On Tuesday, April 24, 2018 at 5:29:05 PM UTC+2, Matthew Hardeman wrote:
> This story is still breaking, but early indications are that:
>
> 1. An attacker at AS10297 (or a customer thereof) announced several more
> specific subsets of some Amazon DNS infrastructure prefixes:
>
> 205.251.192-195.0/24 205.251.197.0/24 205.251.199.0/24
>
> 2. It appears that AS10297 via peering arrangement with Google got
> Google's infrastructure to buy (accept) the hijacked advertisements.
>
> 3. It has been suggested that at least one of the anycast 8.8.8.8
> resolvers performed resolutions of some zones via the hijacked targets.
>
> It seems prudent for CAs to look into this deeper and scrutinize any domain
> validations reliant on DNS from any of those ranges this morning.
This is an example of why ALL CAs should either already be doing multi-perspective domain control validation or be working towards that in the very near future.

These types of attacks are far from new; we had discussions about them back in the early 2000s while at Microsoft, and I know we were not the only ones. One of the earlier papers I recall discussing this topic was from the late '08 timeframe from CMU: https://www.cs.cmu.edu/~dga/papers/perspectives-usenix2008/

The most recent work on this I am aware of is the Princeton paper from last year: http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf

As the approved validation mechanisms are cleaned up and hopefully reduced to a limited few with known security properties, the natural next step is to require those that utilize these methods to also use multiple perspective validations to mitigate this class of risk.

Ryan Hurst (personal)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
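The two defensive actions raised in this thread, retrospectively checking which validations depended on nameservers inside the hijacked more-specific prefixes, and requiring agreement between several network vantage points before accepting a DNS-based validation, can both be expressed in a few lines. The following is an added example, not code from this thread or from any CA's validation pipeline; the log format, the perspective names and the token values are constructed for illustration, and the prefix list is the one quoted in the message above.

```python
import ipaddress
import re
from collections import Counter

# The more-specific prefixes named in the thread as having been hijacked
# (205.251.192.0/24 through 205.251.195.0/24, plus .197 and .199).
AFFECTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "205.251.192.0/24", "205.251.193.0/24", "205.251.194.0/24",
    "205.251.195.0/24", "205.251.197.0/24", "205.251.199.0/24",
)]


def uses_affected_nameserver(ns_ip: str) -> bool:
    """True if the nameserver address falls inside one of the hijacked prefixes."""
    addr = ipaddress.ip_address(ns_ip)
    return any(addr in net for net in AFFECTED_PREFIXES)


# Constructed validation log lines in a hypothetical format; "ns" is the
# authoritative nameserver the validator actually queried. Not a real CA log.
SAMPLE_VALIDATION_LOG = """\
2018-04-24T11:02:13Z domain=example.com method=dns-01 ns=205.251.193.10 result=pass
2018-04-24T11:05:40Z domain=example.net method=dns-01 ns=192.0.2.53 result=pass
2018-04-24T11:07:02Z domain=example.org method=http-01 ns=205.251.199.7 result=pass
2018-04-24T11:09:55Z domain=example.edu method=dns-01 ns=205.251.196.4 result=pass
"""

LOG_RE = re.compile(r"domain=(\S+) method=(\S+) ns=(\S+) result=(\S+)")


def flag_suspect_validations(log_text: str):
    """Return (domain, method, ns) for every passed validation whose DNS answer
    came from a nameserver in an affected prefix. HTTP-based methods are
    included because they still resolve the hostname through DNS."""
    suspects = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        domain, method, ns, result = m.groups()
        if result == "pass" and uses_affected_nameserver(ns):
            suspects.append((domain, method, ns))
    return suspects


def multi_perspective_decision(answers_by_perspective: dict, min_agree: int = 2) -> dict:
    """Quorum rule for multi-perspective validation.

    answers_by_perspective maps a vantage-point name to the set of records it
    observed, or None if its lookup failed. The validation passes only when
    every perspective that answered saw the same records and at least
    min_agree of them did so; any disagreement is treated as a failure, since
    a localized route hijack shows up exactly as one vantage point seeing
    different data from the rest.
    """
    observed = {name: frozenset(ans)
                for name, ans in answers_by_perspective.items() if ans is not None}
    if not observed:
        return {"status": "fail", "reason": "no perspective returned an answer"}
    tally = Counter(observed.values())
    winner, support = tally.most_common(1)[0]
    if len(tally) > 1:
        dissenting = sorted(n for n, a in observed.items() if a != winner)
        return {"status": "fail", "reason": "perspectives disagree", "dissenting": dissenting}
    if support < min_agree:
        return {"status": "fail",
                "reason": f"only {support} perspective(s) agreed, need {min_agree}"}
    return {"status": "pass", "answer": sorted(winner), "agreeing": support}


if __name__ == "__main__":
    for entry in flag_suspect_validations(SAMPLE_VALIDATION_LOG):
        print("re-examine:", entry)
    # Constructed observations: one vantage point sees a different TXT record.
    print(multi_perspective_decision({
        "vp-a": {"attacker-token"}, "vp-b": {"token-abc"}, "vp-c": {"token-abc"},
    }))
```

The retrospective check is deliberately coarse: it flags every passed validation that touched an affected prefix, and leaves deciding whether any of those issuances need revocation to a human. The quorum function errs the same way, failing closed on any disagreement rather than trusting the majority, because the point of the extra perspectives is to detect a hijack that only some of the Internet can see.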

