News & Comment: How to nab a HTTPS cert for a stranger’s website: Step one, shatter those DNS queries…
How to nab a HTTPS cert for a stranger’s website: Step one, shatter those DNS queries…
NEWS: Domain validation systems fooled by boffins
As reported by The Register, researchers based in Germany have discovered how to spoof certificates they don’t own – even if the certs are protected by the PKI-based domain validation. Though the group withheld the names of certificate authorities whose certs could be spoofed, Dr Haya Shulman, of the Fraunhofer Institute for Secure Information Technology, told The Register a “weak off-path attacker” can – using nothing more than a laptop – steal credentials, eavesdrop, or distribute malware using the method.
Full article: https://www.theregister.co.uk/2018/09/06/boffins_break_cas_domain_validation/
COMMENT:
According to Justin Hansen, security architect at Venafi:
“While this attack is relatively complex to pull off, it demonstrates a fundamental problem with Domain Validated (DV) certificates. DV issued certificates offer the lowest level of identity validation, sacrificing solid identity proof in exchange for speed and automation.
The impact of this attack can be quite serious because if an attacker can successfully poison DNS for any domains owned by a targeted organization, they will be able to get a certificate for that organization, and everyone on the internet will trust it. The attacker can then do a whole range of malicious things with that domain.
Because of this compromise, organizations should seriously consider the implications of DV validated certificate use. In many cases, it may make sense to explore higher assurance certificates like Organization Validation (OV) and Extended Validation (EV) certificates.”
Hugh Taylor
Hugh Taylor is a Certified Information Security Manager (CISM). In addition to editing Journal of Cyber Policy, he writes about cybersecurity, compliance and enterprise technology for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google and Advanced Micro Devices. Prior to launching his freelance writing career, he served in executive roles at Microsoft, IBM and several venture-backed technology startups.