Page last updated at 09:01 GMT, Tuesday, 15 June 2010 10:01 UK

Technology milestone heralds a more secure internet

By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

The system could close the loophole that redirects web users to fake sites

Moves to make the web's address system more secure will take a major step forward next month.

In the planning for a decade, the Domain Name System Security Extensions (DNSSEC) will help protect users from cyber attacks such as phishing and spam.

The security layer will be added to the web's address system in July.

It should close the loophole that allows hackers to intercept DNS data and redirect users to fake websites.

The Domain Name System (DNS) was created in 1984 to allow computers to 'read' net domain names but it had no security features, offering rich possibilities for criminals.

"DNSSEC will improve the security of the web so we can have more confidence in the activities on the network as it increasingly becomes part of our working lives and home lives," said Leslie Daigle, the chief internet technology officer at the Internet Society, which is the home of the standards body that developed DNSSEC.

The new security extension, DNSSEC, basically works by using cryptography and digital signatures to verify each query and ensure that each response that is made has not been compromised or intercepted.

Cyber-criminals are increasingly using false DNS servers to intercept legitimate web addresses and redirect users to fake sites, which steal personal information.

"It acts like tamper-proof packaging to make sure if you type in the website name of your bank that you actually get to the machine that your bank wants you to use and not to a machine that looks like that of your bank but is operated by those who want to take you to a different website to steal your log-in details," said Ms Daigle.

'Security puzzle'

The reason this move is being seen as a "technological milestone" in shoring up the web is because, although not visible to most users, DNS is an essential part of the way the internet works.

It acts as the net's address system or phone book by translating website addresses like into the numerical equivalents preferred by machines.

The DNSSEC protocol is being overseen by the Internet Corporation for Assigned Names and Numbers (Icann), which is the administrative body behind net addresses.

It is working with domain-name registrars and root nameservers - which are at the heart of translating web addresses into IP addresses - to make sure the process runs smoothly.

However, Ms Daigle told the BBC that DNSSEC cannot solve all the evils perpetrated by cyber-criminals, and that the best practices people have been using should not be abandoned.

"It is a piece of the security puzzle and while it does build better security around everything people are doing on the internet, users should not become lax in how they protect themselves online," she said.


One of the greatest critics of the security of the Domain Name System has been Dan Kaminsky, chief scientist at security firm Recursion Ventures.

In 2008 he went public with a flaw that he found in the DNS which meant the internet was at the mercy of phishing gangs who could redirect internet users to fake bank sites to steal their personal information.

This issue became known as the "Kaminsky bug" and is often referred to as cache poisoning.

Mr Kaminsky told the BBC that even though he was initially sceptical of the efficacy of DNSSEC, he has examined the code carefully and has become a recent convert, having declared it "awesome" in its ability to provide a "safer and more secure internet".

"The basic flaw of the internet is one of trust and this will revolutionise the way we use the internet.

"In my mind the biggest benefit we will get concerns one of the biggest embarrassments in the security sector and that is secure email where it will be truly possible to know that when you get an email from your bank, it really is your bank," said Mr Kaminsky.

The Internet Engineering Task Force's Ms Daigle agreed and called DNSSEC "an essential building block for building a larger internet future" that will allow us to take on "bigger activities and carry out new applications".
