When you file your taxes online, you want to be sure that the Web site you visit -- www.irs.gov -- is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency.
That’s because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet’s DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites.
DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key cryptography.
With DNSSEC deployed, federal Web sites "are less prone to be hacked into, and it means they can offer their services with greater assurances to the public," says Leslie Daigle, Chief Internet Technology Officer for the Internet Society. "DNSSEC means more confidence in government online services."
The U.S. government's DNSSEC mandate is "significant," says Olaf Kolkman, a DNSSEC expert and director of NLnet Labs, a nonprofit R&D foundation in the Netherlands. "First, the tool developers will jump in because there is the U.S. government as a market…. Second, there is suddenly a significant infrastructure to validate against."
The White House DNSSEC mandate comes just weeks after the July disclosure of one of the most serious DNS bugs ever found.
The Kaminsky bug -- named after security researcher Dan Kaminsky, who discovered it -- allows cache poisoning attacks, in which a hacker redirects traffic from a legitimate Web site to a fake one without the user knowing.
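A practical check that follows from the two paragraphs above: whether a validating resolver actually vouches for an answer (the AD flag) and whether the zone returned signatures at all. This is an added example, not code from the article; it parses constructed, dig-style output with placeholder addresses and signature data rather than a real capture of www.irs.gov.

```python
import re
from dataclasses import dataclass, field

# Constructed sample resembling "dig +dnssec www.irs.gov A" from a validating
# resolver. The address, TTLs and signature fields are placeholders.
SAMPLE_VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.irs.gov.\t300\tIN\tA\t192.0.2.10
www.irs.gov.\t300\tIN\tRRSIG\tA 8 3 300 20081001000000 20080901000000 12345 irs.gov. EXAMPLESIGDATA==

;; AUTHORITY SECTION:
irs.gov.\t300\tIN\tNS\tns1.example.gov.
"""

# Constructed sample for an unsigned zone: no RRSIG, no AD flag.
SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.gov.\t300\tIN\tA\t192.0.2.20
"""

@dataclass
class DnssecStatus:
    name: str
    validated: bool   # resolver set the AD (authenticated data) flag
    signed: bool      # an RRSIG covering the A RRset was returned
    addresses: list = field(default_factory=list)

def parse_dig(output: str) -> DnssecStatus:
    """Extract the AD flag, A records and any RRSIG over them from dig output."""
    m = re.search(r"^;; flags: ([a-z ]+);", output, re.M)
    flags = set(m.group(1).split()) if m else set()
    name, signed, addresses, in_answer = "", False, [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
        if not in_answer or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        name = name or fields[0]
        if fields[3] == "A":
            addresses.append(fields[4])
        elif fields[3] == "RRSIG" and fields[4] == "A":
            signed = True
    return DnssecStatus(name, "ad" in flags, signed, addresses)
```

A signed zone queried through a non-validating resolver shows RRSIG records but no AD flag, so both fields are worth reporting separately.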
White House officials said their DNSSEC mandate has been in the works since February 2003, when the Bush Administration released its National Strategy to Secure Cyberspace. The cybersecurity strategy, which was prompted by the Sept. 11, 2001, terrorist attacks, included the goal of securing the DNS.
Under a separate but related cybersecurity program called the Trusted Internet Connection initiative, the U.S. government is reducing the number of external Internet connections it operates from more than 8,000 to fewer than 100.
The DNSSEC mandate "was issued as a consequence of agencies having completed the initial consolidation of external network connectivity [through the Trusted Internet Connection initiative]," said Karen Evans, administrator for the Office of E-Government and Information Technology at the Office of Management and Budget (OMB), in a statement. "The Kaminsky DNS bug was not a factor."
DNS hardware and software vendors that are scrambling to add DNSSEC capabilities to their products predict the one-two punch of the Kaminsky bug followed by the White House mandate will drive DNSSEC deployment across the Internet.
Comments (9)
"Non-Federal entities using dot-gov" (Anonymous, September 22, 2008, 2:56 pm): How does this affect the non-Federal entities within the .gov domain? Several years ago state (www.idaho.gov) and local (www.columbus.gov) governments started...
"FYI, incorrect info - DNSSEC is now defined in RFCs 4033, 4034 a" (Anonymous, September 22, 2008, 4:32 pm): Great article! You do, though, have the link in your 3rd paragraph on "the Internet standard" pointing to the obsolete RFC 2065 dating from 1997. The standard...
"DNSSEC RFCs" (Anonymous, September 22, 2008, 5:03 pm): Indeed, the DNSSEC RFC mentioned in this article (RFC 2065, January 1997) is heavily outdated. Recent DNSSEC RFCs can be found on the DNSSEC.net website in the RFC...
"hmm" (Anonymous, September 22, 2008, 5:19 pm): and they're now just getting around to doing this? DNSSEC has been around for a bit, wouldn't you say?
"And all those "open" DNS vendors?" (unclesmrgol, September 22, 2008, 6:49 pm): Europe has been laboring mightily to build a capability parallel to the US-provided root domain structure. I'm wondering where they are in this whole effort to...
"Misleading statement" (Anonymous, September 24, 2008, 7:32 am): This statement is not quite true: "With DNSSEC deployed, federal Web sites "are less prone to be hacked into". DNSSEC actually prevents redirect/session hijacking...