[cabfpub] [EXTERNAL] Brazilian bank DNS heist
Ryan Sleevi
sleevi at google.com
Fri Apr 7 12:50:45 UTC 2017
It was in the follow-up message sent. Because it's same origin, it provides
no technical security value at present.
On Fri, Apr 7, 2017 at 8:49 AM, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
> Hi Ryan, thanks for the feedback.
>
> Can you elaborate on how EV only has value with pinning?
>
> Thanks, Bruce.
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Thursday, April 6, 2017 10:09 PM
> *To:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Cc:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
> *Subject:* Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist
>
> On Thu, Apr 6, 2017 at 7:52 PM, Bruce Morton via Public <public at cabforum.org> wrote:
>
> What if the bank used EV and there was an error if there was no EV
> certificate?
>
> Could this be done by using something like an HSTS header which also
> stated EV-only? When the Subscriber receives a DV certificate, but has
> stored a header for EV-only, then there would be a browser error.
>
> That exists already. It's called pinning. It's the only reason EV has any
> value, and doesn't need any UI.
>
> Sounds like a great argument for a bank to require identity and
> authorization, rather than just domain control.
>
> Bruce.
>
> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *philliph--- via Public
> *Sent:* Thursday, April 6, 2017 1:46 PM
> *To:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Cc:* philliph at comodo.com
> *Subject:* [EXTERNAL][cabfpub] Brazilian bank DNS heist
>
> Several folk have asked me to take a look at this:
>
> http://www.darkreading.com/attacks-breaches/cybercriminals-seized-control-of-brazilian-bank-for-5-hours/d/d-id/1328549?_mc=NL_DR_EDT_DR_weekly_20170406&cid=NL_DR_EDT_DR_weekly_20170406&elqTrackId=ebd6c41927c24e3099907130009f169c&elq=4cc869335a354df394b4e640ef369950&elqaid=77725&elqat=1&elqCampaignId=26175
>
> What happened here was that a hacker took over a bank's DNS settings for 5
> hours and performed an extended phishing attack. They then acquired certs
> for the domain while they had control of it. So accepting that this is one
> incident, albeit one likely very typical of things to come, could CAA have
> helped?
>
> As it stands, the answer is no because CAA is signaled through the DNS and
> so the attackers could control those as well. DNSSEC doesn’t help either,
> nor does CT as presently specified. Pinning does solve this one
> specific problem but only on TOFU terms.
>
> Some observations:
>
> * Any solution is going to have to involve some form of forward acting
> statement ‘do this for the next X hours’.
>
> * We now have two mechanisms that are viable as publication
> infrastructures - DNS and CT.
>
> * The problems with pinning are real: very few companies can risk shutting
> themselves down for an extended period if they goof. The problem with
> pinning is that the time period really does need to be fairly long if it is
> to be any use. I do not visit my bank every day. I probably don’t visit for
> a month at times.
>
> * A weaker criterion such as ‘must get an EV cert’ or a much shorter time
> period than is needed for pinning (24 hours) is much more likely to be
> acceptable.
>
> Ideas?
>
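The pinning trade-off described above (a forward-acting statement learned on first use, protective only while its period outlasts the gap between visits), as an added example that is not part of the thread or of any browser's implementation; host names, SPKI hashes and days are constructed:

```python
# Added toy model of HPKP-style TOFU pinning (not code from the list or any
# browser); hosts, SPKI hashes and days below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

DAY = 86_400  # seconds

@dataclass
class Pin:
    spki_hashes: FrozenSet[str]  # keys the site committed to on first use
    expires_at: int              # when the forward-acting statement lapses

def connect(store: Dict[str, Pin], host: str, chain: FrozenSet[str], now: int,
            header: Optional[Tuple[FrozenSet[str], int]] = None) -> bool:
    """Return True if the browser accepts a CA-validated chain for host.
    chain holds the SPKI hashes presented; header is (pins, max_age) if sent."""
    pin = store.get(host)
    if pin is not None and now >= pin.expires_at:
        store.pop(host)  # pin lapsed: the browser is back on TOFU terms
        pin = None
    if pin is not None and not (chain & pin.spki_hashes):
        return False     # hard fail: the cert is valid but uses an unpinned key
    if header is not None:
        hashes, max_age = header
        if chain & hashes:  # a chain may only set pins it is itself consistent with
            store[host] = Pin(frozenset(hashes), now + max_age)
    return True

# The bank's real key plus a backup, and a DV cert a CA issued to whoever
# controlled the bank's DNS during the hijack (all constructed).
BANK_PINS = frozenset({"sha256/bank-key-A", "sha256/bank-backup-B"})
BANK_CHAIN = frozenset({"sha256/bank-key-A", "sha256/bank-intermediate"})
HIJACK_CHAIN = frozenset({"sha256/attacker-dv-leaf", "sha256/dv-ca-intermediate"})

def hijack_accepted(max_age_days: int, last_visit_day: Optional[int],
                    hijack_day: int) -> bool:
    """Does the browser accept the attacker's DV cert on hijack_day, given a
    pin of max_age_days learned on last_visit_day (None = never visited)?"""
    store: Dict[str, Pin] = {}
    if last_visit_day is not None:
        connect(store, "bank.example", BANK_CHAIN, last_visit_day * DAY,
                header=(BANK_PINS, max_age_days * DAY))
    return connect(store, "bank.example", HIJACK_CHAIN, hijack_day * DAY)

if __name__ == "__main__":
    print(hijack_accepted(30, 0, 5))     # False: pin still fresh, hijack blocked
    print(hijack_accepted(30, 0, 45))    # True: last visit older than max-age
    print(hijack_accepted(1, 0, 5))      # True: a 24h pin lapses between visits
    print(hijack_accepted(30, None, 5))  # True: first contact during the hijack
```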