Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation.
Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get a SSL/TLS certificate for someone else's domain and use it to create a malicious copy of that website. People fooled into connecting to the faked site will be told by their browsers that the connection is secure, when really they're visiting a spoofed version.
Dr Haya Shulman of the Fraunhofer Institute for Secure Information Technology (SIT), and one of the boffins behind told The Register a "weak off-path attacker" can – using nothing more than a laptop – effectively steal credentials, eavesdrop, or distribute malware using the method. The group at this stage withheld the names of the certificate authorities (CAs) that can be tricked into incorrectly issuing cryptographic certs.
In a paper seen by The Register, to be presented at the ACM's Conference on Computer and Communications Security conference in Toronto, Canada, in October, Dr Shulman's team wrote:
The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain.
The group has asked The Register not to republish the paper because it names affected certificate authorities. We have, however, seen a demo of a live attack by Fraunhofer SIT's team. The technique ensures the DNS domain validation checks run by the CA are performed, in part, using the attacker's DNS server rather than a server belonging to the domain's owner. This can be leveraged by the hacker to therefore obtain a cert for that domain.
"The attack is initiated with a DNS request," the paper explained. "To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives."
The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.
Network admins will have worked out by now that the attacker needs to do some offline research to get this to work – they have to examine responses from the victim's nameserver to calculate "the offset where the fragmentation should occur."
The research team proposed a domain validation protocol they dubbed "DV++" to block the attack. In summary, DV++ uses a distributed model which sends requests to multiple certification agents.
"To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain."
Dr Shulman's collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®
Editor's note: This article was revised after publication to clarify that it is the websites being spoofed, not the certificates. The certs are handed over to the wrong person, in effect, and used to spoof legit sites.