Several ICANN staff members attended the Black Hat and Defcon conferences last week to launch DNSSEC to the global Internet security community.
Black Hat is one of the world’s premier security conferences; it attracts about 5,000 onsite participants and many more online. Defcon is a hacker event, also attended by government and security types, and nearly 10,000 people registered for this year’s conference. These are important communities for ICANN.
Black Hat Chair Jeff Moss addressed thousands of participants at the opening session and asked a challenging question. Security has been discussed and debated throughout Black Hat’s 13-year history, yet what progress have we made? What real successes can we celebrate? The growth in malicious traffic on the web is higher than the growth in legitimate traffic. The Internet security community, he said, has had no solid accomplishment to show for our efforts – until today. Today DNSSEC is being launched, and just days ago the root of the Internet was cryptographically signed. This is the first major Internet security enhancement since the beginning of Black Hat, and we thank ICANN for this accomplishment.
This set the tone for other successes, including:
Whit Diffie’s Keynote at Black Hat Executive Session
Eighty top leaders from governments and corporations participated in an exclusive one-day program the day before Black Hat officially began. Whit Diffie, ICANN’s new Vice President for Information Security and Cryptography, was the keynote luncheon speaker and greatly impressed the audience, many of whom knew of his global reputation as a groundbreaking cryptographer.
Black Hat DNS Vulnerability Panel
The event was well attended and focused entirely on how to deploy DNSSEC successfully at all levels. The lively discussion included Whit Diffie; Sandy Wilbourn, CTO of Nominum; Ken Silva, CTO of VeriSign; Mark Weatherford, former Chief Information Security Officer of the State of California, which implemented DNSSEC; Dan Kaminsky, Chief Scientist at Recursion Ventures and a DNS activist; and me.
Press conference launching DNSSEC, with a live hook-up to the IETF meeting in Maastricht
The press conference was well attended by the world’s media, both technical and mainstream. Russ Housely, Chair of the Internet Engineering Task Force, joined by video link along with Mark McLaughlin, CEO of VeriSign, and Dan Kaminsky. Russ provided excellent detailed explanations to numerous questions, and the press conference was greatly enhanced by his participation. Dozens of articles on DNSSEC have appeared, including an Agence France Presse article that has been picked up by media outlets around the world and stories in the National Journal, MSNBC, CBS News and ABC News. To get a sense of the coverage, please see:
Black Hat Kaminsky session on how to implement DNSSEC for browsing, email and websites
Over 1,000 people packed in to hear Dan present a set of tools that can rapidly and easily cryptographically sign any website. Though initially a skeptic about DNSSEC, Dan stated that he had been wrong and is now a huge believer. He urged everyone in the industry to implement this important technology. He showed a private version of the Google Chrome browser that is fully DNSSEC-enabled, as well as tools he has created to add DNSSEC to Internet Explorer and Mozilla Firefox browsers. He capped it off by demonstrating DNSSEC-enabled email and announced he will be posting code so that DNSSEC-protected email can be sent and received though Microsoft Outlook. The crowd was wowed.
Defcon DNS Vulnerability Panel
This panel included ICANN’s Rick Lamb and Mehmet Akcin, Nominum’s Sandy Wilbourn, VeriSign’s Ken Silva and Dan Kaminsky, and was attended by about 800 people. Mehmet reports that it was an interactive and constructive session with considerable input from the audience.
Successes and lessons learned
Participants’ high level of engagement on DNSSEC and interest in ICANN demonstrate that these two events have helped to kickstart the long-term push for universal adoption of DNSSEC.
The panels and presentations had a significant impact in promoting DNSSEC. The most important lesson of ICANN’s experience at Black Hat and Defcon remains one of our defining philosophies: collaboration works. We made clear that everyone has a role in enhancing the security of the global Internet and we invited everyone to be a part of the solution. Many participants said they would push their ccTLDS, their own companies and software companies to enhance their product offerings to leverage DNSSEC. Participants clearly understood that this first true centralized trust anchor is a foundation for further global security enhancements.
ICANN’s first formal participation at Black Hat and Defcon, with many senior officials from the national security communities of the United States and other governments attending, also helped position ICANN as an important player in global Internet security. I believe our greatest achievement was the goodwill we created with the global security community and the governments they work with.
And special thanks again to all in the Internet Engineering Task Force for championing DNSSEC from the early days. It wouldn’t have happened without their unwavering commitment.