There's a couple things about modern DNS that just doesn't make sense. There's probably a good explanation buried somewhere in a mailing list or three.
The other one that still astounds me is that DV certificates rely entirely on DNS control for validation prior to issuance, and browsers trust that system, but there still exists no way for me to cut out the middle man and put my own domain-specific CA Cert in DNS directly.
CA can expect that its connection to your DNS server is reliable and not tampered. So their check is reliable. User can't expect that his DNS is reliable. So HTTPS must work with those conditions: when user's DNS server might be controlled by bad actor. DNS security is supposed to solve that, but it's not widely used AFAIK.
CAs should be able to afford to make the requests from multiple sources and compare the results.
Alternatively they can use secondary challenge-response auth which depends on some credentials being deployed to your server. Mitm-ing it wouldn't give the attacker anything interesting in that case.
CAs bet the farm on the idea that doing two separate DNS queries instead of one will keep them safe. This is a ridiculous assumption. Sophisticated attackers can often successfully attack multiple targets at once.
They can use a secondary challenge, but this being optional completely defeats the purpose. A MITM attack will allow an attacker to pretend to be the target during creation of a new cert, tricking a random CA into giving them a valid cert. You do not need to use the CA that the site owners use, so their use of an extra challenge is irrelevant.
Lots of assumptions which are ridiculous in theory are pretty good in practice. Having to MITM multiple servers just to get a cert (which will most likely be detected on the CT logs) is orders of magnitudes harder than just clicking a button on Firesheep or adding a few lines of code to a router malware.
Credit cards literally rely on every single merchant not leaking their info, yet as flawed as that is, there's no great pressure to replace them.
Credit cards have manual charge back as a fallback with human driven process. The equivalent fallback for certificates does not exist. You can only revoke.
They're not just doing two queries. Anybody on HN with a strong opinion about DNS and CAs and a bare minimum of programming ability could rig up a fairly sophisticated DNS validation service in under a week. Just think about how you would do it, given a pretty reasonable budget.
I'm not thinking about a sophisticated service. I'm thinking about the weakest link in the chain that I could possibly exploit to generate fake certs. Pick the least secure CA with the least secure validation method and you now have valid fake certs.
Even if DNS by itself was secure enough to validate, this is a single factor and there are many ways to exploit a single factor. Why a secondary mechanism/factor isn't required for critical infrastructure makes no sense.
I didn't say they do that. Just that it's one of the ways to avoid a single, targeted mitm. There are many other approaches and cab baseline requirements (3.2.2.4.) are not very specific on what's specifically expected.
To test this, I just now acquired a Let's Encrypt cert using `certbot certonly` while tailing the logs. I received only a single request, from 64.78.149.164. The cert was issued. They did not appear to take a second measurement.
HTTP challenges do not offer meaningfully increased resistance to MitM over DNS challenges, and require measurements from multiple vantage points just as much as DNS challenges do.
No, but it is a good example that CAs don't require DNS changes to assign a cert. One just needs to MITM an HTTP connection for a single request. (Or, depending on the CA, control one of the following email addresses: "admin@example.com, administrator@example.com, postmaster@example.com, webmaster@example.com, hostmaster@example.com")
Local network tampering (ARP etc) at registrar end, routing attacks such as BGP hijack, below-IP attacks in transit (eg MPLS hijack, malicious transit router, QUANTUM INSERT, other fiber tap approaches, ...) DNS implementation bugs in UDP spoofing countermeasures, local network tampering at domain holder end, social engineering or extortion against transit or stakeholder sysadmins, etc. It's a long list of possibilities.
> CA can expect that its connection to your DNS server is reliable and not tampered
Why? It goes over infrastructure that you nor they control.
It might be worth illustrating what happens here, as it's not immediately clear from common DNS settings or common commands. First, the client asks their local DNS server, the one you get via DHCP or configure (for example 8.8.8.8 which is by definition already outside your network, but for argument's sake let's assume that they're smarter than that and they pick one inside their own network). Let's say this one doesn't have it in cache, so then it has to go out and ask the TLD (let's assume it has the TLD cached).
The TLD, for example `.com`, will say "the name servers for your.example.com can be found at ns.your.example.com" and it gives the IP addresses for those. Now the local resolver at the CA has to go and ask there for your domain. In this final step, if nowhere else, it will have to leave any sort of trusted network and venture into whatever place the user's servers are at. This could be anywhere in the world, with all sorts of intermediate networks.
> Why? It goes over infrastructure that you nor they control.
They're able to use many secret locations to perform the query.
There is a theory that it is very unlikely an attacker can detect and get leverage over every network between every one of those secret locations for an indeterminate amount of time, without being discovered.
What you describe is a possible technique that CAs could use, so let's stipulate that some CA does this. We certainly can't conclude that all or even many CAs do this.
One very simple reason is that they tell their service provider that "No" they don't want the brilliant new anti-whatever service it's offering by tampering with DNS queries.
Alas "No" isn't an option for that public WiFi access point you're using, or most mobile service, or your mom's Internet, the average corporate workplace, and so on. So even though this is hardly foolproof it makes a huge difference.
Attacking server infrastructure is order of magnitude harder than attacking user. Those who can do this attack, can just ask their CEO to issue them a certificate via subpoena.
Yet both the user and DV certificate issuers rely on the same DNS that you consider unreliable. So you seem to dismiss DV certificates altogether but your comment seems to imply that you only want to dismiss certificates as DNS records. There's something very inconsistent about your comment.
That inconsistency is that users are generally on much less trustworthy networks and DNS right now is rarely authenticated (DNSSEC is not wide spread and even then most clients don’t authenticate it)
While not perfect it’s generally quite true for the majority case.
Actually, a large number of hosts are behind a DNSSEC validating resolver. And that's because the use of Google's public resolvers is extremely wide spread.
I don't know if they document it somewhere, but it is essentially trivial for letsencrypt to use a DNSSEC validating resolver.
So that means that if you care about DV security, you enable DNSSEC.
DNSSEC doesn't protect the connection between a browser and Google's DNS server. Attackers can simply edit the responses generated by Google's DNS. Moreover, virtually nobody signs their domains with DNSSEC (why would they? It's all downside.) So CA's can't require DNSSEC, or depend on it being there. You can enable it, but it's pointless, because the attack against DV that DNSSEC is meant to prevent can be launched whether or not you enable it. DNSSEC has essentially no practical impact on DV.
Although CAs don't (not can't, neither the CAB rules nor any major trust store programme requires you allow names without) require DNSSEC they absolutely can insist on figuring out whether a name is protected by DNSSEC and enforce that if so, since the root is signed and DNSSEC has a closed world assumption (we can get a definitive signed answer which says "No" this domain isn't signed).
It's interesting, even though the $0 price isn't intended to be the main draw a large number of domains with broken DNS fixed it to get Let's Encrypt working rather than pay a CA that doesn't care...
But checking CAA with DNSSEC is mandatory (this caused much feather spitting)
So if you have DNSSEC you can deny all the CAs you don't trust. If a bad guy leaves the CAA record alone they can't get a cert. If they try to replace the CAA record or deny it exists they fail DNSSEC checks.
If your chosen CA agrees to only use a method that's actually secured you get an actual bona fide panacea, for the very affordable price of deploying DNSSEC and CAA, automating cert issuance and getting your DNS config right.
There's so much brokenness here that it's hard to know where to start rebutting this. I took an hour to game through this with some people who actually work on CA initial identity verification security; here's where I land:
* First, most CAs don't do DNSSEC today, or, if they do, do DNSSEC fail-open.
* Second, CA's can already do multi-perspective DNS lookup, which means that a practical attack to defeat CAA over standard DNS requires an on-path attacker. But if the attacker is on-path, most of the mechanisms CAs use to validate a domain fail, even if you use DNSSEC.
* Finally, there's already a replacement for all this stuff in progress: RDAP, a secure JSON API that allows data to be pulled directly from registrars. Every mainstream browser and every CA/B forum CA voted to add it to the BRs; it's going to be implemented. If you really believe that something like CAA is the future for DV certs, then it seems pretty obvious that RDAP is going to be the way that happens.
Whilst it's nice that RDAP is being worked on what you've got there is very much jam tomorrow. It takes a powerful imagination to see the CA/B vote to allow RDAP (when it becomes available, which may be never for many TLDs) and interpret it as a death blow to DNSSEC, but I admit you do have such an imagination.
Your first point argues from an alleged fact, not in evidence, that "most CAs" don't obey the Baseline Requirements in respect to their requirement to use DNSSEC to avoid an on-path attacker replacing or removing CAA records. Do you have such evidence? As I said, this requirement caused CAs to spit feathers, but that's also true of e.g. record keeping requirements and CAA checking itself. One of the unexpected side benefits of Let's Encrypt at scale is that arguments go like this:
Big CA: This requirement is crazy, we issue a vast number of Web PKI certs, and the requirement would cause us to do X for most of those certs, that's just not technically feasible, the requirement must be removed.
Let's Encrypt: We do X for every single cert we issue. Big CA the logs show you issuing only 4% as many certs as us, are there hundreds of times more than you don't log?
Big CA: Um, er, oh, we just realised our single-threaded PHP program might be a bottleneck, we're investigating upgrading to PHP4 to work around that.
But then your second point argues the reverse, that CAs "can" do multi-perspective, and so even though they mostly don't we should pretend they all do. Then it jumps from this backwards argument to claiming all of the Ten (well, nine now) Blessed Methods are vulnerable to an on-path attacker "even if you use DNSSEC", when in fact several are not.
Try it, write down the Ten Blessed Methods as they stand today (yes there are currently nine), then mark whether an on-path attacker succeeds against this method when DNSSEC is in place
3.2.2.4.3, 3.2.2.4.7 and 3.2.2.4.12 are unaffected by an on-path attacker. 3.2.2.4.3 is out-of-band, which I'm sure won't bother a nation state adversary like the NSA, but is otherwise pretty good, 3.2.2.4.7 is in DNS itself, and so protected by DNSSEC, and 3.2.2.4.12 is a simple database lookup, just one that's only possible if your CA is also your registry/ registrar.
I consider unreliable routers that deliver response from DNS to user, especially the last router. If that last router is controlled by attacker, he still can't break HTTPS.
I think he makes a fair point. Browser vendors may be trusting CAs to do more due diligence on their DNS lookups than they might expect browser users to even be able to provide.
I still think there's a better way, though. Surely it must be possible to do some consensus through WebRTC and end up with something that lets me run my own domain-specific CA, at least for DV certs.
Most of the things that are "curious" about DNS I think comes from its lack of a version.
DNS has no version, so it has no obvious way to extend itself by allowing for graceful upgrades. So you can't just change behavior and have clients support a particular version. Everything has to be backwards compatible with something written in 1984.
The only serious attempt at extending DNS died because the specs and DNS admins allowed the extension mechanism to be optional. Now, most networks break the extension, and the DNS just limps along because nobody is willing to implement a sane upgrade path.
And the middlebox brokenness is due to a lack of versioning. Virtually all middlebox brokenness is a result of a lack of versioning and poor upgrade paths - usually from people demanding backwards compatibility above all else.
I view it as more of a consequence of "fail closed" thinking than a lack of versioning. As we've seen recently with TLS [1], even protocols with explicit versioning suffer from middlebox brittleness.
> put my own domain-specific CA Cert in DNS directly.
Remember that this allows any of your government or people controlling the zone to transparently put the cert there too. (For potential problems see [0]).
With the CA system (that I personally also don't like) at least the certs are logged in Certificate Transparency logs so you see any potential attacks.
AFAICT, anyone who controls .com can add or replace a cert for ycombinator.com, but only visibly. If they do it, they show the change to the entire world at once, because .com is signed with dnssec. Right?
Your parent mentioned Certificate Transparency. Under CT all the public CAs log certificates they issue, and everybody can see the logs, programmatically (with cryptographic security) or via a log monitor like crt.sh
So yes, bad guys operating a TLD can trick a CA into issuing for a domain under theirs, but the CT logs would preserve evidence of this cert existing, and the CA is required to keep records of why it was confident to issue. Monitors would know about the cert in 24 hours (usually much less)
The idea behind the attack they're talking about is that the USG has de jure control over .COM's DNSSEC keys, and so they can in fact edit .COM transparently.
DNS is actually the least sketchy component in the DV story.
Until about a year ago the situation was that each CA could do anything they (without even peer review) thought seemed good.
Then we got the Ten Blessed Methods, a specific list of ways to verify that your subscriber really controls the names they want a cert for.
Most of the Blessed Methods involve DNS, but not all of them, some are relying on paper documents, some use WHOIS and out of band communications (e.g. Fax!). And of those which use DNS, many involve even less secure elements, email, plaintext HTTP, that sort of thing.
So there's still work to do, but we're headed in the right direction.
The other one that still astounds me is that DV certificates rely entirely on DNS control for validation prior to issuance, and browsers trust that system, but there still exists no way for me to cut out the middle man and put my own domain-specific CA Cert in DNS directly.