Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites

Bad news first: the internet has been broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.

With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes to remove a major pain point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.

It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.

For years, you could open up a website and take its instant availability for granted. DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.

Take two incidents in the past year — where traffic to and from Amazon and, separately, Google, Facebook, Apple, and Microsoft was hijacked and rerouted for between minutes and hours at a time. Terabytes of internet traffic were siphoned through Russia for reasons that are still unknown. Any non-encrypted traffic was readable, at least in theory, by the Russian government. Suspicious? It was.

That’s where a security-focused DNS evolution — DNSSEC — is meant to help. It’s like DNS, but it protects requests end-to-end, from computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the data so that it’s far tougher — if not impossible — to spoof.

But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains, largely because the domain owners can’t be bothered, but also because their DNS operators either don’t support it or charge exorbitant rates for the privilege.

Cloudflare now wants to do the hard work of setting those crucial DS records, a necessary component of setting up DNSSEC, for customers on a supported registrar. Traditionally, setting a DS record has been notoriously difficult, often because the registrars themselves can be problematic.
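The DS record the article refers to is what ties a zone's signing key into the parent zone: it carries a hash of the child's DNSKEY, so a validating resolver can check that the key it was handed is the one the parent vouches for. The following Python, added here as an illustration and not code from Cloudflare, Gandi, or the original article, derives a DS record from a DNSKEY the way RFC 4034 specifies (key tag from the RDATA, SHA-256 over the canonical owner name plus the RDATA) and checks whether a DS published at the parent actually matches a given child key. The domain, flags, and 64-byte public key are constructed placeholders, not a real key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample DNSKEY for example.com: flags 257 (zone key + SEP bit,
# i.e. a key-signing key), protocol 3, algorithm 13 (ECDSA P-256 with SHA-256).
# The 64 public-key bytes are a placeholder pattern, not a real key.
EXAMPLE_OWNER = "example.com."
EXAMPLE_FLAGS = 257
EXAMPLE_PROTOCOL = 3
EXAMPLE_ALGORITHM = 13
EXAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()

# DS digest types from the IANA registry: 2 = SHA-256, 4 = SHA-384.
DIGEST_HASHERS = {2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    each label prefixed by its length, terminated by the empty root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5).
    Sum the RDATA as big-endian 16-bit words, fold the carry back in, keep 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey_b64: str, digest_type: int = 2) -> dict:
    """Derive the DS record the parent zone must publish for this DNSKEY.
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_HASHERS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_presentation(ds: dict) -> str:
    """Zone-file presentation form: '<key tag> <algorithm> <digest type> <digest>'."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """Check that a DS seen at the parent covers this child DNSKEY. A mismatch
    here means the chain of trust is broken: either the DS was never updated
    after a key change, or the DNSKEY being served is not the one the parent
    vouches for."""
    if ds["digest_type"] not in DIGEST_HASHERS:
        return False  # unknown digest type: cannot validate, treat as no match
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(expected["digest"], ds["digest"].upper()))


if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                 EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64)
    print(f"{EXAMPLE_OWNER} IN DS {ds_presentation(ds)}")
    print("parent DS matches child DNSKEY:",
          ds_matches_dnskey(ds, EXAMPLE_OWNER, EXAMPLE_FLAGS, EXAMPLE_PROTOCOL,
                            EXAMPLE_ALGORITHM, EXAMPLE_PUBKEY_B64))
```

The check at the end is the one a registrar or DNS operator has to get right when it automates DS publication: the DS must be recomputed from the live DNSKEY every time a key rolls, and the owner name must be canonicalized (lowercase, trailing dot) before hashing, or the digest will silently disagree with what validating resolvers compute.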

As of launch, Gandi will be the first registrar to support one-click DNSSEC setup, with more expected to follow.

The more registrars that support the move, the fewer barriers to a safer internet, the company argues. For now, the company says users should consider switching away from providers that don’t support DNSSEC and “let them know that was the reason for the switch.”

Just like HTTPS was slow to be adopted over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same path. The more companies that adopt the technology, the less vulnerable end users will be to DNS attacks on the internet.

And besides the hackers, who doesn’t want that?