNS and the associated risks

Websites and email are two major services which systematically rely on DNS. Imagine that your website is unavailable for 1 minute, 10 minutes, 1 hour… and the consequences for your company, revenue, service discontinuity, image of the brand, customer’s loss. And what the consequences are for the absence of emails on this same period…

If these two services are the most potentially impacted, others can systematically rely on DNS:

VPN, VOIP, instant messenger… with the consequences smaller but equally regrettable for the operating of the company.

Attacks on DNS

Sadly, DNS servers are exposed to many potential attacks:

– Cache poisoning: make the DNS servers believe they receive a valid answer to their request while it is fraudulent. Once the DNS poisoned, the information in cache makes all the users vulnerable (send to a fake website).

Man in the middle: The attacker alters the DNS server(s) of the parts in order to redirect their communication to them without the parts realizing it.

DNS spoofing: redirect the web users without them knowing, towards hacked websites.

DDoS: DNS are more and more targeted by DDoS attacks, in order to saturate them and prevent them to ensure the resolution of the company’s key services.

And all these attacks have the same consequences: hijack or stop the companies ‘traffic.

The big forgotten

From the user’s point of view, the DNS doesn’t exist, they use the naming system of domain names to navigate and send emails, they have only one need: that it works.

From the company’s side, the problem is different, it is usually a lack of information, a lack of conscience of the DNS importance and the consequences of a service breakdown.

In most of the cases, companies do not really pay attention. They will use an important budget to register and manage domain names, to rise their visibility and protect their brands, but will not linger on DNS servers’ strength at their disposal from their provider.

The good practices to implement: having first rate DNS infrastructure

DNS the big forgotten - DNS availability time

First of all, consider whether your strategic domain names already beneficiate from a particular attention from the DNS infrastructure. Are called strategic, all domain names on which rely the key services traffic of the company: web sites, email, VPN, instant messenger…

To gain its own DNS infrastructure is a solution which presents advantages of flexibility and control, but the acquisition cost, management and maintaining on one side, complexity and necessary knowledge on the other, are often crippling or badly evaluated. It’s usually easier to go for an extern DNS infrastructure, managed by a registrar, host or specialized provider. It is then appropriate to check which availability annual rate is ensured and how it relies on the good practice for a maximum availability.

To ensure a high availability to your Internet services, it’s essential to choose a DNS solution highly available which offers:

– Necessarily functionalities to a DNS intensive use;

– A network of anycast type to reduce the DNS resolution time and ensure an optimal access time to your websites.

– A DNS infrastructure secured and staying available even in case of attack.

– Key functionalities like : GeoIP, Failover, Registry lock, DNSSEC, anti-DDoS smart filter

Conclusion

The DNS is not visible but is everywhere, it ensures the access to our key services thanks to the resolution of your strategic domain names, it is potentially exposed to many attacks with disastrous consequences and it lacks too often attention from companies. So.. Don’t forget about it and if necessary, talk about it with your Nameshield partner.

Some movement in the SSL’s world: Digicert acquires Symantec’s certificates activity

Digicert acquires Symantec’s certificates activity

On Wednesday, August 2nd, Digicert announced the acquisition of Symantec’s Website Security Business branch (including SSL business, and some other services). It’s the direct consequence of the conflict opposing Symantec to Google for a few months.

Digicert acquires Symantec’s certificates activity
DigiCert’s Twitter account

You have certainly already heard about this disagreement opposing two companies on a certain number of certificates issued by Symantec and the possible loss of trust towards these certificates in the next versions of Chrome. Many information and dates have been flowing on this subject, sometimes contradictory, it can be sensitive to evaluate the impact on your own certificates.

Nameshield as a Symantec’s Platinum partner, has followed very closely the development of this case to ensure that its customers and partners don’t risk to be impacted and suffer from a loss of trust within their browsers. The very latest developments of this case lead us to communicate the following important information:

What happened?

Google and Symantec had a dispute in 2015, Symantec’s teams taking for example certificates often based on the CN google.com, by really issuing them to delete them afterwards. It was objectively a mistake and Google has sanctioned Symantec by making compulsory the subscription of all certificates within the Certificate Transparency base, which since became the market standard and a mandatory for all Certification Authorities. This decision was effective on June 1st, 2016.

At the beginning of 2017, Google and Mozilla announced the discovery of 127 Symantec certificates with irregularities, leading to a thorough investigation from Google, which would have found nearly 30 000 impacted certificates. Google decided to severely sanction Symantec by reducing the certificates’ duration to 9 months and by deleting the EV status for Symantec certificates in a very short period. Symantec has immediately reacted by sanctioning 4 partners who were at the roots of the errors. Many discussions between the two groups, and with many important actors of the industry, took place since March 2017. A part of these publications, proposals and counter-proposals has created confusion.

These different discussions have led Google and Symantec to an agreement on a method and a transition calendar towards a new PKI infrastructure for Symantec. Google officially communicated on this subject on Friday, July 28th. This communication can be consulted here.

Symantec is committed to create a new PKI infrastructure in collaboration with a third party to prove its good faith, answer to the transparency requirements of Google and maintain the high degree of trust which has always benefited the group from the web users. This infrastructure change will take place on December 1st, 2017 and will require the replacement (or if any, the renewal) of all the existing certificates for Symantec brands, Thawte, Geotrust and RapidSSL. This extended deadline will allow a smooth transition, without impact on web users.

Since August 2nd, we know that this trusted third party will thus be Digicert.

What Calendar?

Google distinguishes Symantec certificates issued before June 1st, 2016 from those issued after this date (Mandatory subscription in Certificate Transparency). The loss of trust in these two categories of certificates will arrive through two different versions of Chrome, hence the following calendar:

– Category 1: Certificates issued before June 1st, 2016, will have to be replaced (or renewed*) between December 1st, 2017 and March 15th, 2018 (arrival of the beta Chrome 66)

– Category 2: Certificates issued between June 1st, 2016 and November 30th, 2017, will have to be replaced (or renewed*) between December 1st, 2017 and September 13th, 2018 (beta Chrome 70 arrival).

The eventual emergency communicated by the different market actors is therefore not relevant.

*anticipated renewal: a renewal can be done until 90 days before the expiration date of a certificate, without penalizing the duration of the new issued certificate.

Are you impacted?

Yes you are, if you dispose of certificates issued with one of Symantec brands (Symantec, Thawte, Geotrust, RapidSSL) through Nameshield or other providers with whom you would be working. All that remains is to distribute them in the two mentioned categories. We could help you identify the eventual impacted certificates and their distribution in the right categories, in order to plan the actions to carry out from December 1st, 2017.

And Digicert in all this?

Digicert is an American company, of which the actual market share represents 2.2% of the world market, based on the last report of W3tech. It’s a company renowned for the work quality of its authentication team and its conformity with the CAB forum’s Baseline Requirements. Digicert is regularly growing for several years on serious values and manages certificates portfolios of very important companies and websites around the World.

Digicert will become a major actor of the certificates market, by taking the 14% of the global market shares of Symantec. More interesting, the 40% of market shares on EV certificates and 30% on OV certificates which represents Symantec.

On paper, this acquisition is good news for all the Symantec customers. It’s a guarantee of continuity in the quality of provided services. It’s the guarantee of a successful transition towards a new PKI infrastructure requested by Google. It remains to monitor Digicert capacity to respect the calendar imposed by Google, we will closely monitor this.

What does Nameshield think of this?

Nameshield trusts Symantec and its teams for several years. On one hand, for its quality of service, which allows us to provide you a service of first level and on the other hand for the brand image and the trust created by this group to the web users. The management of this Google/Symantec crisis doesn’t question the trust we have in this partner, and whose support remains irreproachable.

Furthermore, we were for a few months, in relation with Digicert to extend our solutions portfolio, we welcome this acquisition announcement like a positive news for our customers and partners, by being confident on the continuity of the services we could offer you. It means that the trust you place in us is primordial and if you want to move in a different direction, Nameshield remains at your service to propose alternatives to you.

Nameshield: The first French registrar certified ISO 27001 on all its registrar activity

Nameshield's ISO 27001 certification

 

 

Nameshield is proud to announce its ISO 27001 certification on all its registrar activity, the product of many months of work.

Why the ISO 27001 certification?

Since its creation, 23 years ago, Nameshield has taken to heart to provide to its customers the best services under conditions of optimal security. By choosing the ISO 27001 standard, this constant care given to all our services is now certified by a competent authority.

The impressive rise of the occurrence and the force of the cybercriminal attacks has comforted the founder and CEO of Nameshield, Jean-Paul Béchu, in his determination to propose to all our users an ISO 27001 certification on all our registrar activity.

Today, it’s frequent that cybercriminals attack services providers in order to reach indirectly their final targets. And if our Security Officer of Information System monitored already the security of our infrastructure, the ISO 27001 reinforces the requirements.

If Nameshield has engaged in this process, the result of an important investment, human and financial, it’s because it’s essential for us to demonstrate and certify the dimension of our engagement in term of security.

To be certified ISO 27001 is to ensure our customers and partners that the security of the Information systems is completely integrated and that Nameshield is committed to a process of constant improvement requiring specific resources, which we have chosen to deploy.

The certification confirms the competence of Nameshield’s employees and their expertise in the protection of critical information.

 

What is the ISO 27001 certification?

ISO 27001 is an international standard which describes the requirements for the establishment of an Information security Management System. This one is intended to choose the security measures to set up in order to ensure the protection of sensitive goods of a company on a defined perimeter. In the case of Nameshield, it covers all of its registrar activity.

At a higher level, the ISO 27001 standard requires that the managers of the company are involved in the cyber defense. In parallel, a steering committee follows the implementation of the new arrangements respecting the standard.

An audit carried out by LRQA, the World Leader of the certification of value added Management systems, allows us to deploy our security measures and to become the first French registration office to be certified on the complete perimeter of its registrar activity.

Nameshield, your trusted partner.

 

Cyber-blurring: the strategy used by Macron’s digital team to face cyberattacks

Cyber-blurring - the strategy used by Macron’s digital team
Photo : www.gouvernement.fr

 

May the 5th , 2017, two hours before the end of 2017 presidential campaign, thousands of documents owned by the campaign team of the candidate Emmanuel Macron have been leaked and have been made public on American forum 4Chan, relayed by Wikileaks. Social media have played an important role in the attack and content diffusion: internal discussion of the political party, briefing notes, pictures, bills, accounting, which represent 9 gigaoctets of hacked data.

Since the beginning of the presidential campaign, it wasn’t the first attack faced by the team of En Marche’s candidate.  Alerted of a potential attack a long time ago, they have set up a cyber-blurring strategy to defend themselves. This method creates dozens of false documents (false emails, false passwords, false accounts) trying to slow down hackers’ work. This strategy is often used in the banking field to protect their customers. (This diversion method is also called digital blurring.)

 

L'Express Twitter account - Cyber-blurring: the strategy used by Macron’s digital team to face cyberattacks
L’Express Twitter account

 

Even if Mounir Mahjoubi, digital director of the En Marche campaign, thinks to have slowed down the hackers’ job with this cyber-blurring method, despite these measures, the attack was not avoided.

The hackers didn’t ask for money in exchange of the documents publishing. These documents which are not compromising for the Emmanuel Macron’s team, were not monetizable because the hackers would have to sort out 9 gigaoctets of data in a few period of time.

Consequences are few on the presidential campaign and the En Marche staff was not really affected. This counterattack was well implemented.

The hackers who were against Macron, didn’t have the success desired. Nevertheless, this failure will get them to become smarter, more ingenious, less visible and better prepared for a next attack.

To be continued.

Connected objects: unavoidable in DDoS attacks?

IoT- DDoS attacks

 

Nowadays consumers use and are around connected objects. The Internet of Things (IoT) includes all connected objects like a connected refrigerator, captor, light bulb, security camera, router or even a thermostat control. Their common point? To have an IP address and to be connected to communicate.

According to the American company Gartner, connected objects will reach 20.5 billion units by 2020. We will face an impressive growth of IoT in the years to come.

China, North America and West Europe will represent 67% of IoT in 2017.

However these connected objects are spreading frequently with security flaws, which is an opportunity for DDoS attacks!

Nowadays, Distributed Denial of Service (or DDoS) attacks are frequent. For hackers, it’s quite easy to set up attacks against an unprotected target. These attacks could lead to significant financial loss for companies by disruption of service (website or email) or indirectly, by the harm caused to the target’s image (bad buzz, bad reputation…).

With the arrival of connected objects, chances to be confronted to DDoS attacks are high.

These attacks are making a service unavailable by flooding the system with requests. With the help of digital and connected objects, hackers can send a massive number of requests on one or many DNS servers. They get to remotely control our objects because of their security flaws. If the DNS servers are not protected by a strong anti-DDoS filter, then they are under the risk of not absorbing the high number of requests and as a result, won’t respond to the user’s demands anymore.

In October 2016, DYN Company, DNS service supplier had been the victim of a DDoS attack by connected devices. DNS infrastructure services had been unavailable, which then impacted on their customers’ services: Twitter, Netflix, Spotify…

Many hours offline for these web pure players have a direct impact on sales revenue. DYN affirms that “Ten billion of IP addresses were touched” by this attack.

Last week, Melbourne IT Registrar was also a victim of a DDoS attack. Some of its customers were affected by this service disruption.

We might see more powerful attacks of this kind in 2017.

In the past, attacks were done by computers, today connected devices are a real weapon. Luckily those companies have affirmed wanting to reinforce security on their connected products.

DNS is an absolute priority. It’s essential to secure his strategic domain names by using highly secured DNS, so you can have a high permanent availability.

Nameshield offers a DNS Premium solution to gain performance and assure 100% availability.

 

Let’s talk about DNSSEC

DNSSEC has taken shape, and has become essential in security process recommended by ANSSI as well as the web in general. And yet, it’s a barbaric term that is often scary as we don’t know how it works and what it’s used for. This article will focus on clarifying this term.

The Domain Name System Security Extensions is a standardized protocol of communication allowing to resolve security problems related to DNS. We will begin by a reminder of what is the DNS.

What is the DNS?

Simply put, the Domain Name System is quite like an Internet directory. It’s a service translating a domain name into IP addresses. It relies on a data base distributed to millions of machines. Humans identify, memorize and differentiate more easily names than series of numbers. The DNS has been defined and implemented in the 80’s and has become an essential element of Internet.

 

How does the DNS work?

The DNS will allow web user to inform a domain name in his web browser to access a website. The browser will then “resolve” this domain name to obtain the IP address of the web server which hosts this website and displays it. We call this the “DNS resolution”.

 

DNS resolution 

 

What are the risks related to the DNS?

If the DNS goes down, your websites and emails are going to be unavailable, which is unthinkable nowadays. Other applications can be impacted in the companies: VPN access, intranet, cloud, VOIP… all that potentially needs a names resolution to IP addresses. DNS must be protected and stay highly available.

If the DNS protocol has been created with security in mind, many security flaws of the DNS protocol have been identified since its creation. The mainly flaws of DNS have been described in the RFC 3833 published in August 2004. Queries package interception, fake answer, data corruption, DNS cache poisoning and Denial of service.

To deal with this vulnerability, DNSSEC protocol has been created.

 

DNSSEC issues

DNSSEC prevents these different attacks, particularly cache poisoning, by securing the integrity of the DNS resolution. DNSSEC issues are:

  • How to secure the data integrity and authenticate DNS (resolver, server with authority) and keep backward compatibility with the DNS at the same time.
  • How to secure access security at the resource asked to billions web users?
  • How to find a solution light enough so it won’t surcharge names servers?

 

DNSSEC process

To secure the integrity of the DNS resolution, DNSSEC develops a chain of trust that goes back to the DNS root (refer to the DNS root server image above). Data security is done by keys mechanism (KSK for Key Signing Key & ZSK for Zone Signing Key) which signs DNS records in its own zone. Public keys are sent to the corresponding register to be archived; the register being linked by DNSSEC to the root server, the chain of trust is developed. Each DNS parent zone ensures the keys authenticity of its child zones by signing them.

 

Without DNSSEC                                  With DNSSEC

DNSSEC process

DNSSEC, Nameshield and you:

DNSSEC operates like an essential protection for your strategic names, which secures DNS’ answer authenticity. It would be advisable to identify names that need to be protected. All TLDs don’t propose DNSSEC yet. Here is a list of principal TLDs that does, it can change with many more coming:

TLDs supporting DNSSEC: .fr, .com, .be, .net, .eu, .pl, .re, .pm, .yt, .wf, .tf, .info, .li, .ch, .biz, .de, .sx, .org, .se, .nl, .in, .us, .at, .nu, .la, .ac, .cz, .me, .sh, .io, .uk, .co.uk, .me.uk, .org.uk.

All news gTLDs, like .paris, .club, .xyz, .wiki, .ink, support also DNSSEC.

DNSSEC is included without supplement in Nameshield DNS Premium offer. Nameshield supports you in this process to secure your immaterial assets and manages the integrality of the DNSSEC protocol for you, from keys creation, to storage and renewal.

It’s not the only answer to set, registry lock system, DNS Premium service, SSL certificates are complementary solutions to implement, we will have the opportunity to discuss it in other articles or in the next nameshield.cafe.

 

Towards a 100% encrypted web, the new challenges of HTTPS

Between Mars, 2016 and Mars, 2017, Let’s Encrypt has issued 15 270 SSL certificates containing “PayPal” term, 14 766 of these certificates were issued for domains leading to phishing websites. It’s the result of the recent analysis led by Vincent Lynch, SSL expert.

 

Paypal fake or real

 

Lynch was closely interested in this case, after an interesting article published by Eric Lawrence (Google Chrome Security Team) in January 2017, the image above is from this article named “Certified Malice “which exposes deceitful SSL certificates and counts “only” 709 cases for PayPal and much more for big American brands: BankOfAmerica, Apple, Amazon, American Express, Chase Bank, Microsoft, Google…

What’s the impact on web users?

In January 2017, Google and Mozilla have updated their browser with Chrome 56 and Firefox 51, and a major change has appeared for web users: “Secure” and “Not secure” have appeared in the address bar.

In 2015, the initiative Let’s Encrypt, supported by big names of Internet (EFF, Mozilla, Cisco, Akamaï…) was created with the purpose of massively and freely spreading SSL certificates to the whole world. One year and a half later, Let’s Encrypt issued millions of certificates and other initiatives have followed.

Who says free, says few or no verification for delivering certificates, and an army of cybercriminals who rush towards these certificates to secure their illicit contents: phishing, malware… and show the term “secure” on their address bar. How can the random web user easily differentiate between real and fake?

For reminder, there are three verification levels for certificates allowing to show HTTPS: Domain Validation (DV) considered as low authentication, Organization Validation (OV) with high authentication and Extended Validation (EV) with strengthened authentication.

Free certificates are DV, and represent almost 90% of certificates, most of the time on “small” websites. OV certificates (9%) and EV certificates (1%) are fewer but protect almost all websites with high traffic. GAFA (Google, Apple, Facebook, Amazon), are all in OV or EV for example.

SSL Certificates - DV OV EV

The problem for web user is the lack of distinction in browsers between DV and OV certificates. These two types are shown the same way, as being “secure”, but EV certificates display the name of the certificate’s owner in the address bar.

By looking at the image at the beginning of this article, we understand easily the concern on EV for PayPal: to easily differentiate real from fake. This is the reason why Nameshield will systematically advise the use of EV for display website, in particular for their clients exposed to cybersquatting, phishing or counterfeit.

 

Two forces opposed for the future of HTTPS

Sadly, things aren’t so simple, and where logic would like to differentiate clearly between the three types of certificates, or at least two types (DV/OV), Google disagrees and wishes, on the contrary, to suppress the EV display altogether. Chris Palmer (Senior Software Engineer for Chrome) subtly confirms this point in his article published here.

Today we are in a situation where Historical Certification Authorities, Microsoft and to a smaller extent, Apple, are facing Google, Mozilla and Let’s Encrypt in a perspective resumed here:

 

Google/Mozilla/Let’s Encrypt perspective:

 

HTTP = not secure

 

HTTPS = secure

Historical Certification Authorities/ Microsoft/Apple perspective:

HTTP = not secure

HTTPS DV = no sign in the address bar

HTTPS OV = secure

HTTPS EV = company’s name in the address bar

 

Inside the higher authority of SSL, the CAB/Forum, the discussion is still opened at this moment. We can easily understand that Certification Authorities look unfavorably at the end of the visual distinction between DV/OV/EV in browsers, it’s their purpose to deliver certificates with high authentication, but is it wrong? It’s to reassure the web users by securing the identity of the website they visit.

In the opposite, Google and Let’s Encrypt don’t hesitate to say that phishing and guarantee of website content, don’t depend on Certification Authorities, and that there are other systems responsible for that (for example, Google Safe Browsing). Therefore we have to have a binary perspective: exchanges are encrypted and inviolable (= HTTPS = secure) or they aren’t (= HTTP = not secure). We can simply wonder by this perspective, which defends itself, if it’s not a semantic problem of the used term “secure” instead.

What does “secure” mean for web users? By seeing “secure” in their address bar, do they enter their login/password or credit card numbers? We can think that yes, they do, and in this case, actual risk does exist. Kirk Hall (Director Policy and Compliance – SSL, Entrust) has done a noticed intervention at the last RSA conference on this subject (if you have time, the record is here).

You can’t neglect financial industry weight and big companies which look unfavorably at the growth of fraud online risk, Google can’t ignore that.

 

How to reassure web users?

For the time being, we can only encourage you to choose Extended Validation certificates for your display websites and/or your e-shop in order to facilitate web users’ tasks and to stay informed of what’s going on on the web. To reassure and educate web users by mentioning on your website the choice you have made in security and authentication.

As you probably monitor domain name registrations on your brands, today you can also monitor certificates registrations so you can react quickly.

And as web user, when the term “secure” is mentioned in the address bar, systematically control the certificate’s details to see who the owner is.