posted by CoolHand on Saturday March 03 2018, @02:56PM
from the mandating-diversity dept.

Arthur T Knackerbracket has found the following story:

The world's top eight DNS providers now control 59 per cent of name resolution for the biggest Websites - and that puts the Web at risk, according to a group of Harvard University researchers.

The group was led by Harvard's Shane Greenstein, and warned that since 2011, the "entropy" of the DNS (referring to how widely distributed it is) has fallen, becoming concentrated in "a small number of dominant cloud services companies".

That state of affairs, the group's research paper (PDF) argued, creates fragility if attackers find a weakness in those DNS services.

[...] For the namespaces they measured, the team found the top eight providers grew their market share from 24 per cent to 59 per cent from 2011 to 2017, and the top four went from 17 per cent to nearly 50 per cent.

[...] The other trend they found was that unsurprisingly, in a world awash with easy-to-use cloud services, external DNS hosting has overtaken in-house DNS servers.

For companies worried that this might leave them open to a Mirai-style botnet taking out their DNS provider, the solution is simple, the paper said.

Organisations should diversify their pool of nameservers by taking DNS management services from multiple providers, the paper said. Compared to the costs of a day's downtime, this is "a comparatively costless and therefore puzzlingly rare decision".
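The diversification advice above can be checked against a zone's own NS records. The following is an added example, not code from the paper or the quoted article: the zone and nameserver names are constructed, and both the last-two-labels provider heuristic and the Shannon-entropy measure of concentration are assumptions made here.

```python
import math
from collections import defaultdict

# Constructed sample data (not real zones): zone -> NS hostnames as a resolver returns them.
SAMPLE_ZONES = {
    "shop.example": ["ns1.dnshost-a.example.", "ns2.dnshost-a.example."],
    "bank.example": ["ns1.dnshost-a.example.", "ns1.dnshost-b.example.",
                     "ns2.dnshost-b.example."],
    "news.example": ["ns1.news.example.", "ns2.news.example."],  # in-house
}

def provider_of(ns_host):
    """Assumption: the last two labels of the NS hostname identify the provider.
    A real audit should use the Public Suffix List instead."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def providers_by_zone(zones):
    return {zone: {provider_of(ns) for ns in hosts} for zone, hosts in zones.items()}

def single_provider_zones(zones):
    """Zones whose whole NS set sits with one operator: one outage takes them down."""
    return sorted(z for z, provs in providers_by_zone(zones).items() if len(provs) < 2)

def provider_shares(zones):
    """Each zone splits one unit of weight evenly across its distinct providers."""
    weight = defaultdict(float)
    for provs in providers_by_zone(zones).values():
        for p in provs:
            weight[p] += 1.0 / len(provs)
    total = sum(weight.values())
    return {p: w / total for p, w in weight.items()} if total else {}

def top_n_share(zones, n):
    """Combined share of the n largest providers (the article's 'top eight' figure)."""
    return sum(sorted(provider_shares(zones).values(), reverse=True)[:n])

def shannon_entropy_bits(zones):
    """Lower entropy means resolution is concentrated in fewer providers."""
    return -sum(s * math.log2(s) for s in provider_shares(zones).values() if s > 0)

if __name__ == "__main__":
    print("single-provider zones:", single_provider_zones(SAMPLE_ZONES))
    print("top-1 provider share: %.2f" % top_n_share(SAMPLE_ZONES, 1))
    print("provider entropy (bits): %.3f" % shannon_entropy_bits(SAMPLE_ZONES))
```

To audit real zones, replace `SAMPLE_ZONES` with the NS sets returned by your resolver for each domain you operate.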


  • (Score: 2) by FatPhil (863) on Sunday March 04 2018, @02:45PM (#647624)

    > > Encryption is largely at the mercy of incompetent or malicious certificate "authorities".

    > Oh look, someone who doesn't understand SSL or the issue of trust.

    > I can generate an SSL certificate myself and start encrypting traffic.

    Oh, look, someone who doesn't understand SSL or the issue of trust.

    You can generate your own SSL certificate, and it's indistinguishable from an SSL certificate generated by a malicious third party, as nobody knows the difference between you and Mallory. And don't attempt any inane "but muh public key" response, as if you can't understand that you have a bootstrapping problem, you're more ill-equipped to take part in this discussion than you'd care to admit.

    The trust the traditional, and rightly maligned, CAs provide is that of "I can connect that identity to a bank account, or other payment mechanism, but I'm not going to let anyone know what that connection is, without a warrant". Which is pretty damn useless. But less useless than nothing.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by darkfeline (1030) on Monday March 05 2018, @05:44PM (#648060)

    > You can generate your own SSL certificate, and it's indistinguishable from an SSL certificate generated by a malicious third party, as nobody knows the difference between you and Mallory.

    So how exactly is encryption at the mercy of CAs? Not only can you or I do it, but a malicious third party can do it too. That sounds like the opposite of encryption being at the mercy of CAs to me.

    --
    Join the SDF Public Access UNIX System today!