[At-Large] IDN Variants in the market place
Karl Auerbach
karl at cavebear.com
Fri Jul 20 20:30:20 UTC 2018
There is a widespread misconception about DNS that it is somehow an
authoritative service, by which I mean that if one says "connect to
X.Y.Z" then one is, in fact, going to be connected to X.Y.Z.
That misconception is partially fueled by the "authoritative answer" bit
in the DNS reply packet. That bit merely means that the DNS server that
generated the answer got the information from its own configuration
files rather than overhearing it via the kind of DNS hearsay activity
that occurs within DNS in order to make DNS more efficient.
What you might notice is that the internet architecture is missing a
layer. Way back in the mid 1970s we tried to insert a layer above TCP
and UDP in which there would be an exchange of mutual identification and
credentials proving that identification. Due to security (or rather
paranoia) concerns of certain US government agencies, that layer never
made it into the internet architecture. And, because such a layer tends
to imply a universal authority over the issuance of those credentials,
there was pushback by those who favored a more diffuse internet with
less centralization.
Had that layer been present, then when one tries to connect to "X.com"
after that connection had been established at the TCP level there would
have been an exchange that would prove whether the connection had
reached the desired "X.com" or a homographic (typically with intent to
deceive) different target.
DNS is intended to be a "hinting" system, by which I mean that it gives
information that it (and you) hope is accurate but about which there are
really no guarantees, leaving security as a job for the user to perform.
We see that job being added in later years via TLS certificate chains
(which are often merely tracked back to a known certificate authority,
which is an inadequate test, but it is the test most often done.)
DNSSEC also provides tools so that one can know that the DNS data has
not been modified somewhere, but that does not change the nature of the
address information in DNS resource records being merely a hint.
DNS, because of caching, can never give ironclad promises that
the result you get from your local DNS resolver is utterly accurate.
And with the rise of geo-IP based DNS mappings, the definition of
"accurate" becomes somewhat contextual.
The real answer to homographic deceptions is not really within the realm
of DNS itself, or within ICANN but, rather, would be through the
adoption (at long last) of a proper layer of mutual identification and
authentication either within the transport protocols or between them and
the applications.
None of this is easy - just look at how SSL evolved, and grew, to become
TLS 1.1, 1.2, 1.3 ... And nobody has ever said that DNSSEC is simple.
--karl--
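The point made above about the "authoritative answer" bit can be checked against the wire format. The following is an added example, not part of Karl's post: it parses the 12-byte DNS header (RFC 1035 layout, with the AD/CD bits from RFC 4035), builds a few constructed sample headers, and reports what the AA bit does and does not say. AA only means the responding server answered from its own zone data; a cached answer from a recursive resolver has AA clear, and the separate AD bit is the resolver's claim that DNSSEC validation succeeded, not a promise that the address is the one you wanted. The helper names and the sample packets are assumptions made for this example.

```python
"""Parse the 12-byte DNS header and read the AA / AD flags (RFC 1035, RFC 4035)."""
import struct

# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT -- all big-endian 16-bit fields
HEADER = struct.Struct("!HHHHHH")


def build_header(txid, qr=False, aa=False, tc=False, rd=False, ra=False,
                 ad=False, cd=False, opcode=0, rcode=0, counts=(1, 1, 0, 0)):
    """Assemble a header; used here only to construct sample packets."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8)
             | (ra << 7) | (ad << 5) | (cd << 4) | rcode)
    return HEADER.pack(txid, flags, *counts)


def parse_header(packet: bytes) -> dict:
    """Decode the header flag bits; raises if the packet is shorter than 12 bytes."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(packet)
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),     # answer came from this server's own zone data
        "tc": bool(flags & 0x0200),     # truncated
        "rd": bool(flags & 0x0100),     # recursion desired
        "ra": bool(flags & 0x0080),     # recursion available
        "ad": bool(flags & 0x0020),     # resolver asserts DNSSEC validation succeeded
        "cd": bool(flags & 0x0010),     # checking disabled
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def classify(h: dict) -> str:
    """Say what the flags do (and do not) tell you about the answer's provenance."""
    if not h["qr"]:
        return "query"
    if h["aa"]:
        return "authoritative"          # served from local zone data, not a cache
    if h["ad"]:
        return "recursive-validated"    # cached/forwarded, but signatures were checked
    return "recursive"                  # cached/forwarded, no integrity claim at all


# Constructed sample: response with QR=1, AA=1, one question, one answer.
AUTHORITATIVE_SAMPLE = bytes.fromhex("1234 8400 0001 0001 0000 0000")

if __name__ == "__main__":
    for name, pkt in (
        ("authoritative server", AUTHORITATIVE_SAMPLE),
        ("recursive resolver, from cache", build_header(0x1234, qr=True, rd=True, ra=True)),
        ("recursive resolver, DNSSEC validated", build_header(0x1234, qr=True, rd=True, ra=True, ad=True)),
    ):
        h = parse_header(pkt)
        print(f"{name:38s} AA={int(h['aa'])} AD={int(h['ad'])} -> {classify(h)}")
```

Note that `classify` reports provenance only: even "authoritative" says nothing about whether the zone data itself is what you expect, which is the hinting nature the post describes.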
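The homographic deception the post describes (a name that renders like "X.com" but is a different target) is something an application can at least detect before trusting the DNS hint. The following is an added example, not part of Karl's post: it converts A-labels (`xn--...`) to Unicode, flags labels that mix scripts, and folds a small constructed subset of the Unicode UTS #39 confusables table to compare a hostname's "skeleton" against a list of names the caller trusts. The confusables table, the script classifier and the function names are assumptions made for this example; a real deployment would load the full confusables data and apply the complete UTS #39 rules.

```python
"""Flag IDN homographs: decode A-labels, detect mixed scripts, compare skeletons."""
import unicodedata

# Constructed subset of the UTS #39 confusables (Cyrillic/Greek/Latin lookalikes
# folded to the ASCII letter they resemble). An assumption of this example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u0261": "g",
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL")


def script_of(ch: str) -> str:
    """Coarse script classification taken from the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"                 # digits and hyphen belong to every script
    name = unicodedata.name(ch, "")
    for s in SCRIPTS:
        if name.startswith(s):
            return s
    return "OTHER"


def to_unicode(host: str) -> str:
    """Turn A-labels (xn--...) into U-labels; Unicode input passes through."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def skeleton(label: str) -> str:
    """UTS #39-style skeleton: normalise, fold confusables, normalise again."""
    folded = "".join(CONFUSABLES.get(c, c)
                     for c in unicodedata.normalize("NFKD", label))
    return unicodedata.normalize("NFKD", folded).lower()


def check_hostname(host: str, trusted) -> dict:
    """Report mixed-script labels and confusable matches against trusted names."""
    uhost = to_unicode(host).lower()
    labels = uhost.split(".")
    mixed = []
    for label in labels:
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:            # e.g. Cyrillic 'а' inside an otherwise Latin label
            mixed.append(label)
    host_skel = ".".join(skeleton(l) for l in labels)
    lookalike = None
    for t in trusted:
        t_uni = to_unicode(t).lower()
        t_skel = ".".join(skeleton(l) for l in t_uni.split("."))
        if t_uni != uhost and t_skel == host_skel:
            lookalike = t               # renders like a trusted name but is not it
            break
    verdict = "ok" if not mixed and lookalike is None else "suspicious"
    return {"unicode": uhost, "mixed_script_labels": mixed,
            "lookalike_of": lookalike, "verdict": verdict}


if __name__ == "__main__":
    trusted = ["apple.com"]
    # Constructed inputs: a Latin name, the same name with a Cyrillic 'а',
    # its A-label form, and a legitimate single-script Cyrillic domain.
    for h in ("apple.com", "\u0430pple.com",
              "\u0430pple.com".encode("idna").decode("ascii"),
              "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"):
        print(h, "->", check_hostname(h, trusted))
```

A single-script non-Latin name is not flagged on its own; only a label that mixes scripts, or one whose skeleton collides with a name you already trust, is reported. That is deliberate: the goal is to catch "looks like X.com" rather than to penalise non-ASCII names as such.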