CIRA Canadian Shield – Free malware and phishing protection for households

Malware and phishing are two scourges that prey on human error and impact families. To help CIRA, the .CA domain name registry, has just launched a free cybersecurity service. This service is unique in the world because it is designed and deployed specifically for Canadians.

First a backgrounder

Hackers get in and people get scammed by malware and phishing scams that exploit email and websites that can often appear legitimate. These scams persist despite the use of existing antivirus and firewall software. Let’s be clear, we are not recommending you stop using those critical, useful and effective layers. What we are saying is that is that no solution is perfect – least of all the humans in our homes that accidentally click on malicious links.

Cybersecurity professionals know this and that is why enterprises protect their data with multiple security layers, from multiple vendors, and with multiple different sources of cyberthreat data. It is a strategy called, “defence-in-depth” that is based off concepts learned in World War One trench warfare. It traditionally comes with cost and complexity that is not practical or affordable for you, your children, or your grandma. This is a problem that CIRA Canadian Shield addresses.

The other question you may have is, why would CIRA do something for free? CIRA is a non-for-profit organization governed by an elected board of directors and part of our mandate is to help build a more trusted internet in Canada. This includes a granting program, support for Canadian Internet Exchange Points, measurement and analysis of the internet, and cybersecurity.

CIRA Canadian Shield works using the original cloud - The Domain Name System or DNS

We all know about the concept of cloud software. It is software that runs somewhere else and that we access by paying a (typically) monthly fee. You can think of the DNS the original cloud service. It is the Internet’s phone book that connects domain names with the IP address of the server where the webpage or web application exists. It is the first step in using the internet and it is a great place to block threats because it can refuse the connection to malicious content.

Cyberthreat intelligence that is uniquely effective

One of the best analogies that I heard about DNS-based threat filtering is that the internet is kind of like water in that it is a Canadian right. And since you wouldn’t drink untreated water why would you surf untreated Internet? Moreover, if you do clean up the problems, you need to do it in a way that doesn’t introduce anything negative into the system.

One of the partners that CIRA works for our threat feed is Akamai. Akamai has nodes located in ISPs around the world that are continually monitoring new DNS queries, quarantining them, inspecting them and adding malicious ones to the threat list. The time from detection to addition to the list is under 14 minutes. We also include multiple threat feeds from both open and commercial sources. Uniquely, CIRA Canadian Shield includes the threat feed from the Canadian Center for Cybersecurity (CCCS) and the child exploitation feed from cybertips.ca. Two uniquely Canadian, and high quality organizations that help to keep Canadians safe online.

In total, these add over 100,000 net new malicious domains to our threat list every month with almost no false positives and no censorship.

A note about privacy

When you are talking about your DNS traffic, you are talking about a record of almost everything you do online. While there are several options for choosing a DNS provider (including sticking with the one your ISP gives you by default) we believe that CIRA is a trustworthy option. As a not-for-profit we have no interest in your personal data and will never share or monetize it. You do not have to register and we only store the IP address for less than one day – a time period that we need to mitigate attacks on the service (i.e. we can cut off IP addresses that are attacking it).

In addition to being a trusted provider, our service nodes are only located in Canada to reduce the likelihood that your data will pass through foreign jurisdictions while in transit.

And finally, for serious privacy aficionados, we also support the latest DNS over HTTPS (DoH) and DNS over TLS (DoT) encryption standards. This is a more advanced topic, but for those interested, the set-up instructions are on CIRA’s website.

The service is delivered with three options for Canadians

Private – Provides basic DNS resolution
Protected – Blocks malware and phishing domains
Family – Protected plus blocking of pornographic content

How do I get going?

The recommended set-up is to change settings on your home gateway/router because once do the entire home is protected. However, you can also change the settings on individual computer operating systems.

There are pros and cons to using the DNS layer. One pro is that it is unobtrusive and has no annoying popups. The con is that we know that some people can be confused by this – but rest assured, it is only a few clicks of basic configuration to get going. Moreover, once set, it is difficult for a family member to accidentally turn it off.

1. Log into your router (you may need to consult your documentation or ISP support page)
2. Click on DNS settings
3. Change the settings to point to CIRA Canadian Shield addresses for the service level you want to use: Private, Protected, Family

Full step-by-step instructions with images and the DNS addresses are available on CIRA’s website.

And finally, for mobile devices, it is even easier because there are free downloads in both the Apple app store and the Google play store.

CIRA Canadian Shield is a uniquely Canadian layer of cybersecurity that can help protect individuals and families online while also adding some additional privacy. Just a few days after launch we had already added tens of thousands of users and we hope to help as many people as possible.