Fred Avolio's Weblog
musings on security and other topics

Tue, 23 Sep 2003
Domain Redirect Fuss

It’s been in the news. Maybe you’ve read it. It’s been the topic of various Internet mailing lists. Maybe you wonder “What’s all the fuss?” Let’s look at it allegorically.

What if the technology existed for someone to intercept all telephone calls in an exchange not owned by anyone else? My phone number is 410-309-6910 (6911 is fax). Suppose no one actually owns 6912 and 6919. If someone misdials my number they’ll get someone else. Maybe that someone will have a recording that says simply “Press ‘1’ to send a fax. Press ‘2’ to talk to an attendant.” What is the harm? Faxes meant for me could be easily misdirected. Calls intended for me could be answered by someone who might redirect business to a competitor. I lose the potential client. The potential client loses me. Maybe.

Check it out. Click on www.avolio.cm. (Note, “com” is misspelled.) You get an error. Now, click on www.aviolo.com. My domain name is misspelled. But Verisign “owns” .com, and so helpfully intercepts it. Not as bad as whitehouse.com instead of whitehouse.gov. (And I purposely do not include the links… the “.com” address is a porn site.) It even suggests you may have meant my site. So, what’s the fuss?

The main problem – from a security perspective, anyway – is that DNS information is expected to be accurate. (The Domain Name System, among other services, translates www.avolio.com to its actual IP address, for example.) E-mail servers, such as mine, depend on getting a response of “no such name” to make antispam decisions. Again, think of the above telephone allegory. E-mail directed to me should get to me. E-mail directed to fred@aviolo.com should, for now, bounce. What if someone claimed to be the mail server for “*.com”? That is effectively what Verisign is doing for .com and .net.

DNS depends on correct DNS responses, not responses geared to make the life of web surfers easier.
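
An added example, not part of the original post: a sketch of how a mail server's sender-domain check can recover "no such name" when a registry wildcards a TLD, by probing random labels and discounting the address they all return. The resolver callables, the sample zone data and the documentation-range addresses are constructed for the demonstration, and the check is simplified to A records.

```python
import secrets
import socket

def system_resolve(name):
    """Return the set of IPv4 addresses for name, or an empty set if none."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def naive_exists(domain, resolve=system_resolve):
    """The pre-wildcard check: any answer at all means the domain exists."""
    return bool(resolve(domain))

def wildcard_addresses(tld, resolve, probes=3):
    """Addresses a TLD returns for names that cannot plausibly be registered."""
    seen = set()
    for _ in range(probes):
        # A random 32-hex-character label is, for practical purposes, unregistered.
        seen |= resolve(f"{secrets.token_hex(16)}.{tld}")
    return seen

def sender_domain_exists(domain, resolve=system_resolve):
    """True only if domain resolves to something other than its TLD's wildcard."""
    answers = resolve(domain)
    if not answers:
        return False  # an honest "no such name"
    tld = domain.rsplit(".", 1)[-1]
    synthetic = wildcard_addresses(tld, resolve)
    # Answers made up only of wildcard addresses are treated as "no such name".
    return not answers <= synthetic

# Constructed zone data for the demonstration (documentation-range addresses).
REGISTERED = {"avolio.com": {"192.0.2.10"}}
WILDCARD = {"com": {"198.51.100.1"}, "net": {"198.51.100.1"}}

def fake_resolve(name):
    """Constructed resolver: registered names answer, .com/.net wildcard the rest."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return set(REGISTERED[name])
    return set(WILDCARD.get(name.rsplit(".", 1)[-1], set()))
```

With the constructed resolver, the naive check accepts the misspelled aviolo.com as a valid sender domain, while the wildcard-aware check rejects it and still accepts avolio.com.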
