ICANN: Meddling with DNS poses security problem

The interception of Internet traffic to snoop on phone calls or track surfers' behavior is a hot topic -- but what's keeping members of ICANN's Security and Stability Advisory Committee up at night is the interception of traffic to and from sites that don't even exist. They explained why in a session at ICANN's public meeting in Paris on Monday.

There are still a few possible domain names out there that have not yet been registered, and if you accidentally type one of them into your browser's address bar, you ought to receive an error message from the Domain Name System (DNS) signalling that the domain does not exist.

What happens to those error messages is of concern to SSAC's members, who advise on the security and integrity of the domain name systems that the Internet Corporation for Assigned Names and Numbers (ICANN) coordinates.

Some ISPs (Internet service providers) and domain name registrars see the error messages as a missed opportunity to "help" their customers find the site they are looking for -- and to make a little money on the side. They do this by intercepting the error messages and modifying them to point to a Web site that they control, typically carrying advertisements related to the domain name typed.

"There's a perceived $1 billion market for domain error resolution," said Dave Piscitello, ICANN's senior security technologist.

Piscitello has a whole list of reasons why ISPs and registrars should not be allowed to profit from people's typing errors in this way.

Top of his list is that they may open up security holes in users' computers: Security researcher Dan Kaminsky demonstrated in April that he could exploit the error message redirection system used by U.S. ISP Earthlink to execute his own JavaScript. Kaminsky revealed his findings when Network Solutions, a domain name registrar, began operating a similar redirection service.

Such security flaws would be bad enough if a user had typed, say, "yorubank.com" instead of "yourbank.com". But if the user had typed the address of nonexistent server "ww.yourbank.com" instead of "www.yourbank.com", an attacker could execute malicious JavaScript on the redirected page as if it came from the bank itself, perhaps stealing their credentials.

"If I were a bank I certainly wouldn't want this happening to me," said Piscitello.

Some registrars reserve the right to place advertisements on error pages, and all that domain name owners can do to prevent it is to choose a registrar that reserves no such right.

"The reason this is so pernicious is that the vast majority of people registering domains at $6.99 couldn't care less," he said.

On the ISP side, users can switch to a service provider that does not redirect -- or hope that a security problem is exposed that causes the ISP to disable its redirection service, rather than simply patch it as Earthlink did after Kaminsky's discoveries.

Although the redirection of error messages to advertisements only concerns Web sites today, Piscitello is concerned it might spread to other uses of the Internet.

"What about modification of mail records or IP telephony records?" he asked. If a VOIP operator tries to route a call to another operator and finds no user bonded to that particular address, "What's to stop me sending the call to a message with an advert or a message saying 'This wouldn't happen if you used my service?'"

"It's going to be ugly because there's a lot of money at stake," concluded Piscitello.