SSL/TLS certificates can be issued for any site by any of the 400+ public Certificate Authorities and thousands upon thousands of private CAs.
Not all CAs are trusted by a browser, by the way, which is another topic in a centralized-authority scheme; that is both a good and a bad thing, and it needs a separate thread to understand the "truststore".
Since a domain and site can be deployed anywhere, at any time, and by anyone, a successful hijack could take place if someone could steer or hijack a DNS server, or redirect a client's DNS response by modifying the DNS payload.
Take this approach:
1> A blackhat hijacker crafts a site named "www.ebay.com" and installs frontend server(s) for collecting accounts and logins, or just to distribute malware.
2> He uses a valid CA and gets a valid certificate signed.
3> He injects a response to a client browser's DNS query that says "go to my fake www.ebay.com address".
Now at this point the browser sees the certificate as valid, and the user is at the mercy of the fake www.ebay.com and whatever the hijackers are trying to do (delivery of malware/trojans, account/password spear phishing, or other targeted theft of information, etc.).
I call this the same thing as bait and switch with a decoy while hunting doves or turkey. If it looks real, it will draw in the prey with no scrutiny ;)
So what keeps someone from registering an SSL certificate against your domain names? This type of hijack has been feasible and cannot be 100% controlled, but we can do some things, along with DNSSEC, to reduce this risk.
Read one of my previous posts about DNSSEC: http://socpuppet.blogspot.com/2013/12/dnssec-godaddy-style.html
The DNS RR type CAA (type 257) does mitigate some of this threat, but it's not 100% guaranteed.
How this Resource Record works: you craft a DNS CAA record listing the preferred CA(s) that your domain trusts and uses for issuance of certificates. This record is used by some CAs to pre-validate the preferred CA(s) for a domain name before creating a certificate for that domain.
e.g.
Let's Encrypt does this for any certificate that it creates
https://letsencrypt.org/
Tip: To query for a type 257 (CAA DNS record type) you can use dig or host
e.g.
So Google has set specific instructions for other CAs for the domain google.com.
How much protection you gain from a CAA record is hit or miss, since it's only used from a CA's function and standpoint. Very few organizations (CAs) use or check for CAA record types. If more domains deployed CAA RRs and more CAs conducted lookups, it would help ensure a rogue or hijacked site is not being deployed.
Each CA has its own strategy on CAA validation. You can see Google's stance by reading their PKI policy page
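To make the CA-side check concrete, here is an added example (my own code, not from this post or from any CA) that decides whether a given CA may issue for a name from constructed CAA records, following the RFC 8659 rules: climb to the closest ancestor that has a CAA RRset, let issuewild override issue for wildcard names, refuse on a critical-flagged tag the checker does not understand, and allow issuance when no restricting property exists. The zone data and CA names below are made up.

```python
# Added example: a minimal CAA issuance check in the spirit of RFC 8659.
# Records are constructed inline (flags, tag, value) so it runs offline
# instead of calling dig/host. Assumption: the zone data is made up, and a
# real CA checker would also fail closed on DNSSEC validation errors.
from typing import Dict, List, Tuple

# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "issuewild", ";"),              # forbid all wildcard certs
                    (0, "iodef", "mailto:caa@example.com")],
    "locked.example.com": [(128, "somenewtag", "x")],    # critical, unknown tag
    "open.example.com": [(0, "iodef", "mailto:caa@example.com")],
}

def relevant_rrset(fqdn: str) -> List[Tuple[int, str, str]]:
    """Climb from the FQDN towards the root until a CAA RRset is found."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue for fqdn (or *.fqdn when wildcard)."""
    rrset = relevant_rrset(fqdn)
    # Critical flag (0x80) on a tag this checker does not understand: refuse.
    if any(f & 0x80 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    tags = ["issue"]
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tags = ["issuewild"]   # issuewild takes precedence for wildcard names
    permitted = [issuer_of(v) for _, t, v in rrset if t in tags]
    if not permitted:
        return True            # no restricting property: issuance is allowed
    return ca.lower() in permitted   # "" (from ";") never matches a real CA
```

Records for a name with no CAA RRset anywhere up the tree place no restriction at all, which is exactly why the post says the protection only exists for domains that publish the record.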
https://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.2.pdf
Ken
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
I've been using AVG anti-virus for a couple of years now; I'd recommend this product to you all.