[cabfpub] [EXTERNAL] Brazilian bank DNS heist

Ryan Sleevi sleevi at google.com
Thu Apr 6 19:09:12 MST 2017


On Thu, Apr 6, 2017 at 7:52 PM, Bruce Morton via Public <public at cabforum.org> wrote:

> What if the bank used EV and there was an error if there was no EV
> certificate?
>
> Could this be done by using something like an HSTS header which also
> stated EV-only? When the Subscriber receives a DV certificate, but has
> stored a header for EV-only, then there would be a browser error.
>

That exists already. It's called pinning. It's the only reason EV has any
value, and doesn't need any UI.


> Sounds like a great argument for a bank to require identity and
> authorization, rather than just domain control.
>
> Bruce.
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *philliph---
> via Public
> *Sent:* Thursday, April 6, 2017 1:46 PM
> *To:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Cc:* philliph at comodo.com
> *Subject:* [EXTERNAL][cabfpub] Brazilian bank DNS heist
>
> Several folk have asked me to take a look at this:
>
> http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549?_mc=NL_DR_EDT_DR_weekly_20170406&cid=NL_DR_EDT_DR_weekly_20170406&elqTrackId=ebd6c41927c24e3099907130009f169c&elq=4cc869335a354df394b4e640ef369950&elqaid=77725&elqat=1&elqCampaignId=26175
>
> What happened here was that a hacker took over a bank's DNS settings for 5
> hours and performed an extended phishing attack. They then acquired certs
> for the domain while they had control of it. So accepting that this is one
> incident, albeit one likely very typical of things to come, could CAA have
> helped?
>
> As it stands, the answer is no because CAA is signaled through the DNS and
> so the attackers could control those as well. DNSSEC doesn’t help either
> and nor does CT as presently specified. Pinning does solve this one
> specific problem but only on TOFU terms.
>
> Some observations:
>
> * Any solution is going to have to involve some form of forward acting
> statement ‘do this for the next X hours’.
>
> * We now have two mechanisms that are viable as publication
> infrastructures - DNS and CT.
>
> * The problems with pinning are real, very few companies can risk shutting
> themselves down for an extended period if they goof. The problem with
> pinning is that the time period really does need to be fairly long if it is
> to be any use. I do not visit my bank every day. I probably don’t visit for
> a month at times.
>
> * A weaker criterion such as ‘must get an EV cert’ or a much shorter time
> period than is needed for pinning (24 hours) is much more likely to be
> acceptable.
>
> Ideas?
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
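The exchange above turns on three properties of pinning: it only helps on trust-on-first-use terms, the pin lifetime has to be long because users may not visit for a month, and a site that rotates to an unpinned key locks itself out. The following Python simulation of an RFC 7469 (HTTP Public Key Pinning) style client plays each of those cases through a minimal pin store. It is an added example written for this page, not code from the list, from any browser, or from any bank; the host name `bank.example`, the `Public-Key-Pins` header it builds, and the SPKI byte strings are constructed stand-ins rather than real keys or certificates.

```python
"""HPKP-style pinning simulation (RFC 7469 semantics): TOFU, pin lifetime,
and self-inflicted lockout. Added example; SPKI blobs and host name are
constructed stand-ins, not material from any real CA, browser or bank."""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

HOUR = 3600
DAY = 24 * HOUR


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> Optional[Tuple[Set[str], int]]:
    """Parse a Public-Key-Pins header value into (pins, max_age).
    Returns None when unusable: RFC 7469 requires max-age and at least
    two pins, one of them a backup that is not in the current chain."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value))
    match = re.search(r"max-age=(\d+)", value)
    if match is None or len(pins) < 2:
        return None
    return pins, int(match.group(1))


class PinningClient:
    """Minimal client-side pin store: host -> (accepted pins, expiry time)."""

    def __init__(self) -> None:
        self.store: Dict[str, Tuple[Set[str], int]] = {}

    def connect(self, host: str, chain_spkis: List[bytes], now: int,
                pkp_header: Optional[str] = None) -> str:
        """Check a chain (given as its SPKI DER blobs) against stored pins.
        Returns "ok" or "pin-failure". Pins are only ever learned from a
        connection that was itself accepted, which is the TOFU property."""
        chain_pins = {spki_pin(spki) for spki in chain_spkis}
        entry = self.store.get(host)
        if entry is not None:
            known_pins, expiry = entry
            if now >= expiry:
                # Pin lapsed: the client is back to trusting whatever it sees.
                del self.store[host]
            elif not (known_pins & chain_pins):
                return "pin-failure"
        # No usable pin, or the chain matched one: accept, then record any
        # pins the server sends, but only if the header matches this chain.
        if pkp_header is not None:
            parsed = parse_pkp_header(pkp_header)
            if parsed is not None:
                pins, max_age = parsed
                if pins & chain_pins:
                    self.store[host] = (pins, now + max_age)
        return "ok"


# Constructed stand-ins for SubjectPublicKeyInfo DER (not real keys).
BANK_SPKI = b"constructed SPKI: bank's current key"
BANK_BACKUP_SPKI = b"constructed SPKI: bank's offline backup key"
ATTACKER_SPKI = b"constructed SPKI: key behind the cert issued during the hijack"
BANK_HEADER = (f'pin-sha256="{spki_pin(BANK_SPKI)}"; '
               f'pin-sha256="{spki_pin(BANK_BACKUP_SPKI)}"; max-age={60 * DAY}')


def run_scenarios(host: str = "bank.example") -> Dict[str, str]:
    """Play the thread's cases through the client and collect the outcomes."""
    out: Dict[str, str] = {}
    # 1. First ever visit falls inside the five-hour DNS hijack: nothing to
    #    compare against, so the attacker's chain is accepted (TOFU gap).
    newcomer = PinningClient()
    out["first_visit_during_hijack"] = newcomer.connect(
        host, [ATTACKER_SPKI], now=2 * HOUR)
    # 2. A returning user pinned the bank on day 0 and is protected when the
    #    hijack happens a few days later.
    regular = PinningClient()
    regular.connect(host, [BANK_SPKI], now=0, pkp_header=BANK_HEADER)
    out["returning_user_during_hijack"] = regular.connect(
        host, [ATTACKER_SPKI], now=3 * DAY + 2 * HOUR)
    # 3. Same user has not visited for two months: the 60-day pin lapsed,
    #    so a hijack on day 61 is not caught.
    out["returning_user_after_pin_expiry"] = regular.connect(
        host, [ATTACKER_SPKI], now=61 * DAY)
    # 4. The self-inflicted outage: the bank rotates to a key it never pinned,
    #    then recovers by rotating to the pre-announced backup key.
    careful = PinningClient()
    careful.connect(host, [BANK_SPKI], now=0, pkp_header=BANK_HEADER)
    out["bank_rotates_to_unpinned_key"] = careful.connect(
        host, [b"constructed SPKI: new key nobody pinned"], now=DAY)
    out["bank_rotates_to_backup_key"] = careful.connect(
        host, [BANK_BACKUP_SPKI], now=DAY)
    return out


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case:34s} {result}")
```

Running the script prints one line per case; the outcomes are what the thread describes: the first-time visitor during the hijack gets "ok", the returning user inside the pin lifetime gets "pin-failure", the same user after the 60-day pin lapses gets "ok" again, and the bank's own rotation to an unpinned key gets "pin-failure" until it falls back to the backup key. The 60-day max-age is the value the example chooses to make the expiry case concrete; real deployments pick their own trade-off between coverage of infrequent visitors and the length of a self-inflicted outage.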