Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

Christian Saunders <Christian.Saunders@sjrb.ca> Fri, 22 February 2019 16:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/IVXdjRITEP725U8jT1bBNK2jHCs>

On 2019-02-22 9:41 a.m., Michael Richardson wrote:
> Michael Richardson quoted:
>      > From https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
> 
>      > "The two people who did get popped, both were traveling and were on their
>      > iPhones, and they had to traverse through captive portals during the hijack
>      > period," Woodcock said. "They had to switch off our name servers to use the
>      > captive portal, and during that time the mail clients on their phones checked
>      > for new email. Aside from that, DNSSEC saved us from being really, thoroughly
>      > owned."
> 
> Christian Saunders <Christian.Saunders@sjrb.ca> wrote:
>      > The active element here seems to be the forced use of insecure DNS
>      > servers.
> 
> I disagree.  It's due to forced use of the captive portal's DNS.
> A device will in general have no trust relationship with a captive portal.
> It has no reason to trust the captive portal to do DNS correctly
> (and no way to get privacy for the requests either).
> 
>      > The fact that the insecure DNS configuration was forced in order to navigate
>      > a Captive Portal is incidental, though unfortunate.
> 
> So to me, all captive portal DNS systems are by definition insecure.
> If one needs to do a DNS lookup in order to get traffic and get a
> redirection, then the portal is insecure.  And that's why we need an API that
> involves more than just capture port-80 and redirect.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

Point taken - and I agree with your reasons as well as your solution.

My meaning was only to suggest that there are other reasons/cases where 
a network or application may force a particular set of DNS servers and 
that users in those cases may be exposed to the same attack.

Christian Saunders
Sr. Software Architect, Wireless Core
Shaw Communications Inc.
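The client-side gate that Woodcock's account and Richardson's reply point at (an application only acts on a DNS answer that came from a resolver the device trusts and that the resolver marked as DNSSEC-validated; the portal's resolver is never trusted, whatever bits it sets), written as an added example that is not from this thread or from any project. The resolver and host addresses are constructed RFC 5737 documentation values, and the parser only handles the minimal response layout the block itself builds.

```python
import struct

# Assumed: the organisation's own validating resolver (constructed RFC 5737 address).
TRUSTED_RESOLVERS = {"192.0.2.53"}


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_response(ident, qname, ip, ad):
    """Constructed minimal DNS response: header + question + one A record.
    The answer owner name is a compression pointer (0xC00C) to the question name."""
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (ad << 5)      # QR | RD | RA | AD, RCODE=0
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 0)   # 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_a_response(msg):
    """Extract the header flags and the A record from a response in the layout above."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos = 12
    while msg[pos] != 0:                  # walk the question name labels
        pos += msg[pos] + 1
    pos += 1 + 4                          # root label + QTYPE + QCLASS
    pos += 2                              # compression pointer in the answer
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    ip = ".".join(str(b) for b in msg[pos:pos + rdlen]) if rtype == 1 else None
    return {"qr": flags >> 15 & 1, "ad": flags >> 5 & 1, "rcode": flags & 0xF, "ip": ip}


def answer_is_validated(resolver_ip, msg):
    """True only if the answer came from a trusted resolver AND that resolver set AD.
    An AD bit from an unknown resolver (a captive portal's, for instance) is just a bit
    set by a party the device has no trust relationship with, so it counts for nothing."""
    r = parse_a_response(msg)
    return resolver_ip in TRUSTED_RESOLVERS and r["qr"] == 1 and r["rcode"] == 0 and r["ad"] == 1


def classify_lookups(events):
    """Replay (resolver_ip, response) pairs, as a mail client would see them across a
    captive-portal window, and label each one 'validated' or 'unverified'."""
    return [("validated" if answer_is_validated(res, msg) else "unverified") for res, msg in events]
```

A mail client following this policy would defer the IMAP connection for any lookup labelled 'unverified', which covers exactly the window in which the phones in the story were resolving through the portal.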