How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Domain validation systems fooled by boffins

By Richard Chirgwin


Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation.

Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get a SSL/TLS certificate for someone else's domain and use it to create a malicious copy of that website. People fooled into connecting to the faked site will be told by their browsers that the connection is secure, when really they're visiting a spoofed version.

Dr Haya Shulman of the Fraunhofer Institute for Secure Information Technology (SIT), and one of the boffins behind told The Register a "weak off-path attacker" can – using nothing more than a laptop – effectively steal credentials, eavesdrop, or distribute malware using the method. The group at this stage withheld the names of the certificate authorities (CAs) that can be tricked into incorrectly issuing cryptographic certs.

In a paper seen by The Register, to be presented at the ACM's Conference on Computer and Communications Security conference in Toronto, Canada, in October, Dr Shulman's team wrote:

The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain.

The group has asked The Register not to republish the paper because it names affected certificate authorities. We have, however, seen a demo of a live attack by Fraunhofer SIT's team. The technique ensures the DNS domain validation checks run by the CA are performed, in part, using the attacker's DNS server rather than a server belonging to the domain's owner. This can be leveraged by the hacker to therefore obtain a cert for that domain.

"The attack is initiated with a DNS request," the paper explained. "To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives."

The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.

Network admins will have worked out by now that the attacker needs to do some offline research to get this to work – they have to examine responses from the victim's nameserver to calculate "the offset where the fragmentation should occur."

The research team proposed a domain validation protocol they dubbed "DV++" to block the attack. In summary, DV++ uses a distributed model which sends requests to multiple certification agents.

"To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain."

Dr Shulman's collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®

Editor's note: This article was revised after publication to clarify that it is the websites being spoofed, not the certificates. The certs are handed over to the wrong person, in effect, and used to spoof legit sites.

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Ministry of Defence's new payroll contract is, surprise, surprise, MIA: Missing In Action

Procurement heads fail to finalise specs for replacement deal, extend current agreement with DXC Technology

Can't get infected via email if your messages aren't delivered: Seven-hour slowdown hits Symantec cloud filters

Wondering why your inbox was so clear? Bad news…

Ye olde Blue Screen of Death is back – this time, a bad Symantec update is to blame

Updated The wrong kind of intrusion protection

Symantec shares up as private equity suitors sniff consumer tentacle

$16bn slapped on table by Permira and Advent – reports

Sort your spending habits out, UK Ministry of Defence told over £20bn black hole

Public Accounts Committee recommends department chains its wallet shut

Life's certainties: Death, taxes, and Cisco patching more serious vulnerabilities

Switchzilla closes off 18 CVE-listed holes, get to work

When the chips are down, buy a software biz: Broadcom snaffles Symantec for $10.7bn

Legacy security outfit to vanish into the 'rightsizing' grinder

Former BAE Systems contractor charged with 'damaging disclosure' of UK defence secrets

49-year-old to appear at the Old Bailey next month

Judges dismisses majority of Cisco's 'insane' IP defence against Arista

Switch antitrust case rumbles on

Cisco delivers Patch Tuesday warmup with bundle of 18 bug fixes

Unified Comms, Jabber among targets for clean-up