Keys to the internet, or DNSSEC

Today I began like any other day with a browse of Google News and was amazed to see that 7 digital keys have been provided to people around the world to ‘reboot the internet’ in the event of a digital catastrophe.

Like many people, my brain went into overdrive… WTF!
So I did some digging to remove the media hype to get to the root of what this was all about.
Let me first reassure you that there is no ‘off’ button for the internet. The internet was designed to withstand this kind of attack and to avoid any central point of control. That’s not to say that someone with malicious intent could not stop you from surfing to google.com, though.
Think about it: when you browse to a website, you start by typing the address into the browser. How many people actually know the IP addresses of their favourite websites? So DNS is a core protocol within the current internet infrastructure. If someone were to take down every DNS root server, it would make life very uncomfortable for users worldwide, but the internet would still be functioning just as normal.
To visualise this, imagine you have a phone book with all of your contacts in there. You depend on this for being able to contact your family, friends, business contacts etc. Now say you lost that telephone book. Unless you have remembered all the telephone numbers (and if so why are you using the address book 🙂 ), you will be stuck when you try to contact your family, friends etc. This doesn’t mean that your phone has stopped working, or that someone has cut the phone lines making it impossible to contact anyone.
This is exactly the same as what would happen if the DNS protocol were somehow attacked. The servers would still be there, but no-one would be able to contact them without the IP address.
So, how does this lead to the stories of ‘keys to the internet’? Well, due to some inherent problems with DNS (such as DNS man-in-the-middle and DNS spoofing), a new specification called DNSSEC has been introduced. This protocol allows digital signing of DNS replies to prove that they were not altered in transit, and helps avoid many of the current DNS issues (think HTTPS/SSL but for DNS queries). In the event of a ‘significant disaster’ that broke the chain of trust that DNSSEC provides, there needs to be a way to reinstate it. The seven key holders each hold a smartcard with part of a cryptographic master key; the parts would be combined to allow re-signing of the root zone and re-establishment of the chain of trust.
So, why all the hype about rebooting the internet?
Well, it made you visit this blog didn’t it? In my opinion that’s the whole point, it helps spread awareness of DNSSEC amongst IT professionals and the general public. The rest of the hype about ‘elders of the internet’ and ‘keyholders to the ENTIRE internet’ is just typical media hype, along with buzzwords such as ‘terrorist attack’ and ‘protect the public’.

XPN Shell – A Python UI for exploit writers

I have just finished my latest little project, XPN Shell. This shell allows Python exploit writers access to a simple shell-like environment and common CLI framework to free the programmer to do what is important, EXPLOITING :).

This is a simple Python module which can be edited or imported from an exploit. I must stress this is a new project, so coding is still in early stages. Please feel free to email me with any feedback or improvement requests. If you do find a use for this, please let me know.

Documentation can be found by running ‘import shell; help(shell)’ in Python. I have tried to cover everything I could think of. There is also a ‘README’ that can be downloaded with the documentation and an example of use.

To download, please use the command ‘git pull git://github.com/xpn/xpn_shell.git’ or visit http://github.com/xpn/xpn_shell

Have fun peeps and keep me updated