Abstract
Domain Name System (DNS) domains became Internet-level identifiers for entities (like companies, organizations, or individuals) hosting services and sharing resources over the Internet. Domains can specify a set of security policies (such as, email and trust security policies) that should be followed by clients while accessing the resources or services represented by them. Unfortunately, in the current Internet, the policy specification and enforcement are dispersed, non-comprehensive, insecure, and difficult to manage.
In this paper, we present a comprehensive and secure metapolicy framework for enhancing the domain expressiveness on the Internet. The proposed framework allows the domain owners to specify, manage, and publish their domain-level security policies over the existing DNS infrastructure. The framework also utilizes the existing trust infrastructures (i.e., TLS and DNSSEC) for providing security. By reusing the existing infrastructures, our framework requires minimal changes and requirements for adoption. We also discuss the initial results of the measurements performed to evaluate what fraction of the current Internet can get benefits from deploying our framework. Moreover, overheads of deploying the proposed framework have been quantified and discussed.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
A policy agent is a software component that processes and enforces policies. It can be implemented within a user agent (such as a browser) or within a server software that supports a given policy.
References
Alexa. Alexa Top 1 Million Websites (2017). http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
Amann, J., Gasser, O., Scheitle, Q., Brent, L., Carle, G., Holz, R.: Mission accomplished?: Https security after diginotar. In: Proceedings of the 2017 Internet Measurement Conference, pp. 325–340. ACM (2017)
Crocker, D., Hansen, T., Kucherawy, M.: DomainKeys Identified Mail (DKIM) Signatures. RFC 6376 (Internet Standard), September 2011
Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1065–1074. ACM (2008)
Evans, C., Palmer, C., Sleevi, R.: Public Key Pinning Extension for HTTP. RFC 7469 (Proposed Standard), April 2015
Hallam-Baker, P., Stradling, R.: DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844 (Proposed Standard), January 2013
Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). RFC 6797 (Proposed Standard), November 2012
Hoffman, P., Schlyter, J.: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698 (Proposed Standard), August 2012. Updated by RFCs 7218, 7671
Housley, R., Polk, W., Ford, W., Solo, D.: Internet x. 509 public key infrastructure certificate and certificate revocation list (crl) profile. Technical report (2002)
Kitterman, S.: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. RFC 7208 (Proposed Standard), April 2014. Updated by RFC 7372
Kommareddi, A.: Modify Headers for Google Chrome (2017). https://chrome.google.com/webstore/detail/modify-headers-for-google/innpjfdalfhpcoinfnehdnbkglpmogdi
Kranch, M., Bonneau, J.: Upgrading https in mid-air: an empirical study of strict transport security and key pinning. In: NDSS (2015)
Kucherawy, M., Zwicky, E.: Domain-based Message Authentication, Reporting, and Conformance (DMARC). RFC 7489 (Informational), March 2015
Larson, M., Massey, D., Rose, S., Arends, R., Austein, R.: Dns security introduction and requirements (2005)
Mockapetris, P.V.: Domain names: Implementation specification (1983)
Pokeinthe.io. Analysis of the Alexa Top 1M sites, June 2017 (2017). https://pokeinthe.io/2017/06/13/state-of-security-alexa-top-one-million-2017-06/
Security Sauce. tls-scan (2017). https://github.com/prbinu/tls-scan
Szalachowski, P., Matsumoto, S., Perrig, A.: Policert: secure and flexible TLS certificate management. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 406–417, November 2014
Szalachowski, P., Perrig, A.: Short paper: on deployment of DNS-based security enhancements. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 424–433. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_24
US-CERT. SSL 3.0 Protocol Vulnerability and POODLE Attack (2014). https://www.us-cert.gov/ncas/alerts/TA14-290A
Acknowledgment
We thank the anonymous reviewers whose feedback helped to improve the paper. This work is supported by SUTD SRG ISTD 2017 128 grant.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Varshney, G., Szalachowski, P. (2018). A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 255. Springer, Cham. https://doi.org/10.1007/978-3-030-01704-0_9
Download citation
DOI: https://doi.org/10.1007/978-3-030-01704-0_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01703-3
Online ISBN: 978-3-030-01704-0
eBook Packages: Computer ScienceComputer Science (R0)