$1B Market for Meddling With DNS Poses Security Problem

June 24, 2008 – 6:13 AM

The interception of Internet traffic to snoop on phone calls or track surfers’ behavior is a hot topic — but what’s keeping members of ICANN’s Security and Stability Advisory Committee up at night is the interception of traffic to and from sites that don’t even exist. They explained why in a session at ICANN’s public meeting in Paris on Monday.

There are still a few possible domain names out there that have not yet been registered, and if you accidentally type one of them into your browser’s address bar, you ought to receive an error message from the Domain Name System (DNS) signalling that the domain does not exist.

What happens to those error messages is of concern to SSAC’s members, who advise on the security and integrity of the domain name systems that the Internet Corporation for Assigned Names and Numbers (ICANN) coordinates.

Some ISPs (Internet service providers) and domain name registrars see the error messages as a missed opportunity to “help” their customers find the site they are looking for — and to make a little money on the side. They do this by intercepting the error messages and modifying them to point to a Web site that they control, typically carrying advertisements related to the domain name typed.

“There’s a perceived $1 billion market for domain error resolution,” said Dave Piscitello, ICANN’s senior security technologist.

Piscitello has a whole list of reasons why ISPs and registrars should not be allowed to profit from people’s typing errors in this way.

Top of his list is that they may open up security holes in users’ computers: Security researcher Dan Kaminsky demonstrated in April that he could exploit the error message redirection system used by U.S. ISP Earthlink to execute his own JavaScript. Kaminsky revealed his findings when Network Solutions, a domain name registrar, began operating a similar redirection service.

Such security flaws would be bad enough if a user had typed, say, “yorubank.com” instead of “yourbank.com”. But if the user had typed the address of nonexistent server “ww.yourbank.com” instead of “www.yourbank.com”, an attacker could execute malicious JavaScript on the redirected page as if it came from the bank itself, perhaps stealing their credentials.

Read the rest of the story…

You must be logged in to post a comment.