[cabfpub] [EXTERNAL] Brazilian bank DNS heist

Bruce Morton Bruce.Morton at entrustdatacard.com
Fri Apr 7 13:27:32 UTC 2017

Sorry I missed that, but isn’t pinning high risk? I don’t think that any CA would recommend pinning as it is unsupportable; we can’t do anything when it fails. I think Subscribers should review pinning before deploying, https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead.

I think the value of EV is that those certificates are not issued to attackers. So it would be great if a Subscriber could state that their site only uses EV and that the browser respected that statement.

I also think that this statement might be better to be put in the HSTS header. HSTS is low risk, EV is highly available and stating EV-only would be applicable to most CAs. This allows the Subscriber to move from one CA to another without bricking their site by pinning to a root or intermediate.

Anyway, to answer Phil’s question about ideas, this is mine.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, April 7, 2017 8:51 AM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist

It was in the follow-up message sent. Because it's same origin, it provides no technical security value at present.

On Fri, Apr 7, 2017 at 8:49 AM, Bruce Morton <Bruce.Morton at entrustdatacard.com<mailto:Bruce.Morton at entrustdatacard.com>> wrote:
Hi Ryan, thanks for the feedback.

Can you elaborate on how EV only has value with pinning?

Thanks, Bruce.

From: Ryan Sleevi [mailto:sleevi at google.com<mailto:sleevi at google.com>]
Sent: Thursday, April 6, 2017 10:09 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com<mailto:Bruce.Morton at entrustdatacard.com>>
Subject: Re: [cabfpub] [EXTERNAL] Brazilian bank DNS heist

On Thu, Apr 6, 2017 at 7:52 PM, Bruce Morton via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
What if the bank used EV and there was an error if there was no EV certificate?
Could this be done by using something like an HSTS header which also stated EV-only? When the Subscriber receives a DV certificate, but has stored a header for EV-only, then there would be a browser error.

That exists already. It's called pinning. It's the only reason EV has any value, and doesn't need any UI.
Sounds like a great argument for a bank to require identity and authorization, rather than just domain control.
From: Public [mailto:public-bounces at cabforum.org<mailto:public-bounces at cabforum.org>] On Behalf Of philliph--- via Public
Sent: Thursday, April 6, 2017 1:46 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Cc: philliph at comodo.com<mailto:philliph at comodo.com>
Subject: [EXTERNAL][cabfpub] Brazilian bank DNS heist
Several folk have asked me to take a look at this:
What happened here was that a hacker took over a banks DNS settings for 5 hours and performed an extended phishing attack. They then acquired certs for the domain while they had control of it. So accepting that this is one incident, albeit one likely very typical of things to come, could CAA have helped?
As it stands, the answer is no because CAA is signaled through the DNS and so the attackers could control those as well. DNSSEC doesn’t help either and nor does CT as presently specified. Pinning does solve this one specific problem but only on TOFU terms.
Some observations:
* Any solution is going to have to involve some form of forward acting statement ‘do this for the next X hours’.
* We now have two mechanisms that are viable as publication infrastructures - DNS and CT.
* The problems with pinning are real, very few companies can risk shutting themselves down for an extended period if they goof. The problem with pinning is that the time period really does need to be fairly long if it is to be any use. I do not visit my bank every day. I probably don’t visit for a month at times.
* A weaker criteria such as ‘must get an EV cert’ or a much shorter time period than is needed for pinning (24 hours) is much more likely to be acceptable

Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170407/fe20c728/attachment-0003.html>

More information about the Public mailing list