Buy from the highest-rated provider   Buy SSL.com Certificate x

Kaminsky DNS Flaw + Domain Validated SSL = Phisher's Paradise

The recent news about a DNS flaw discovered by Dan Kaminsky has been highly publicized and the details of the flaw have even been released. The flaw effectively allows someone to redirect a vulnerable DNS server so that www.paypal.com may actually go the an attacker's IP address instead of PayPal's IP address. This would be complately masked to the user.

How does this affect SSL?

SSL Certificates are normally  issued only to a domain name, not an IP address. If an attacker was able to get an SSL certificate for www.paypal.com, they could set up a phishing site with the SSL Certificate and a customer would see the lock icon and think that they were using PayPal's website. What would stop a phisher from getting an SSL Certificate for another company's domain name? It depends on the type of certificate. 

SSL Certificate Types

Normal SSL certificates go through a validation process that not only verifies that the company that is getting the certificate owns the domain name but also verifies that they are a legally registered entity. An EV SSL Certificate, requires more detailed validation of the company and domain name as well as verification of the certificate requestor's authority.

Then there are domain validation SSL certificates (offered by companies like GoDaddy and GeoTrust/RapidSSL). These certificates go through a much less stringent verification process. Normally they only rely on a response to an email that is sent to the address in the WHOIS record or an administration address at the domain name.

The Problem With Domain Validated SSL Certificates

How can a phisher get a domain validated SSL certificate for www.paypal.com? Just use Kaminsky's DNS flaw to route www.paypal.com to their own mail server, respond to the verification email, and voila. Now use the same DNS flaw to route as many users as possbile to your version of www.paypal.com and start collecting login details. There are certainly difficulties with carrying out this process but the possibility is still there. This problem is avoided with EV SSL Certificates and (for the most-part) normal Organization validation SSL certificates because they also verify the company and the requestor's authority.

What does this mean for the end-user? It means end-users should verify that they are using patched DNS servers (like OpenDNS) and also be sure that they investigate browser error messages. For example, if someone signed their own certificate for www.paypal.com and used the DNS flaw to redirect a user to his phishing site, the user would see an error stating that the SSL certificate is not signed by a trusted authority.

Originally posted on Tue Aug 5, 2008

Comments


Duane(2014-12-13)

The real issue here is the browsers virtually treat all root certs in the browser as if they have identical proceedures and policies, so if one CA is affected by this BIND* issue, then the browser will happily treat their cert just the same as every other CA that isn't effected.

At the end of the day X.509 needs a serious over haul, and Mozilla and others missed the boat big time during the time EV was being drawn up, they need to be able to give end users more control, or at least a lot more info on the CA doing the signing, that way if one CA starts issuing bad certs for whatever reason that CA is effectively ostracised as a result. At present all CAs and by default all certificates are virtually identical to most end users, they don't really care if the bar is green or yellow no matter how much the snake oil sales men keep trying to push the smelly cow poo.

* Unlike people keep spouting this isn't a general DNS problem, well depends what the stats are on BIND and BIND derived v other deployments for resolving name servers I suppose.

maxx(2014-12-13)

The CAB Forum did develop the EV standard, but what is most important is they also developed an industry standard for validation of these certificates. For any CA to issue these certificates, they must be audited on an ongoing basis or they will loose the right to issue the certificates.

This is a good thing for the industry and provides the type of policing that was not happening before.

The difficult part is that the EV Validation process is stringent, and difficult to execute on international organizations or small companies. This will improve over time as the forum is constantly listening to the CA's to try and enhance the specifications to make business easier while ensuring high integrity of issued certificates.

Once a CA figures out how to cost effectively issue EV's, you will see other cert types disappear.

The reason is simple: If you could use a certificate that validates the web sites identity (which means if you were ripped off you have access to legally validated contact information for the site owners) would you even browse to other sites?

If you could protect your site with a certificate that is issued quickly and costs as much as a GoDaddy DV cert, yet provides your customers with the confidence that you are contactable in any circumstance.... would you pass it up?

EV is here to stay, it will get easier to obtain, quicker to issue and remain a strong validation source that will continue to grow in value as vulnerabilities like Kaminskies continue to be found.

Duane(2014-12-13)

But they aren't, you are dealing with multi-jurisdictional areas if not multi-countries so even if you know who you often have little recourse unless you have the resources to sue them in their jurisdiction.

Identity is one thing, but how many people get ripped off year after year after year in person, how exactly will EV save you?

The best advice I can give is use a credit card, you have easy recourse with your financial institution who in turn would have contracts or agreements with similar organisations to return funds if you are ripped off.

Anyone thinking they can get a more effective recourse more easily is living in a pure fantasy world and they probably believe other fairy tales are true too.

Advertisement • Hide