
Were you able to forge HTTPS certificates?


You wouldn't really need to "forge" SSL certificates. Since you have control of the domain's DNS, you can just request a long-term certificate and use DNS/HTTP as a validation method. Many/most CAs support this already.


To be clear though, you only have control of the domain's DNS in the specific case that:

- The original owner made that specific service the authoritative server for the domain with their registrar

- They then either never added the domain to the service, or added it and later removed it... or killed the entire account.

As I mentioned, this is certainly an issue. But, the domain is basically abandoned. It's very similar to letting it expire. Something that should be fixed, for sure, but not a way to take over an actually functioning website.


Of course. I'm a bit confused about this emphasis... Does the post make it seem as though you can take over an active site? The point of this attack is merely to take control of many domain names and doesn't make any point about taking over live websites (at least, this was not my intention). You are taking over control of the DNS of these domains; just because they are not actively hosting something doesn't make this less true.

The idea would be that a user has simply deleted/released the zone for a specific domain under their account. This could have happened because they plan on moving it later or because a lack of payment/service termination has occurred. This allows an attacker to obtain thousands of fresh domains easily with very little effort and likely no payment at all, which can be used in malware campaigns/etc. Some common things I saw were indeed older unused domains, domain portfolios of domain resellers/squatters, and even domains in restricted TLD spaces such as .gov, .edu, etc. These would certainly have value despite no longer being used.

Let me know if I've been unclear or am missing something here.


The author specified that his source for finding the domains in the first place was the .com and .net zone files. This means that the domains were actively pointing to Google/DO/Rackspace's nameservers.

The author would therefore have complete control over the orphaned domains after the takeover.


The reason for the emphasis is that the article isn't clear on two points.

- By definition, his method of finding domains only finds domains that aren't in active use (the name servers in the NS records return fail/refused).

- It uses the terminology "taking over", and you're saying "complete control". However, if the real owner of the domain wanted control back, they would simply log into their registrar and change the NS records... very low effort.
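The two comments above describe the same condition from opposite sides: the registrar-side NS records still name a provider's servers, but that provider no longer hosts the zone, so its servers answer REFUSED (or SERVFAIL/NXDOMAIN) for the zone's SOA. The following script is an added example, not code from the thread or from any of the providers mentioned; it lets a domain owner audit their own delegations for that "dangling" state using only the Python standard library. The `nameservers_for` callback, the `SAMPLE_REPLIES` table and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for the demo and are assumptions, not real data.

```python
"""Audit a list of domains for dangling NS delegations (added example).

A delegation is "dangling" when the registrar-side NS records point at a
DNS provider's servers but that provider no longer hosts the zone, so its
servers answer REFUSED/SERVFAIL/NXDOMAIN for the zone's SOA record.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_SOA = 6
CLASS_IN = 1


def build_soa_query(name, txid):
    """Build a minimal DNS query packet asking for the SOA of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def parse_response(packet, expected_txid):
    """Extract rcode, answer count and the AA bit from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": an, "aa": bool(flags & 0x0400)}


def query_soa(name, nameserver_ip, timeout=3.0):
    """Send the SOA query over UDP to one delegated nameserver and parse the reply."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(name, txid), (nameserver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def classify(result):
    """Turn one nameserver's reply into a delegation health label."""
    if result["rcode"] == "NOERROR" and result["answers"] > 0 and result["aa"]:
        return "hosted"  # the server answers authoritatively for the zone
    if result["rcode"] in ("REFUSED", "SERVFAIL", "NXDOMAIN"):
        return "dangling"  # the provider's server does not know this zone
    return "unknown"


def audit(domains, nameservers_for, query_fn=query_soa):
    """Return {domain: (verdict, {nameserver: status})} across all delegated servers."""
    report = {}
    for domain in domains:
        statuses = {}
        for ns_ip in nameservers_for(domain):
            try:
                statuses[ns_ip] = classify(query_fn(domain, ns_ip))
            except (OSError, ValueError):
                statuses[ns_ip] = "unreachable"
        labels = set(statuses.values())
        if "hosted" in labels and "dangling" in labels:
            verdict = "mixed"  # only some delegated servers still serve the zone
        elif "hosted" in labels:
            verdict = "hosted"
        elif "dangling" in labels:
            verdict = "dangling"
        else:
            verdict = "inconclusive"
        report[domain] = (verdict, statuses)
    return report


# Constructed sample replies standing in for live answers (not real data).
SAMPLE_REPLIES = {
    ("example-live.test", "192.0.2.1"): {"rcode": "NOERROR", "answers": 1, "aa": True},
    ("example-live.test", "192.0.2.2"): {"rcode": "NOERROR", "answers": 1, "aa": True},
    ("example-orphan.test", "192.0.2.1"): {"rcode": "REFUSED", "answers": 0, "aa": False},
    ("example-orphan.test", "192.0.2.2"): {"rcode": "REFUSED", "answers": 0, "aa": False},
    ("example-mixed.test", "192.0.2.1"): {"rcode": "NOERROR", "answers": 1, "aa": True},
    ("example-mixed.test", "192.0.2.2"): {"rcode": "SERVFAIL", "answers": 0, "aa": False},
}


def sample_query(domain, ns_ip):
    """Stub for query_soa that serves the constructed replies above."""
    return SAMPLE_REPLIES[(domain, ns_ip)]


def sample_nameservers(domain):
    """Hypothetical registrar-side NS data: every sample domain delegates to two servers."""
    return ["192.0.2.1", "192.0.2.2"]


def demo():
    """Run the audit against the constructed data; no network traffic is sent."""
    return audit(list({d for d, _ in SAMPLE_REPLIES}), sample_nameservers, sample_query)


if __name__ == "__main__":
    for domain, (verdict, statuses) in sorted(demo().items()):
        print(f"{domain}: {verdict} {statuses}")
```

For a real run, replace `sample_nameservers` with a lookup of the NS set your registrar publishes for each domain (resolve each NS hostname to an address first) and pass the default `query_soa`. A `dangling` or `mixed` verdict means the delegation should be repointed or the zone re-created at the provider before anyone else can claim it there.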


As a first thought, it should be possible to:

a) With control of a domain's name servers you can set up working mail handling for a domain.

b) At least some HTTPS cert providers allow verification of domain ownership using email, e.g. clicking on a link in a mail they send to (say) postmaster@targetdomain.com.

With those two in place, you can generate HTTPS certs for the domain. I'm not yet familiar with LetsEncrypt, but if they allow domain verification through email then this would even be a cost-free exercise.


LetsEncrypt only supports their certbot client, so no email support.

