Re: [dane] domain hijacking

Alice Wonder <alice@domblogger.net> Wed, 12 April 2017 19:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/f5UCCoIcv9bAcHBdGikgklrqfS8>

On 04/12/2017 11:50 AM, Wei Chuang wrote:
> Hi dane folks,
>
> There recently was an article in Wired about how a banking site was
> domain hijacked:
> https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
> via a DNS registry account hijacking.  I was wondering if DNSSEC can
> protect against such hijackings (and thereby protect DANE records).  My
> suspicion is no, DNSSEC can't protect against an attack at the registry
> level since a hijacker could publish a new set of consistent records for
> the zone including at the parent.  If my suspicion is correct, has there
> been thought of re-signing the DS record signed with the older private
> key in a way that proves ownership through the key change?  This gets
> published at the parent so it's visible even if the entire zone gets
> spoofed.  This, put another way, would prove publicly continuity of
> ownership for the domain.
>
> thanks,
> -Wei

I had thought of this sort of scenario as well.

You can script to watch your DS records and alert you if they are ever
not what they are supposed to be, but I hope there is a future where
certificate authorities are replaced by trust anchors independent of the
root DNS that can behave as a DS record 2FA.

E.g. to create a new KSK that DNSSEC would validate, the attacker would
not only have to fool the registry into uploading new DS records but
also fool the secondary trust anchor that duplicates the DS records.

Unfortunately that also opens up a DoS attack if an attacker is not able
to change the actual DS records but is able to fool the secondary
validator of the DS records.

That's a DNSSEC issue though, not DANE.

Even if banks use DANE (and I wish they would) they also should have EV
certificates to currently defend against that type of thing.
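The DS-watching script mentioned above, written out as an added example that is not part of the thread: it pins the DS RRset you expect at the parent, diffs what is observed against it, and tells a pre-publish KSK rollover (new DS added, old one kept) apart from a wholesale replacement like the registry-account hijack in the Wired story. The zone name, key tags and digests are constructed sample data, and `fetch_ds` assumes `dig` is installed and a resolver of your choosing.

```python
"""Pinned-DS drift monitor (added example, not the list thread's code): the
"script to watch your DS records" idea above, distinguishing a pre-publish KSK
rollover from a replacement such as a registry hijack. All data is constructed."""
import subprocess
from dataclasses import dataclass

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper-cased, whitespace removed

def parse_ds(line: str) -> DS:
    """Parse one DS record, either a full RR line or dig +short RDATA."""
    fields = line.split()
    if "DS" in fields:  # full RR: drop owner, TTL, class and type
        fields = fields[fields.index("DS") + 1:]
    if len(fields) < 4:
        raise ValueError(f"not a DS record: {line!r}")
    tag, alg, dtype, *digest = fields  # digest hex may be split by spaces
    return DS(int(tag), int(alg), int(dtype), "".join(digest).upper())

def parse_rrset(text: str) -> frozenset:
    """Parse a zone-file or dig +short listing, skipping blanks and ; comments."""
    return frozenset(parse_ds(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith(";"))

def classify(pinned: frozenset, observed: frozenset) -> tuple:
    """Diff the observed DS set against the pinned baseline and name the change."""
    key = lambda d: (d.key_tag, d.digest)
    added = sorted(observed - pinned, key=key)
    removed = sorted(pinned - observed, key=key)
    if added and removed:
        verdict = "replaced"             # old DS gone, new one in: page someone
    elif added:
        verdict = "rollover-prepublish"  # old DS still present: expected during a KSK roll
    elif removed:
        verdict = "ds-withdrawn"         # DS deleted; zone would go insecure
    else:
        verdict = "unchanged"
    return verdict, added, removed

def fetch_ds(zone: str, resolver: str = "9.9.9.9") -> frozenset:
    """Live lookup via dig (assumed installed); the constructed sample needs no network."""
    out = subprocess.run(["dig", f"@{resolver}", "+short", "DS", zone],
                         capture_output=True, text=True, check=True).stdout
    return parse_rrset(out)

# Constructed sample: the pinned baseline and what a hijacked parent might serve.
PINNED = parse_rrset("example.com. 3600 IN DS 12345 13 2 " + "11" * 32)
HIJACKED = parse_rrset("54321 13 2 " + " ".join(["22" * 8] * 4))
```

Run `classify(PINNED, fetch_ds("example.com"))` from cron and alert on anything but "unchanged"; a "replaced" verdict is the registry-hijack signature, while "rollover-prepublish" during your own planned roll is expected noise.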