New standard to make online banking and shopping safer

DNSSEC will improve security around online transactions

Root server security upgrade to allow safer e-commerce

The internet's root servers have been made more secure as a result of the addition of domain name system security extensions (DNSSEC).

These extensions make it more likely that when a web page is returned to a user, the right web page is returned rather than one posing as the requested page. The aim is to protect organisations and consumers from imitation e-commerce sites or banking log-in pages. These are often used by hackers to harvest personal information or banking details.

DNSSEC works by adding further secure data to the domain name which means that the verification process is more likely to return matches that are identical to the original request - and that the match has not been tampered with while in transit.

Root servers are the core of the internet's global addressing system, they translate web addresses from text format (for example www.google.com) into Internet Protocol (IP) addresses, used to route network traffic to the correct website.

Internet technical community organisations and vendors have worked with the bodies responsible for the root server infrastructure, Internet Corporation for Assigned Names and Numbers (ICANN) and the US Department of Commerce.

VeriSign senior VP and CTO Ken Silva said that the collaborative, industry-wide effort to protect consumers and organisations from hackers who target DNS data, marked a decisive step forward.

"DNSSEC is designed to protect the DNS from 'man in the middle' and cache poisoning attacks, which can occur when hackers corrupt DNS data stored on recursive servers to redirect queries to malicious sites," said Silva.

"Poisoning a recursive server's cache is much more difficult with DNSSEC because DNS administrators sign their data [using keys]," added Silva.

A significant driver for this rollout was the disclosure of weaknesses in DNS by security researcher Dan Kaminsky two years ago.

To complement root servers being secured with DNSSEC, the large top-level domains (TLDs) will need DNSSEC applied to their infrastructure. The .org registry is currently the only one set up for DNSSEC.