Open security standards are essential for a secure and resilient Internet in Switzerland and protect the privacy of Swiss Internet users. The adoption rate for Internet security standards like DNSSEC, DANE and DMARC in Switzerland is still low compared to the leading countries in Europe, but there is more and more support from the Internet industry, authorities and not for profit organizations in Switzerland.
Why are open security standards so important?
The implementation of open security standards that come out of the Internet Engineering Task Force (IETF), reduce the attack surface of the domain/service owner. But even more important, a growing implementation rate reduces the attack surface of the internet as a whole and makes the life of cyber criminals and state actors more challenging. Open security standards provide different mechanisms to secure our communication on the internet, most important encryption and authentication. Encryption keeps our communication on the internet confidential and prevents third parties from reading our emails and tracking on which web sites users spend their time. Authentication allows us to identify and authenticate our communications partners, it makes sure that we are not on a fake website or send emails or our login credentials to a rogue email server.
To allow protocols to be secured globally, most open security standards are developed by the IETF. Unfortunately standardization is essential for a global deployment, but not enough. This is why the Internet Society (ISOC) has started the Open Standards Everywhere project.
Recommendation by the Swiss National Security Center (NCSC)
The Swiss Government Computer Emergency Response Team (Govcert) has recently conducted a survey on the “Security of the Swiss Domain Landscape” and looked at the implementation of different security standards in Switzerland. The recommendations are clear towards the implementation of DNS based security standards. Govcert also points out that the decision is up to the domain holder and can be difficult.
So what makes it so hard to implement encryption and authentication on the Internet? There are several reasons. One is complexity. But it’s also the fact that there is no single standard that solves all the problems. There are several standards that secure the unprotected standards for DNS, email and the web. Every single one has to be implemented on all platforms that are currently in use, and most of them were not designed to support security when they first came into service. Here is an incomplete list of the most important open security standards:
DNS Security (DNSSEC)
The Domain Name System Security Extension (DNSSEC) is an essential extension to the Domain Name System making sure that DNS answers can be validated for correctness. As DNS is the foundation for all Web and Email Traffic it helps to make sure that your browser finds the website of your bank and your emails are delivered to the right server, preventing hijacking of this traffic at the DNS level. Currently about 6% of all .ch Domain names are secured with DNSSEC, but just recently, hostpoint, one of the major registrars and web hosters in Switzerland has announced to support DNSSEC for its hosting customers. It is expected that this will drive up the rate of signed .ch domains further. Thanks to a 63% DNSSEC validation rate in Switzerland, the owners of these domains and their users will immediately benefit from hostpoints offer if the domain owner enables DNSSEC.
Email Transport Encryption with DANE
90% of the top 1000 .ch domains use STARTTLS to encrypt emails while in transit from the sending mail server to the receiving one. The problem here is that this is only opportunistic encryption, the sending mailserver doesn’t validate the identity of the receiving email server, leaving this communication open for man in the middle attacks. The DNS-based Authentication of Named Entities (DANE) is a technology that, if used for mail server, allows the sending mail server to authenticate the receiving mail server and encrypt emails with the right key. The Swiss hosters hostpoint, infomaniak, netzone, csti und protonmail all support DANE and automatically use it for email encryption for their customers that use their email servers. Domain owners that use their email services should turn on DNSSEC to fully benefit from this technology with signing their zone and with that their MX record, used for mail exchange. DANE is also seeing more attention with Microsoft announcing to support it for their office 365 Exchange Online end of 2020.
Email Authentication (SPF/DKIM/DMARC)
Email is the number 1 attack vector for most successful attacks on the Internet. One big problem is, that it is hard for email recipients to identify and authenticate the sender of an email. Spoofing the sender domain is easy if no countermeasures are taken. The best possible protection from email domain spoofing is the Domain-based Message Authentication, Reporting and Conformance (DMARC) that authenticates the sender domain of an email. DMARC requires two other security standards, SPF and DKIM to work. While 2.9% of all ch domains have a DMARC record, 9% of the top 1000 .ch domains are protected with this technology. It is interesting that the adoption for DMARC is higher with the more “important” and known domains. The question why cannot be easily answered, but known brands are more often used for phishing, so maybe they also need a better protection.
Email Encryption and Authentication (PGP/pEp)
Unfortunately Email encryption on the transport level, and authentication on the domain level does not always give enough protection. To authenticate the sender completely and also protect emails with an end to end encryption there are two standards. One is SMIME that relies on X509 certificates, the other is Pretty good Privacy (PGP). While SMIME is more used on the corporate level, PGP is based on individual keys. PGP was used with technical savy users, but as it was not easy to use it never got a wide adoption. The Swiss pEp foundation has the goal to change that and develops software for Thunderbird and Outlook to allow easy email encryption by automating key generation and exchange. Users that send emails with confidential or sensitive information and want to protect the information also in their inbox, now have another option that is easy to use, thanks to pEp.
DNS over TLS/HTTP (DoT and DoH)
Besides security, Internet users are also more aware of protecting their privacy online. As the DNS requests of Internet users to the recursive resolvers disclose every website a user is looking up in his web browser, the DNS protocol got some extensions to protect privacy. Most important are DNS over TLS (DoT) and DNS over HTTP (DoH). They both encrypt the traffic between the users computer/phone and the recursive resolver to prevent eavesdropping. Implementers here are ISPs that operate recursive DNS (e.g. SWITCH Public DNS) but also so called “public resolvers” that run in the cloud and are operated by global operators like Google, cloudflare or Quad9.
What you can do?
If you want to hear more about open security standards you can join the Swiss Web Security Day, where Dan York from ISOC is giving a presentation about the Open Standards Everywhere Project. Participation for this online event is free, please register here: https://www.eventbrite.de/e/swiss-web-security-day-2020-tickets-97289416263
Are you confused by the many different security standards and wonder how your domain and email is protected? You can test it yourself here at hardenize.
SWITCH Security-Blog 