basic auth request

Jon Ribbens jon+usenet at unequivocal.eu
Wed Aug 25 15:06:38 EDT 2021


On 2021-08-25, Eli the Bearded <*@eli.users.panix.com> wrote:
> In comp.lang.python, Jon Ribbens  <jon+usenet at unequivocal.eu> wrote:
>> Another attempt at combatting this problem is DNS CAA records,
>> which are a way of politely asking all CAs in the world except the
>> ones you choose "please don't issue a certificate for my domain".
>> By definition someone who had hacked a CA would pay no attention
>> to that request, of course.
>
> Yeah, but it works for the case of forgotten hostnames, a rare but
> real attack. Basically it works like this:
>
> $COMPANY puts out a lot of things on different IP addresses from
> a shared public(ish) pool like AWS and assigns different names
> to them. Later $COMPANY discontinues one or more of those things,
> terminates the host, and lets the IP address rejoin the public(ish)
> pool.
>
> $ATTACKER notices the domain name pointing to an unused IP address
> and works to acquire it for their own server. $ATTACKER then gets
> a cert for that domain, since they can easily prove ownership of
> the server through http content challenges. $ATTACKER now has a
> host in $COMPANY's name to launch phishing attacks.

How does CAA help with this? Unless the domain owner knows in advance
that they're going to forget about the hostname and prepares for it
by setting a CAA record that denies all CAs, the attacker will simply
get a certificate from one of the permitted CAs - since, as you point
out, they genuinely own and control the relevant IP address.
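The exchange above turns on two things a defender can check mechanically: what a CAA policy actually permits once a CA walks the name tree as RFC 8659 describes, and which hostnames still resolve to addresses the organisation no longer holds. The following is an added example written for this thread, not code from either poster. It evaluates CAA records offline against a small constructed zone (the names, records and addresses are made up; `may_issue`, `relevant_caa` and `dangling_hostnames` are names chosen here) and then lists the stale records that a "deny all CAs" policy would have needed to cover in advance.

```python
"""CAA policy evaluation (RFC 8659 semantics) and a stale-hostname check.

Added example: all zone data and addresses below are constructed for
illustration and do not describe any real domain.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed CAA data keyed by owner name.
CAA_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # "issue ;" is the 'deny every CA' form Jon refers to.
    "retired.example.com": [(0, "issue", ";")],
    # Wildcard certs denied, non-wildcard certs restricted to one CA.
    "shop.example.com": [(0, "issuewild", ";"), (0, "issue", "digicert.com")],
}


def _ancestors(name: str) -> List[str]:
    """Return name and each of its parent names, nearest first."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(name: str, zone: Dict[str, List[CAARecord]] = CAA_ZONE
                 ) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 lookup: the closest ancestor (or the name itself) with a
    CAA RRset supplies the policy; if none exists, the policy is empty."""
    for candidate in _ancestors(name):
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def _ca_domain(value: str) -> str:
    # An issue/issuewild value is "<ca-domain>; param=value ..."; "" means no CA.
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, hostname: str,
              zone: Dict[str, List[CAARecord]] = CAA_ZONE) -> bool:
    """Decide whether CA `ca` is permitted to issue for `hostname`."""
    wildcard = hostname.startswith("*.")
    base = hostname[2:] if wildcard else hostname
    _, rrset = relevant_caa(base, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: every CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    allowed = {_ca_domain(v) for _, t, v in rrset if t == tag}
    if not allowed:
        return True  # records exist, but none restrict this kind of issuance
    return ca.lower() in allowed


def dangling_hostnames(dns_inventory: Dict[str, str],
                       owned_ips: set) -> List[str]:
    """Names whose A record points at an address the organisation no longer
    holds: exactly the 'forgotten hostname' case from the thread."""
    return sorted(n for n, ip in dns_inventory.items() if ip not in owned_ips)


# Constructed inventory: what DNS still says vs. what the cloud account holds.
DNS_INVENTORY = {
    "www.example.com": "203.0.113.10",
    "retired.example.com": "203.0.113.77",   # host terminated, record kept
    "shop.example.com": "203.0.113.20",
}
OWNED_IPS = {"203.0.113.10", "203.0.113.20"}


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "api.example.com"),
                     ("letsencrypt.org", "retired.example.com"),
                     ("digicert.com", "*.shop.example.com")]:
        print(f"{ca:18} {host:22} -> {may_issue(ca, host)}")
    print("dangling:", dangling_hostnames(DNS_INVENTORY, OWNED_IPS))
```

`retired.example.com` is the only name here that denies every CA, and only because someone recorded that policy before the host went away; `api.example.com` inherits the parent's `issue letsencrypt.org`, so a certificate from that CA would still be obtainable by whoever holds the address. The inventory check is the control that catches the record itself.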

