On Wednesday, April 25, 2018 at 1:57:28 AM UTC-7, Ryan Hurst wrote:
> On Tuesday, April 24, 2018 at 5:29:05 PM UTC+2, Matthew Hardeman wrote:
> > This story is still breaking, but early indications are that:
> >
> > 1. An attacker at AS10297 (or a customer thereof) announced several more specific subsets of some Amazon DNS infrastructure prefixes:
> >
> > 205.251.192-.195.0/24 205.251.197.0/24 205.251.199.0/24
> >
> > 2. It appears that AS10297 via peering arrangement with Google got Google's infrastructure to buy (accept) the hijacked advertisements.
> >
> > 3. It has been suggested that at least one of the anycast 8.8.8.8 resolvers performed resolutions of some zones via the hijacked targets.
> >
> > It seems prudent for CAs to look into this deeper and scrutinize any domain validations reliant on DNS from any of those ranges this morning.
>
> This is an example of why ALL CAs should either already be doing multi-perspective domain control validation or be working towards that in the very near future.
>
> These types of attacks are far from new; we had discussions about them back in the early 2000s while at Microsoft, and I know we were not the only ones. One of the earlier papers I recall discussing this topic was from the late 08 timeframe from CMU - https://www.cs.cmu.edu/~dga/papers/perspectives-usenix2008/
>
> The most recent work on this I am aware of is the Princeton paper from last year: http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf
>
> As the approved validation mechanisms are cleaned up and hopefully reduced to a limited few with known security properties, the natural next step is to require those that utilize these methods to also use multiple perspective validations to mitigate this class of risk.
>
> Ryan Hurst (personal)
What is interesting to me is the DV certificate that Amazon had issued for myetherwallet.com (https://crt.sh/?id=108721338), and this certificate expired on Apr 23rd 2018. Could it be that the attackers were using this cert all along in place of an EV cert?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
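As an added example (not code from this thread or from any CA), the two defender-side actions the quoted messages call for: Matthew Hardeman's retrospective scrutiny of DNS-dependent validations that touched the announced ranges, and Ryan Hurst's multi-perspective domain control validation. The validation-log field names, vantage-point labels, token and time window are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# More-specific /24s named in the thread: 205.251.192-.195.0/24, .197.0/24, .199.0/24.
HIJACKED = [ip_network(f"205.251.{o}.0/24") for o in (192, 193, 194, 195, 197, 199)]


def answered_from_hijacked_range(ns_ip: str) -> bool:
    """True if the authoritative server that answered lies in an affected /24."""
    addr = ip_address(ns_ip)
    return any(addr in net for net in HIJACKED)


def triage(validations, window_start, window_end):
    """Hardeman's suggestion: list validation ids worth re-checking by hand.

    `validations` are dicts with keys id, ns_ip and at (ISO-8601 UTC string,
    so plain string comparison orders them). This assumes the CA's validation
    log recorded which authoritative name server address answered; the field
    names are an assumption of this example, not a real CA's schema.
    """
    return [v["id"] for v in validations
            if window_start <= v["at"] <= window_end
            and answered_from_hijacked_range(v["ns_ip"])]


def quorum_validate(observations, expected, quorum):
    """Hurst's mitigation: multi-perspective agreement on the validation record.

    `observations` maps a vantage-point label to the set of TXT values it
    resolved. Pass only if at least `quorum` vantages saw `expected` and no
    vantage saw a different non-empty answer: a split view is exactly what a
    hijack accepted by only some networks produces, so fail closed.
    """
    agree = [v for v, seen in observations.items() if expected in seen]
    contradict = [v for v, seen in observations.items() if seen and expected not in seen]
    return len(agree) >= quorum and not contradict


if __name__ == "__main__":
    # Constructed sample log and a constructed incident window.
    log = [
        {"id": "val-1", "ns_ip": "205.251.197.30", "at": "2018-04-24T11:40:00Z"},
        {"id": "val-2", "ns_ip": "205.251.196.30", "at": "2018-04-24T11:45:00Z"},
        {"id": "val-3", "ns_ip": "205.251.193.7", "at": "2018-04-24T18:00:00Z"},
    ]
    print(triage(log, "2018-04-24T11:00:00Z", "2018-04-24T13:00:00Z"))  # ['val-1']
    split = {"us-east": {"ca-token-abc"}, "eu-west": {"ca-token-abc"}, "ap-south": {"bogus"}}
    print(quorum_validate(split, "ca-token-abc", 2))  # False
```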

