How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Domain validation systems fooled by boffins

15 Got Tips?

Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation.

Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get a SSL/TLS certificate for someone else's domain and use it to create a malicious copy of that website. People fooled into connecting to the faked site will be told by their browsers that the connection is secure, when really they're visiting a spoofed version.

Dr Haya Shulman of the Fraunhofer Institute for Secure Information Technology (SIT), and one of the boffins behind told The Register a "weak off-path attacker" can – using nothing more than a laptop – effectively steal credentials, eavesdrop, or distribute malware using the method. The group at this stage withheld the names of the certificate authorities (CAs) that can be tricked into incorrectly issuing cryptographic certs.

In a paper seen by The Register, to be presented at the ACM's Conference on Computer and Communications Security conference in Toronto, Canada, in October, Dr Shulman's team wrote:

The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain.

The group has asked The Register not to republish the paper because it names affected certificate authorities. We have, however, seen a demo of a live attack by Fraunhofer SIT's team. The technique ensures the DNS domain validation checks run by the CA are performed, in part, using the attacker's DNS server rather than a server belonging to the domain's owner. This can be leveraged by the hacker to therefore obtain a cert for that domain.

"The attack is initiated with a DNS request," the paper explained. "To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives."

The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.

Network admins will have worked out by now that the attacker needs to do some offline research to get this to work – they have to examine responses from the victim's nameserver to calculate "the offset where the fragmentation should occur."

The research team proposed a domain validation protocol they dubbed "DV++" to block the attack. In summary, DV++ uses a distributed model which sends requests to multiple certification agents.

"To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain."

Dr Shulman's collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®

Editor's note: This article was revised after publication to clarify that it is the websites being spoofed, not the certificates. The certs are handed over to the wrong person, in effect, and used to spoof legit sites.

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

Browse mode: We're not goofing off on the Sidebar of Shame and online shopping sites, says UK's Ministry of Defence

Its servers merely record more HTTPS requests to Mail Online and Amazon than anywhere else

We'll pay £400k for a depth charge-proof robot submarine, says UK's Ministry of Defence

British military continues push for new autonomous tech

Ministry of Defence lowers supplier infosec standards thanks to COVID-19 outbreak

Updated Can't get assessors on-site to check SMEs' antivirus updates

UK's Ministry of Defence loads up £4.6m for one plucky IaaS and PaaS provider to host Oracle Primavera apps

Attention! Stand up straight you 'orrible lot!

UK's Ministry of Defence: We'll harvest and anonymise private COVID-19 apps' tracing data by handing it to 'behavioural science' arm

Analysis Plus: Serco plays email fail game by mass-mailing human contact tracers; NCSC gives feedback on feedback about beta app

Brit defense contractor hacked, up to 100,000 past and present employees' details siphoned off – report

Outsourcer Interserve holds a number of UK defense contracts, among others

Ministry of Defence's new payroll contract is, surprise, surprise, MIA: Missing In Action

Procurement heads fail to finalise specs for replacement deal, extend current agreement with DXC Technology

Cisco restores evidence of its funniest FAIL – ethernet cable presses switch's reset button

At least it’s a better excuse than Switchzilla’s ‘cosmic radiation errors’

Can't get infected via email if your messages aren't delivered: Seven-hour slowdown hits Symantec cloud filters

Wondering why your inbox was so clear? Bad news…

Never mind monitoring dead crims, Ministry of Justice has just palmed Serco another £800m

All is forgiven!

Tech Resources

The Cloud: How CISOs Can Embrace It (Wisely), Not Fear It

Cloud computing is one of the great transformational shifts in corporate information technology.

Simplifying Hybrid Cloud Flash Storage

According to industry analysts, a critical element for secure hybrid multicloud environments is the storage infrastructure.

Navigating the New Era of Cloud Computing

Hear from Steve Sibley, VP of Offering Management for IBM Power Systems about how IBM Power Systems can enable hybrid cloud environments that support “build once, deploy anywhere” options.

Speed NAS & Cloud Data Migrations: Elastic Data Migration

Migrating data into faster, flash-based NAS and cloud storage can be tough. Learn how to migrate large production data sets quickly, and without errors or user disruption with …