undefined | Better HN

0 pointsmidasuni2y ago0 comments

Hijack the ip or dns entry and you break https as it’s trivial to get a new certificate and prove ownership of the DNS address adult the time.

0 comments

bawolff2y ago

Generally yes, but there is a slight mitigating factor that certificate transparency makes it very public who you are attacking.

In theory, if it was just your site ip that was attacked and not your dns provider, CAA record can protect you. Probably one of the few cases where dns-sec is actually useful. All that though is an edge case that probably doesn't apply 99% of the time.

3np2y ago

> All that though is an edge case that probably doesn't apply 99% of the time.

The same could be said for many necessary security measures.

CaliforniaKarl2y ago

Hijacking the IP would indeed allow you to respond to ACME HTTP-01 validations. That can be protected against by using RFC 8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding (https://datatracker.ietf.org/doc/html/rfc8657). RFC 8657 extends the CAA record to say "Only this specific CA account may request certs for this domain" and/or "Only this specific validation method may be used when requesting certs for this domain".

Let's Encrypt has supported RFC 8657 for over a year now: https://community.letsencrypt.org/t/enabling-acme-caa-accoun...

ethbr12y ago

But then you show up on certificate transparency logs pretty quickly, no?

tialaramex2y ago

Well, the new certificate shows up, but so what? CT logs aren't like "Barry Shitpeas got a certificate for hugecorp.example" they just tell you what was issued, not why, not who in any useful sense was issued it, and they take up to 24 hours to do that.

What is the overlap between the set of people who think "pass1234" is a good password and the set of people who have great oversight of their cert issuance and would flag unexpected issuances ? I'd expect it to be approximately empty.

CaliforniaKarl2y ago

> … they just tell you what was issued, not why, not who in any useful sense was issued it …

They give you the certificate, which contains the issuer's CPS. If it's an issuer that you (the domain owner) don't recognize, you have at least a starting point for reaching out.

> … and they take up to 24 hours to do that.

Indeed, the Maximum Merge Delay is 24 hours. But in practice, by monitoring multiple CT logs, it takes just a minute from successful issuance to having the certificate show up in at least one CT log (see https://utcc.utoronto.ca/~cks/space/blog/web/WebProbeSpeedNe...).

rocqua2y ago

I imagine letsencrypt is checking if any certs were issued from the hijacked IP-range during the outage, and is moving to revoke those certs?

ethbr12y ago

Presumably the site owner would be the one monitoring CT. If they see there's a rogue certificate, they can take steps to get it revoked.

j / k navigate · click thread line to collapse

0 comments

bawolff2y ago

Generally yes, but there is a slight mitigating factor that certificate transparency makes it very public who you are attacking.

3np2y ago

> All that though is an edge case that probably doesn't apply 99% of the time.

The same could be said for many necessary security measures.

CaliforniaKarl2y ago

Let's Encrypt has supported RFC 8657 for over a year now: https://community.letsencrypt.org/t/enabling-acme-caa-accoun...

ethbr12y ago

But then you show up on certificate transparency logs pretty quickly, no?

tialaramex2y ago

CaliforniaKarl2y ago

> … they just tell you what was issued, not why, not who in any useful sense was issued it …

They give you the certificate, which contains the issuer's CPS. If it's an issuer that you (the domain owner) don't recognize, you have at least a starting point for reaching out.

> … and they take up to 24 hours to do that.

rocqua2y ago

I imagine letsencrypt is checking if any certs were issued from the hijacked IP-range during the outage, and is moving to revoke those certs?

ethbr12y ago

Presumably the site owner would be the one monitoring CT. If they see there's a rogue certificate, they can take steps to get it revoked.

j / k navigate · click thread line to collapse