How to nab a HTTPS cert for a stranger’s website: Step one, shatter those DNS queries…
NEWS: Domain validation systems fooled by boffins
As reported by The Register, researchers based in Germany have discovered how to spoof certificates for domains they don’t own – even if the certs are protected by PKI-based domain validation. Though the group withheld the names of the certificate authorities whose certs could be spoofed, Dr Haya Shulman, of the Fraunhofer Institute for Secure Information Technology, told The Register a “weak off-path attacker” can – using nothing more than a laptop – steal credentials, eavesdrop, or distribute malware using the method.
According to Justin Hansen, security architect at Venafi:
“While this attack is relatively complex to pull off, it demonstrates a fundamental problem with Domain Validated (DV) certificates. DV issued certificates offer the lowest level of identity validation, sacrificing solid identity proof in exchange for speed and automation.
The impact of this attack can be quite serious because if an attacker can successfully poison DNS for any domains owned by a targeted organization, they will be able to get a certificate for that organization, and everyone on the internet will trust it. The attacker can then do a whole range of malicious things with that domain.
Because of this compromise, organizations should seriously consider the implications of DV validated certificate use. In many cases, it may make sense to explore higher assurance certificates like Organization Validation (OV) and Extended Validation (EV) certificates.”