I've been writing about DNSSEC and the many security vulnerabilities of the Internet for over a year. It has been frustrating to see the security situation worsen when a solution - DNSSEC - has been adopted at such a slow pace.
I think part of the reason for slow adoption is lack of awareness. Another is that DNSSEC is not apparent to users. But that is about to change.
Mozilla Firefox now offers a browser add-on that adds a key icon to the address bar when the site's domain is signed with DNSSEC. The add-on can be found here. The icon gives you a visual cue so that DNS redirection, man-in-the-middle attacks, and cache poisoning do not go undetected.
The key is green if the site is authenticated using DNSSEC. This is what the .ORG site PIR.org, which has been signed since last June, looks like:
And of course my company site, the only DNSSEC vendor other than open source ISC to have deployed DNSSEC:
The green key indicates that this site is signed by a valid signature and the Chain of Trust is validated by the resolving DNS server - it is authenticated. Click here to see why this is important.
The key is orange if the domain is signed with a valid DNSSEC signature but the chain of trust is not validated by the resolving DNS server. This could indicate a partial DNSSEC deployment (for example, no DS record in the parent zone) or a resolver that does not perform validation at all; either way the signatures have not been checked, so you cannot trust the DNS answer. So I would get out of there.
The key is red if the domain's DNSSEC signatures fail validation. This could be caused by the DNSSEC signatures having expired, or by the IP address the browser connected to not matching the address in the validated DNS answer. Enter at your own risk! I'd cancel my browser session if I were you.
Clicking on the key provides more information about the site's security state. But the simple rule is "if it ain't green don't trust it". Sites that have not adopted DNSSEC will not show a key at all, so you should be cautious. If the site is important to you it would be worth inquiring about their DNSSEC adoption status.
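The four states described above (green, orange, red, and no key) map onto things a DNSSEC-aware client can read out of a resolver's reply: the AD (Authenticated Data) header flag means the resolver validated the chain of trust; RRSIG records present without AD means the zone is signed but nobody validated it; a SERVFAIL that turns into an answer once the CD (Checking Disabled) bit is set means the data exists but failed validation; and no RRSIGs at all means the zone is unsigned. The following is an added example, not code from the CZ.NIC add-on or from this post. It builds and parses DNS wire messages by hand so it runs offline against constructed sample responses; the domain, addresses and the placeholder RRSIG contents are made up, and the "connected address must match the validated answer" rule is this post's description of the red state, not necessarily the add-on's exact logic. A real client would send build_query() over UDP to a validating resolver and feed the reply bytes to parse_response().

```python
"""Classify DNS answers the way a DNSSEC browser indicator does (added example)."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(name, qtype=TYPE_A, txid=0x1234, cd=False):
    """Query with EDNS0 OPT record and DO bit set, so RRSIGs are returned."""
    flags = 0x0100 | (FLAG_CD if cd else 0)           # RD, optionally CD
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode()
                     for l in name.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return hdr + qname + struct.pack("!HH", qtype, 1) + opt


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Return header facts and (section, name, type, rdata) for every record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                       # qtype + qclass
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"id": txid, "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "records": records}


def build_response(query, rcode, ad, a_addr=None, signed=False):
    """Constructed sample reply to `query` (not a real capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode    # QR, RD, RA
    qsec = query[12:query.index(b"\x00", 12) + 5]      # question name+type+class
    answers, ancount = b"", 0
    if a_addr:                                         # A record, name -> pointer to question
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(a_addr)
        ancount += 1
    if signed:                                         # placeholder RRSIG; only its presence matters
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 3, 300, 1700000000, 1699000000, 12345)
        rdata += b"\x00" + b"\x00" * 64                # signer name (root) + dummy signature
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
        ancount += 1
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + qsec + answers


def classify(normal, cd_resp, connected_ip):
    """normal: reply to a DO=1 query; cd_resp: same query with CD=1 (or None)."""
    if normal["rcode"] == RCODE_SERVFAIL:
        # Data that only appears once checking is disabled failed validation: bogus.
        if cd_resp is not None and cd_resp["rcode"] == RCODE_NOERROR:
            return "red"
        return "error"
    if normal["rcode"] != RCODE_NOERROR:
        return "error"
    answers = [r for r in normal["records"] if r[0] == "answer"]
    addrs = {socket.inet_ntoa(r[3]) for r in answers if r[2] == TYPE_A}
    signed = any(r[2] == TYPE_RRSIG for r in answers)
    if normal["ad"]:
        # Validated, but the browser must have gone to an address the answer vouches for.
        return "green" if connected_ip in addrs else "red"
    return "orange" if signed else "none"


def demo():
    """Run the four indicator states over constructed replies for www.example.com."""
    q = build_query("www.example.com")
    green = parse_response(build_response(q, RCODE_NOERROR, True, "192.0.2.10", signed=True))
    orange = parse_response(build_response(q, RCODE_NOERROR, False, "192.0.2.10", signed=True))
    unsigned = parse_response(build_response(q, RCODE_NOERROR, False, "192.0.2.10"))
    servfail = parse_response(build_response(q, RCODE_SERVFAIL, False))
    with_cd = parse_response(build_response(q, RCODE_NOERROR, False, "192.0.2.10", signed=True))
    return {"validated": classify(green, None, "192.0.2.10"),
            "redirected": classify(green, None, "198.51.100.7"),
            "signed_not_validated": classify(orange, None, "192.0.2.10"),
            "unsigned": classify(unsigned, None, "192.0.2.10"),
            "bogus": classify(servfail, with_cd, "192.0.2.10")}


if __name__ == "__main__":
    for state, colour in demo().items():
        print(f"{state:22s} -> {colour}")
```

Two caveats a practitioner should keep in mind: the AD flag is only meaningful if the path between you and the validating resolver is trusted (a spoofed reply can set AD just as easily as it can forge an A record), which is why the add-on did its own validating lookups rather than trusting the system resolver; and the CD=1 probe is what distinguishes "bogus" from an ordinary resolver outage, since both produce SERVFAIL on the normal query.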
This free Mozilla add-on was developed by Ondrej Sury and Zbynek Michl of CZ.NIC, the .cz domain registry in the Czech Republic. I met Ondrej a year and a half ago at Internet Dagarna in Stockholm. CZ.NIC is a leader in DNSSEC and ENUM adoption and I would like to see them get some credit for developing a very worthwhile application that I believe will become ubiquitous for internet users.
After all, why would you visit a site that was not authenticated by DNSSEC (and therefore could be a fake site or could allow a man-in-the-middle attack) if a competitor's site was authenticated? Why would you bank online with an institution that was not authenticating its site, a trivial expense for the bank?