On 15/12/17 00:18, Matthew Hardeman via dev-security-policy wrote:
> On Thursday, December 14, 2017 at 5:50:40 PM UTC-6, Matthew Hardeman wrote:
>> Route hijacking your way to what would appear as a proper domain validation is
>> practical for even a modestly resourceful adversary. I suspect that the only
>> reason more spectacular demonstrations of certs issuing pursuant to such hijacks
>> haven't arisen owes to ethical considerations, poor overlap of those with the
>> network interconnection experience and the CA DV practices knowledge, and that
>> doing it effectively means doing it in a well-documented way -- ringing a bell
>> you cannot unring.
>
> So when I wrote the above, I had not yet seen this (just published):
> https://twitter.com/matthew_d_green/status/941460537724080128
FWIW, this is the cert for clientportal.fox-it.com that was used in this
attack:
https://crt.sh/?id=278968925
We issued this cert in accordance with the BRs, the Mozilla Root Store
Policy, our CPS, etc. Domain control was validated via an email
challenge with [email protected]. We revoked this certificate as
soon as we were informed that the DNS records had been compromised.
I have lots of ideas on how to help make DV more resilient against this, though
they have various costs of complexity, infrastructure, and time.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy