Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-19 Thread Rob Stradling via dev-security-policy
On 18/12/2018 16:41, Ryan Sleevi wrote: > On Tue, Dec 18, 2018 at 7:41 AM Rob Stradling wrote: > On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > > > I think it's worth calling out that Let's Encrypt has implemented > what > > appears to be a relatively simp

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 18, 2018 at 1:53 PM Tim Hollebeek wrote: > The problem is that the attackers get to choose the CA they use, so > multi-perspective validation doesn't provide any benefits unless everyone > has to do it. > > I brought it up several times at the validation working group and as a > discu

RE: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Tim Hollebeek via dev-security-policy
can.st; mozilla-dev-security- > policy > Subject: Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable > > On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > > > I think it's worth calling out that Let's Encrypt has implemented what >

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 18, 2018 at 7:41 AM Rob Stradling wrote: > On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > > > I think it's worth calling out that Let's Encrypt has implemented what > > appears to be a relatively simple mitigation: > > > https://community.letsencrypt.org/t/edns-bu

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-18 Thread Rob Stradling via dev-security-policy
On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote: > I think it's worth calling out that Let's Encrypt has implemented what > appears to be a relatively simple mitigation: > https://community.letsencrypt.org/t/edns-buffer-size-changing-to-512-bytes/77945 Sectigo implemented this sam

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-15 Thread Wayne Thayer via dev-security-policy
On Tue, Dec 11, 2018 at 10:27 AM Hector Martin 'marcan' via dev-security-policy wrote: > On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > > Is this new from the past discussion? > > I think what's new is someone actually tried this, and found 5 CAs that > are vulnerable and for w

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Leo Grove via dev-security-policy
On Tuesday, December 11, 2018 at 11:27:52 AM UTC-6, Hector Martin 'marcan' wrote: > On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > > Is this new from the past discussion? > > I think what's new is someone actually tried this, and found 5 CAs that > are vulnerable and for which

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Hector Martin 'marcan' via dev-security-policy
On 12/12/2018 01.47, Ryan Sleevi via dev-security-policy wrote: > Is this new from the past discussion? I think what's new is someone actually tried this, and found 5 CAs that are vulnerable and for which this attack works in practice. > https://groups.google.com/d/msg/mozilla.dev.security.policy

Re: DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 11, 2018 at 11:34 AM Hector Martin via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > I figured this presentation might be of interest to this list: > > > https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf > > It seems they foun

DNS fragmentation attack subverts DV, 5 public CAs vulnerable

2018-12-11 Thread Hector Martin via dev-security-policy
I figured this presentation might be of interest to this list: https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf It seems they found 5 (unspecified) public CAs out of 17 tested were vulnerable to this attack, which can be performed by an off-path attacker. The