So far so good! Major overhaul of the keys that keep the internet secure completed as firm behind it slams claims it could have caused a 48 hour global shutdown
- ICANN switched out crypto keys that make sure users aren’t sent to spam sites
- Ahead of the change, some warned of a ‘48 hour global internet shutdown’
- ICANN called those claims ‘clickbait,’ saying there’s yet to be any major outages
A major overhaul of a crucial component of the internet’s domain name system, or DNS, has gone off without a hitch, contradicting earlier claims that it would have caused a ‘global internet shutdown.’
The Internet Corporation for Assigned Names and Numbers (ICANN) on Thursday kicked off its first-ever change of the cryptographic key pairs that assure web users aren’t sent to spam sites.
Ahead of the switchover, which began at 4:00pm UTC yesterday, there were widespread warnings that it would disrupt internet connectivity for many web users.
However, that hasn’t happened yet and ICANN is calling claims that it will temporarily create system-wide outages ‘clickbait.’
ICANN, which is a US-based non-profit organization that oversees internet infrastructure tasks, was likely referring to headlines such as one that said ‘Global internet could crash in next 48 hours,’ published Thursday by Russia Today.
‘Unfortunately, that story carries a headline that is a click bait,’ an ICANN spokesperson told NDTV.
‘There will be minimal impact to users. Note that data analysis suggests that more than 99 percent of users whose resolvers are validating will be unaffected.’
It is possible that some users could still experience minor outages in the next 24 hours or so.
Some users reported having issues accessing webpages or making transactions within the first few hours of the switchover, but many were ‘fixed quickly,’ according to ICANN, which has continued to post updates on the rollover.
‘The root KSK rollover has occurred: the new root zone signed by new KSK (known as KSK-2017) has been published to the root servers,’ ICANN explained.
‘The root KSK rollover occurred at 1600 UTC [noon EST] today, 11 October, with the publication of the root zone with serial number 2018101100. Please see the main rollover page for further information on the rollover.’
It added: ‘In the first six hours after the rollover, there were a few reports of problems that were mostly fixed quickly.’
The overhaul centered around switching the DNS’ Root Zone Signing Key, which is a pair of crucial cryptographic keys that ensure users are visiting the correct website – not a spoof one run by hackers.
ICANN generated a new cryptographic public and private key pair and sent it to users who operate validating resolvers.
These validating resolvers run software that converts typical domain names, like Google.com, into their numerical IP addresses so that computers can visit them.
The internet has rapidly evolved, but DNS security measures haven’t necessarily kept up.
Many websites use DNS Security Extensions (DNSSEC), which rely on cryptographic keys to make sure DNS data is coming from the correct address, as a means to prevent ‘DNS spoofing,’ which inserts an incorrect IP address, thereby directing users to potentially malicious sites.
This week’s rollover involved changing the primary key pair in DNSSEC’s cryptographic key chain, called the Root Zone Signing Key.
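Why a rollover can break lookups only for validating resolvers that never picked up the new key can be shown with a short simulation. This is an added example, not ICANN's or any resolver's code: the key material is constructed, the function names are hypothetical, and signature verification itself is assumed to succeed so that only the trust-anchor match is modelled.

```python
import struct

KSK_FLAGS = 257  # Zone Key bit plus SEP bit: a key-signing key
ZSK_FLAGS = 256  # Zone Key bit only: a zone-signing key

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def validate_root_dnskey(trust_anchors: set, dnskey_rrset: list, signer_tag: int) -> str:
    """Simplified resolver decision for the root DNSKEY RRset.

    Assumption: the RRSIG made by the key with `signer_tag` is cryptographically
    valid; only the trust-anchor match is modelled here.
    """
    for rdata in dnskey_rrset:
        flags = struct.unpack("!H", rdata[:2])[0]
        if key_tag(rdata) == signer_tag and flags == KSK_FLAGS and rdata in trust_anchors:
            return "secure"
    return "bogus"  # a validating resolver answers SERVFAIL for bogus data

# Constructed keys (not real root keys), algorithm 8 = RSA/SHA-256.
OLD_KSK = dnskey_rdata(KSK_FLAGS, 8, b"old-root-ksk-constructed")
NEW_KSK = dnskey_rdata(KSK_FLAGS, 8, b"new-root-ksk-constructed")
ROOT_ZSK = dnskey_rdata(ZSK_FLAGS, 8, b"root-zsk-constructed")
ROOT_RRSET = [OLD_KSK, NEW_KSK, ROOT_ZSK]

if __name__ == "__main__":
    resolvers = {"updated": {OLD_KSK, NEW_KSK}, "stale": {OLD_KSK}}
    for phase, signer in (("before", OLD_KSK), ("after", NEW_KSK)):
        for name, anchors in resolvers.items():
            print(phase, name, validate_root_dnskey(anchors, ROOT_RRSET, key_tag(signer)))
```

Only the resolver whose trust anchors still hold just the old key flips to bogus once the new key starts signing; non-validating resolvers never run this check at all.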
So far, there is no reason to believe the keys have been compromised, but ICANN is performing the switch as a means of maintaining ‘good cryptographic hygiene,’ Motherboard noted.
‘We want to do this process when things are normal; when there’s not any kind of emergency,’ ICANN’s vice president of research, Matt Larson, told Motherboard.
‘This way, if an actor does manage to get the key somehow later, at least ICANN will have a better idea of how the process works.’
The root KSK rollover was supposed to happen in 2017, but was later postponed to this year, after concerns were raised that it would result in a major internet disruption for many users.