A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet
Domain Name System (DNS) domains became Internet-level identifiers for entities (like companies, organizations, or individuals) hosting services and sharing resources over the Internet. Domains can specify a set of security policies (such as, email and trust security policies) that should be followed by clients while accessing the resources or services represented by them. Unfortunately, in the current Internet, the policy specification and enforcement are dispersed, non-comprehensive, insecure, and difficult to manage.
In this paper, we present a comprehensive and secure metapolicy framework for enhancing the domain expressiveness on the Internet. The proposed framework allows the domain owners to specify, manage, and publish their domain-level security policies over the existing DNS infrastructure. The framework also utilizes the existing trust infrastructures (i.e., TLS and DNSSEC) for providing security. By reusing the existing infrastructures, our framework requires minimal changes and requirements for adoption. We also discuss the initial results of the measurements performed to evaluate what fraction of the current Internet can get benefits from deploying our framework. Moreover, overheads of deploying the proposed framework have been quantified and discussed.
KeywordsDomain DNS TLS Security policies Certificates
We thank the anonymous reviewers whose feedback helped to improve the paper. This work is supported by SUTD SRG ISTD 2017 128 grant.
- 1.Alexa. Alexa Top 1 Million Websites (2017). http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
- 2.Amann, J., Gasser, O., Scheitle, Q., Brent, L., Carle, G., Holz, R.: Mission accomplished?: Https security after diginotar. In: Proceedings of the 2017 Internet Measurement Conference, pp. 325–340. ACM (2017)Google Scholar
- 3.Crocker, D., Hansen, T., Kucherawy, M.: DomainKeys Identified Mail (DKIM) Signatures. RFC 6376 (Internet Standard), September 2011Google Scholar
- 4.Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1065–1074. ACM (2008)Google Scholar
- 5.Evans, C., Palmer, C., Sleevi, R.: Public Key Pinning Extension for HTTP. RFC 7469 (Proposed Standard), April 2015Google Scholar
- 6.Hallam-Baker, P., Stradling, R.: DNS Certification Authority Authorization (CAA) Resource Record. RFC 6844 (Proposed Standard), January 2013Google Scholar
- 7.Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS). RFC 6797 (Proposed Standard), November 2012Google Scholar
- 8.Hoffman, P., Schlyter, J.: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698 (Proposed Standard), August 2012. Updated by RFCs 7218, 7671Google Scholar
- 9.Housley, R., Polk, W., Ford, W., Solo, D.: Internet x. 509 public key infrastructure certificate and certificate revocation list (crl) profile. Technical report (2002)Google Scholar
- 10.Kitterman, S.: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1. RFC 7208 (Proposed Standard), April 2014. Updated by RFC 7372Google Scholar
- 11.Kommareddi, A.: Modify Headers for Google Chrome (2017). https://chrome.google.com/webstore/detail/modify-headers-for-google/innpjfdalfhpcoinfnehdnbkglpmogdi
- 12.Kranch, M., Bonneau, J.: Upgrading https in mid-air: an empirical study of strict transport security and key pinning. In: NDSS (2015)Google Scholar
- 13.Kucherawy, M., Zwicky, E.: Domain-based Message Authentication, Reporting, and Conformance (DMARC). RFC 7489 (Informational), March 2015Google Scholar
- 14.Larson, M., Massey, D., Rose, S., Arends, R., Austein, R.: Dns security introduction and requirements (2005)Google Scholar
- 15.Mockapetris, P.V.: Domain names: Implementation specification (1983)Google Scholar
- 16.Pokeinthe.io. Analysis of the Alexa Top 1M sites, June 2017 (2017). https://pokeinthe.io/2017/06/13/state-of-security-alexa-top-one-million-2017-06/
- 17.Security Sauce. tls-scan (2017). https://github.com/prbinu/tls-scan
- 18.Szalachowski, P., Matsumoto, S., Perrig, A.: Policert: secure and flexible TLS certificate management. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 406–417, November 2014Google Scholar
- 20.US-CERT. SSL 3.0 Protocol Vulnerability and POODLE Attack (2014). https://www.us-cert.gov/ncas/alerts/TA14-290A