January 27, 2012

Another Angle on Prefetching

January 10 2012 by Cricket Liu (Infoblox)

For another angle on the risks of browser prefetching, read this paper by Srinivas Krishnan and Fabian Monrose.  The authors describe algorithms that allow a hacker with access to a shared name server's cache to determine--with remarkable accuracy--what terms users with prefetching browsers are searching for.


Posted in DNS Security | 1 comment



Sharing Our Prefetching Pain

January 06 2012 by Cricket Liu (Infoblox)

Wired's Webmonkey column today features a short article on some new behavior in the latest Google Chrome beta:  prefetching and prerendering web content.  Basically, if Chrome autocompletes the URL you're typing, it'll start loading web content for that URL, even though you may end up typing something unexpected and different.

In the best case, of course, this could save you a little time - especially if you type as slowly as I do - because some portion of the web page will already have loaded by the time you finish typing.  In the worst case, the URL you type isn't what Chrome anticipated so it simply discards the prefetched content.  No harm done, right?

Except that the web content had to be served by a web server somewhere on the Internet and transmitted across said Internet to your web browser.


Posted in | 0 comments



If You Can't Trust Your ISP, Who Can You Trust?

November 07 2011 by Cricket Liu (Infoblox)

Apparently there's a "massive" attack against DNS infrastructure underway in Brazil.  Much of the initial reporting refers to the attack as cache poisoning, though Rod Rasmussen correctly points out that it's not "classic cache poisoning":  the culprits allegedly worked at a Brazilian ISP and used default passwords to change the DNS settings on customer premises equipment, and modified the configurations of the ISP's recursive name servers to direct customers to bogus sites.  ("Classic" cache poisoning attacks, of course, require no such special access to resolver or name server configuration to carry out.)

Besides raising the upsetting specter of collusion by the employees of ISPs, this threat brings us back to DNSSEC's "last mile" problem.  While this would seem like a textbook example of the kind of threat DNSSEC should protect against, in fact DNSSEC wouldn't have been much help to most of the ISP's subscribers.  Without a secure channel between a stub resolver, like the one on the laptop I'm typing on, and the local recursive name server, there's no foolproof way of determining that your name server has been replaced.


Posted in DNSSEC | DNS Security | 5 comments



A Pretty Lively Week for a Middle-Aged Protocol

August 31 2011 by Cricket Liu (Infoblox)

Boy, in just the last week, I've seen a number of notable developments in the world of DNS.  You'd think that, after 25+ years, activity would die down a little!

First, OpenDNS and Google Public DNS announced that they're going to start trials of the extension described in draft-vandergaast-edns-client-subnet-00.  Basically, that Internet Draft proposes a new EDNS0 option that would allow a recursive name server to include the IP address of the original stub resolver in the queries it sends to authoritative name servers.  At first blush that may not make sense (why would an authoritative name server care what the original querier's IP address was?), but recall that "authoritative name servers" are in many cases fancy global server load balancers run by content delivery networks, and that they want to decide where to direct you based on where on the Internet you live.  Until now, if you used big recursive name servers in the sky such as OpenDNS's or Google Public DNS, you'd always look to a CDN like you were coming from whichever anycast instance you'd happened to be directed to.  Now you can actually get a response that's meant for you.

Posted in DNS Security | 3 comments



Introducing Infoblox's IPv6 Center of Excellence

July 10 2011 by Cricket Liu (Infoblox)

I found out a few weeks ago how general managers are made.

When I worked for HP, from the summer after my sophomore year in college to 1997, general managers were a big deal.  They ran HP's business units.  Lew Platt was a GM (and later CEO of HP), and now part of highway 87 is named for him.  In fact, the closest I ever got to an HP GM was flipping burgers next to Lew at one of HP's legendary beer busts.

Well, my boss and the CEO got together a few weeks ago and decided that Infoblox should have an IPv6 Center of Excellence, and they made me its GM.  I expect this went down something like the old Life cereal commercial:  "Let's give it to Cricket--he'll do anything!"  But I'm actually very pleased, for a number of reasons (besides getting a snazzy new title).

Infoblox has recognized that IPv6 is key to its success.  We are, after all, an IP address management vendor, and what could represent a bigger change in the world of IP address management than the transition to a new version of IP?  For that matter, what could be a bigger opportunity?


Posted in IPv6 | 4 comments