Protect & Advance Your .ORG
Lance Wolak, Director of Marketing, Public Interest Registry
with Special Guest, Ram Mohan – CTO for Afilias Ltd.
20 March 2008 – 3:30pm EST

• Trends in the .ORG Community
• Domain Protection Strategies
• Internationalized Domain Names: Are they for you?
• DNS Security: Securing Your Core Internet

Protect & Advance Your .ORG: Trends in the .ORG Community

About .ORG
• One of the original top-level domains (TLDs), .ORG has become the registry of choice for organizations dedicated to serving the public interest
• .ORG is where people turn to find credible information, get involved, fund causes and support advocacy.

Do You See These Trends?
• Being “Green” is good again
  - Green has become a moniker for a larger trend: caring about people, environment, and making a difference.
• Online social networks playing a key role in communications and fundraising

Do You See These Trends?
Convergence and dis-intermediation in media:
• Organizers can now connect and communicate directly with participants
• Individuals and small organizations can perform and accomplish like large organizations

One Laptop Per Child (LaptopGiving.Org)
A growing community of people working to create a connected, educated, enlightened future for the world's most essential resource—its children.
- Nicholas Negroponte, Founder and Chairman, One Laptop Per Child

.ORG and Global Trends
Well Represented on .ORG
• Green Movement / Environmental Advocacy
• Social Networking
• Corporate and Individuals “Doing Good”

.ORG is considered the international brand of “Doing Good”
Your .ORG address makes this international brand your brand

www.makeitrightnola.org
“People down here call it ‘the fight of their lives’.” - Brad Pitt, MIR Founder

Protect & Advance Your .ORG: Domain Protection Strategies

Your .ORG Name Is An Asset
• The value of a .ORG address is unlike that of any other domain
• However, many .ORG domain names expire, for a variety of reasons.
• If allowed to expire, a name can be taken over by another organization and used in ways that are not in keeping with the original owner’s intent.
• The process of third parties obtaining expired domain names has become sophisticated, automated, and increasingly popular.
• The consequences to the original .ORG domain holders can be serious!

Protect Your Brand and Your .ORG Identity
• Consider purchasing .ORG domain names for more than just your company name:
  - Register a .ORG for your major products and services
  - Register a .ORG for your major campaigns/public service efforts
• Consider the consequences if another individual or organization reserved the names:
  - Conflicting information presented to the public?
  - Damaging content presented to the public?

What To Do?
• Don’t lose control of the .ORG assets - be sure to renew your domain names on schedule.
• Protect your brand and trademarks through new domain name registrations
• Verify protection of all your domain names

6 Steps to Verifying Protection of Your .ORG Names

1. Verify Registration of your .ORG
• A simple visit to the WHOIS database at .ORG’s Web site (pir.org) is a good first step. There you can view the name of the registrant, administrative contact, and technical contact for your .ORG domains. You can also find the name of the registrar through which your .ORG domain was registered.

2. Verify and update your .ORG Administrative Contacts
• Consider making it organizational policy to regularly verify and update .ORG domain name information.

3. Check that email contact data is valid
• If you can’t be reached by e-mail, it’s possible your domain name will expire without your knowledge. Therefore, it’s essential that the e-mail addresses on file with your registrar be current.

6 Steps to Verifying Protection of Your .ORG Names

4. Consolidate your domain name management
• Today it’s easier than ever to transfer domain names from one registrar to another registrar, which helps simplify management of .ORG domain names.

5. Register your .ORG for the maximum term length
• .ORG domain names can be registered or renewed in one transaction for up to 10 years. Consider reserving yours for the maximum period of time.

6. Request a Lock on your domain name
• Prevent unauthorized transfer of your domain name to a third party.

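Steps 1, 3, 5 and 6 as an automated check (an added example, not part of the original slides): it parses a WHOIS record and reports a near expiry date, a missing transfer lock and missing contact e-mail. The record is constructed, and the field names are an assumption about what your registry's WHOIS output looks like.

```python
from datetime import datetime, timezone

# Constructed sample record, not real registry output. Field names are an
# assumption about the WHOIS layout; adjust them to what your registry returns.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registry Expiry Date: 2008-06-01T04:00:00Z
Registrar: Example Registrar, Inc.
Domain Status: ok
Registrant Email:
Admin Email: webmaster@example.org
Tech Email: it@example.org
"""

EMAIL_FIELDS = ("registrant email", "admin email", "tech email")

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (e.g. Domain Status) become lists."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def audit(text, today, warn_days=90):
    """Return a list of finding codes for one WHOIS record."""
    rec = parse_whois(text)
    findings = []
    expiry = rec.get("registry expiry date", [""])[0]
    if not expiry:
        findings.append("NO_EXPIRY_DATE")
    else:
        when = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if (when - today).days < warn_days:
            findings.append("EXPIRES_SOON")
    # A registrar lock shows up as a *TransferProhibited status value.
    if "transferprohibited" not in " ".join(rec.get("domain status", [])).lower():
        findings.append("NO_TRANSFER_LOCK")
    for field in EMAIL_FIELDS:
        if not any("@" in v for v in rec.get(field, [])):
            findings.append("MISSING_EMAIL:" + field)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WHOIS, datetime(2008, 3, 20, tzinfo=timezone.utc)):
        print(finding)
```
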
Protect & Advance Your .ORG: Internationalized Domain Names (IDN)

WHY DO YOU CARE?
• For all companies, from local businesses to global enterprises, establishing a presence on the Internet is essential.
• IDNs allow companies to effectively reach markets in their customers' local language.
• IDNs help companies protect their online brand identity.
• IDNs enable you to extend and protect your online identity in local markets around the world.
• Reach your target markets in your customers' preferred language and script by eliminating the need to translate or transliterate your brand into English characters for use as an Internet address.

Protect & Advance Your .ORG: Securing Your Core Internet Infrastructure Using DNSSEC
Ram Mohan
rmohan@afilias.info

Agenda
• Getting Started
• Why Care About DNS
• What Can Go Wrong
• A Survival Guide
• Why Techies Created DNSSEC
• What Can Happen Without DNSSEC
• Why Should Non-Profits Care
• Consequences
• What You Can Do
• Q&A Session

Why Care About the DNS
• Do You Care About Web & Email?
  - DNS decides if your site can be reached
  - DNS determines if your email can be delivered or read
• Do You Care About Outages?
  - DNS mismanagement can result in “Internet outages” even if your Internet connection is working
• Do You Care About Security?
  - DNS unsecured can allow visitors to your site to be hijacked

When downtime is not an option, Secure DNS makes a huge difference

What The DNS Does For You
• Tells machines where to go when you:
  - Type in a web address
  - Send an email

[Diagram: User, ISP, Name Server Operators; Resolver, Cache, Name Server]
• Resolver: Am I online? Where should I go to get my answer? - My local Internet Service Provider
• Cache: Do I already have the answer? - Send the answer back to resolver. Else, contact Domain Name Server
• Name Server: Find the IP address. Send it back

Why Attack the DNS
• Anti-Spam and anti-phishing technologies
  - Technologies that use the DNS to mitigate spam and phishing: $$$ value for the ‘Bad Guys’, stolen identity
• NewsTickers, RSS feeds
  - Usually no source authentication, but supplying false news information via a news ticker or via a news feed can have $$$ benefit for attacker
• ENUM
  - Mapping telephone numbers to services in the DNS
  - As soon as there is some incentive

Adapted from: “DNS Security Technical Overview”, Russ Mundy, 2005

What Can Go Wrong
• Forgery
  - The DNS data being returned to your ISP can be forged
  - Especially easy on a wireless network
  - Result: You are transported where you did not mean to go
• Poisoning
  - The DNS data can be modified
  - Causes your ISP’s cache to have valid but wrong information on where to go
• Eavesdropping
  - Can intercept your DNS data and just “listen” before passing on
• Other things that can go wrong:
  - Alteration of zone data
  - Impersonation of master/cache
  - Unauthorized updates

2005 ISP Attack
• In March-April 2005, users of an ISP had specific spyware, spam and pay-per-click trojans, from redirection sites
• The ISP’s cache had hundreds of DNS names spoofed…
  - AmericanExpress.com
  - FedEx.com
  - CitiCards.com
  - DHL-USA.com
  - Sabre.com

Source: Allison Mankin

DNSSEC Explained
DNSSEC = DNS Security Extensions
• DNSSEC is the Internet’s answer to DNS Identity Theft
  - It protects users from DNS attacks
  - It makes systems detect DNS attacks
• Almost everything in DNSSEC is digitally signed
  - Allows authentication of the ORIGIN of the DNS data
  - Ensures INTEGRITY of the DNS data
• Digitally signed = “Public Key Cryptography”
  - Secret Private Key, Open Public Key
  - DNS Messages are scrambled using the Private Key – the Public Key is needed to unscramble it [a.k.a. “SIGNING”]
  - You now know WHO sent the message (since private key is unique)
  - If data is MODIFIED, mangled, or otherwise compromised en-route… the signature is no longer valid

The Chain of Trust
If I trust a public key from someone, I can use that key to verify the signature … and authenticate the source
• Make sure the root zone key can be trusted
• Pointers in the root zone point to lower zones (com/org/info/de etc)
• Each pointer is validated with the previous validated zone key
• Only the key for the root zone is needed to validate all the DNSSEC keys on the Internet
• How to update these keys and propagate them is not done yet

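The pointer from a parent zone to a child zone is a DS record, a digest of the child's public key (RFC 4034). This added example, not part of the original slides, walks that digest chain from a root trust anchor down to a constructed example.org. The key bytes are constructed placeholders, and the RRSIG signature check that protects each DS record is assumed rather than performed.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical DNS wire form: lowercase, length-prefixed labels, zero terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, protocol=3, algorithm=8):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """What a parent publishes for a child key: (key tag, SHA-256 digest)."""
    return key_tag(rdata), hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def validate_chain(trust_anchor, zones):
    """zones: (name, key rdata, DS for the next zone), from the root downward.
    Returns None if every key matches, else the first zone that fails."""
    trusted = trust_anchor
    for name, rdata, child_ds in zones:
        if make_ds(name, rdata) != trusted:
            return name
        # Assumption: child_ds carries a valid signature by the key just
        # checked; verifying that RRSIG is outside this sketch.
        trusted = child_ds
    return None

def sample_chain(served_org_key=b"constructed org key"):
    """Constructed placeholder keys, not real DNSKEY material."""
    root = dnskey_rdata(b"constructed root key")
    org = dnskey_rdata(b"constructed org key")
    leaf = dnskey_rdata(b"constructed example.org key")
    anchor = make_ds(".", root)
    zones = [(".", root, make_ds("org", org)),
             ("org", dnskey_rdata(served_org_key), make_ds("example.org", leaf)),
             ("example.org", leaf, None)]
    return anchor, zones

if __name__ == "__main__":
    print(validate_chain(*sample_chain()))                      # intact chain
    print(validate_chain(*sample_chain(b"substituted key")))    # forged org key
```
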
What You Can Do
• Talk to your web site host provider or technical provider about “Signing your zone” with a DNSSEC key
  - This will automatically protect visitors to your website from being hijacked
  - It will increase the perception and reality of security for your organization
• Sign up with PIR to become a secured DNS pioneer
  - Eliminate DNS identity theft
  - Ensure safety for your clients
  - Improve your branding

Technical Reading & Participation
• What to read:
  - Introductions: www.dnssec.net
  - Tutorials: http://www.ripe-ncc.org/training/dnssec/material/
  - How to deploy: www.dnssec-deployment.org
• Other material:
  - http://www.nlnetlabs.nl/dnssec/
  - http://www.ripe.net/disi/
• Technical Mailing Lists:
  - dnssec@cafax.se - operators and developers working on dnssec
  - namedroppers@ops.ietf.org - DNS protocol development
  - dnsop@cafax.se - operational DNS issues
  - techsec@ripe.net - European Technical Security working group
  - dns-wg@ripe.net - European DNS working group

Technical Details behind DNSSEC
• AUTHENTICATES every set of DNS data – this is called a DNS Resource Record set, or RRs
  - (A records, MX records, DNAMEs, etc, etc)
• Authenticates absence of DNS data
  - xyz.nten.org does not exist
• Creates four new DNS record types
• Validates using Chain Of Trust
  - Each answer is signed
• DNSSEC:
  - Provides no CONFIDENTIALITY of DNS data
  - No protection against Denial of Service attacks
• SSL, IPSec are not enough