I'm wading deep into unfamiliar water here, so take my assessment with a grain of salt because I'm not sure I'm describing it totally accurately. But this strikes me as a Big Deal that needs to be disseminated as far and wide as possible, and quickly.
This weekend a relatively recent DNS flaw finally crossed my radar. Knowledge of the problem has been public for a few weeks, but the threat escalated over the past few days as proof of concept exploits have started showing up and reports of actual attacks have filtered in. This is a flaw in the Domain Name System, a fundamental piece of the internet's infrastructure, that allows an attacker to redirect your internet connection. It has been described as one of the most significant internet security problems in the past decade.
For example, you might type gmail.com into your browser's address bar, and instead of reaching Google's servers, the attacker would be able to serve whatever he or she wishes. They may give you a harmless spam site, but it would be just as easy for the attacker to clone GMail and make it look authentic. As soon as you attempt to log in, the attacker has your username and password, and your account is, as they say, pwned. (It occurs to me they may not be able to replicate the security certificate so there might be warning signs, but given that most people will assume they've correctly reached the legitimate GMail those will likely be overlooked.)
It could be GMail, it could be your bank, it could be every single web site you visit. With this flaw in an unpatched state, you essentially cannot trust domain names.
The good news is that vendors of server software have already (for the most part) released patches that fix this security hole. This is a problem that service providers should be addressing, not necessarily end users like you or me.
But the bad news is that your particular DNS server may or may not have applied the patch. Go to DoxPara Research and hit the "Check My DNS" button to see if your computer is vulnerable. Mine was.
In that case, what you can do to immediately protect yourself is stop using your service provider's DNS and switch over to OpenDNS, a free ad-run alternative that stays up to date with their patches. I've pointed my computers and my routers at the service, and aside from the peace of mind, I'm tempted to say DNS resolution feels a bit faster too. Your mileage may vary, as speed is very geography-specific and I happen to be near one of their datacenters.
But wait, there's more. Further bad news for anyone using Apple products: no patch exists yet, the theory being that the recent tumultuous iPhone 3G and MobileMe product launches have been too distracting. Whatever the reason, if you use Apple operating systems, even with OpenDNS you are still vulnerable until a patch is available. OS X Servers are more likely targets for potential attacks, but even desktop computers are not totally safe.
So, um, cross your fingers?
(If I've missed nuances about the situation or mischaracterized anything, please feel free to add additional information in the comments.)
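For anyone who runs their own resolver and would rather check it offline than rely on the "Check My DNS" button, here is an added example (not from this post or from DoxPara) that does the same kind of test on a packet capture. The patches for this flaw randomize the UDP source port of the resolver's outgoing queries, so a resolver that still sends every query from one port is the thing to look for; the tcpdump line format and the sample lines below are assumptions I constructed for the example.

```python
# Added example: offline version of the "is my resolver patched?" check.
# The 2008 fix randomizes the UDP source port of outgoing queries, so a
# resolver sending every query from one port (only the 16-bit transaction
# ID varying) is still exposed. Input is tcpdump-style lines for the
# resolver's outgoing queries (e.g. from `tcpdump -n udp dst port 53`);
# the line format is assumed and the sample lines are constructed.
import re
from math import log2

LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")

def parse_queries(lines):
    """Return (source_port, txid) pairs from tcpdump-style DNS query lines."""
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs

def guess_bits(values):
    """Rough work factor: log2 of the distinct values observed (0 for a fixed value)."""
    return log2(len(set(values))) if values else 0.0

def assess(pairs, min_distinct_ratio=0.9):
    """Verdict on a sample of outgoing queries: ports that repeat across a
    sizeable sample mean the resolver is not randomizing them."""
    if len(pairs) < 2:
        return {"verdict": "insufficient data", "queries": len(pairs)}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    ratio = len(set(ports)) / len(ports)
    verdict = "patched" if ratio >= min_distinct_ratio else "vulnerable"
    return {"verdict": verdict, "queries": len(pairs),
            "distinct_ports": len(set(ports)), "port_ratio": ratio,
            "port_bits": guess_bits(ports), "txid_bits": guess_bits(txids)}

# Constructed samples: an unpatched resolver sending everything from port 53,
# and a patched one using a different high port for each query.
UNPATCHED_LOG = [f"IP 192.0.2.10.53 > 198.51.100.1.53: {(i * 7919) % 65536}+ A? host{i}.example. (30)"
                 for i in range(40)]
PATCHED_LOG = [f"IP 192.0.2.10.{1024 + (i * 40503) % 64000} > 198.51.100.1.53: "
               f"{(i * 7919) % 65536}+ A? host{i}.example. (30)" for i in range(40)]

if __name__ == "__main__":
    for name, log in (("unpatched", UNPATCHED_LOG), ("patched", PATCHED_LOG)):
        print(name, assess(parse_queries(log)))
```

A handful of queries is not enough to judge; capture a few dozen outgoing lookups before trusting the verdict.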
I was about to Flickr this and leave it at that, but then I remembered oh yeah, I've got a web site.
This morning's mail brought me a renewal notice from my domain registrar. The currently-dormant personal nameplate domain I've been sitting on is coming up for renewal at the end of the year, so they're really staying on top of it by sending me the renewal notice during the summer.
Except, wait. Domain Registry of Canada? That doesn't seem right. This domain was registered with a US-based company. I don't have any business with Canadian registrars that I'm aware of.
I've been hearing about this tactic for years, and received one or two of these in the past, so it didn't take long to conclude that, yes, this is a scam. Even though the notice is deceptively formatted to look like an invoice, the wording tells me exactly what's going on (emphasis mine):
"When you switch today to the Domain Registry of Canada..."
"...and now is the time to transfer and renew your name..."
"Domain name holders are not obligated to renew their domain name with their current Registrar or with the Domain Registry of Canada. Review our prices and decide for yourself. You are under no obligation to pay the amounts stated below, unless you accept this offer."
They've obviously spent time honing their text so this practice may not run afoul of the relevant consumer protection laws. The company has been at it for years in other countries with multiple legal proceedings in the past, so they've had the time to get it right. It may be that the notice I received is technically legal.
But I still think they're scum, and this is a scam-like practice whether it's legal or not. They're obviously counting on people to focus on the invoice and ignore the text. (Web users skim, they don't read, right?) With an official-sounding name like "Domain Registry of Canada" it's easy to understand how their targets might not pause to consider that this company isn't in fact the one they originally registered with (do you actually consider your domain registrar more than once a year?). If someone web-savvy like myself has to seriously think about what's going on here, how many average small business owners or office administrators do they sucker annually?
There may be legal recourse here, but I'm willing to bet that if they're still doing it after all these years, they've managed to figure out how to avoid prosecution. So there's not much to be done aside from wasting 50 cents on a stamp for their return envelope to return them a personal F U. Ineffective and useless to be sure, but if I can kill at least a fraction of a second of their anticipation of taking in another sucker while they open the envelope, to me that's good enough.