Thanks Matthew, I appreciate you bringing this to everyone's attention. Unless I'm misunderstanding the scope of the attack, it would have been trivial for them to get a trusted cert from most any CA. However, according to the following article, "Victims had to click through a HTTPS error message, as the fake MyEtherWallet.com was using an untrusted TLS/SSL certificate.", yet the attackers still managed to steal millions of dollars in alt-coins.
https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/

On Tue, Apr 24, 2018 at 8:28 AM, Matthew Hardeman via dev-security-policy <[email protected]> wrote:

> This story is still breaking, but early indications are that:
>
> 1. An attacker at AS10297 (or a customer thereof) announced several more specific subsets of some Amazon DNS infrastructure prefixes:
>
> 205.251.192-.195.0/24 205.251.197.0/24 205.251.199.0/24
>
> 2. It appears that AS10297 via peering arrangement with Google got Google's infrastructure to buy (accept) the hijacked advertisements.
>
> 3. It has been suggested that at least one of the anycast 8.8.8.8 resolvers performed resolutions of some zones via the hijacked targets.
>
> It seems prudent for CAs to look into this deeper and scrutinize any domain validations reliant on DNS from any of those ranges this morning.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy


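One way a CA could act on the last paragraph of the quoted post, as an added example that is not part of this thread or of any CA's tooling: a Python check that flags validation records whose DNS answers came from the announced prefixes, plus a helper showing the more-specific-prefix pattern described in point 1. The log format, the covering /21, the timestamps and the time window are constructed for illustration, and "205.251.192-.195.0/24" is read here as the four /24s 205.251.192.0/24 through 205.251.195.0/24.

```python
import ipaddress
from datetime import datetime, timezone

# Prefixes named in the thread; "205.251.192-.195.0/24" read as four /24s (my reading).
HIJACKED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "205.251.192.0/24", "205.251.193.0/24", "205.251.194.0/24",
    "205.251.195.0/24", "205.251.197.0/24", "205.251.199.0/24",
)]

# Constructed validation log (hypothetical format, not any CA's real one):
# <ISO-8601 UTC time> <validated domain> <authoritative server IP that answered>
SAMPLE_LOG = """\
2018-04-24T11:05:12Z example.com 205.251.193.77
2018-04-24T11:06:40Z example.net 198.51.100.10
2018-04-24T11:07:03Z example.org 205.251.199.130
2018-04-24T16:30:00Z example.org 205.251.199.130
"""

# Constructed suspect window for illustration; a real check would use the
# period during which the rogue announcements were visible in BGP.
SUSPECT_WINDOW = (datetime(2018, 4, 24, 11, 0, tzinfo=timezone.utc),
                  datetime(2018, 4, 24, 13, 0, tzinfo=timezone.utc))

def in_hijacked_range(ip: str) -> bool:
    """True if the answering server's IP lies inside any announced more-specific."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HIJACKED_PREFIXES)

def suspect_validations(log_text, window_start, window_end):
    """Return (time, domain, ip) for validations whose DNS answer came from a
    hijacked prefix inside the window; these are candidates for re-validation."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if window_start <= when <= window_end and in_hijacked_range(ip):
            flagged.append((ts, domain, ip))
    return flagged

def flag_sample():
    return suspect_validations(SAMPLE_LOG, *SUSPECT_WINDOW)

def more_specifics(announced, legitimate):
    """Announced prefixes strictly inside a legitimate one: the sub-prefix
    hijack pattern, which wins by longest-match routing (covering /21 assumed)."""
    legit = [ipaddress.ip_network(p) for p in legitimate]
    return [(a, str(l)) for a in announced for l in legit
            if ipaddress.ip_network(a) != l and ipaddress.ip_network(a).subnet_of(l)]
```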