Also, during the period of the attack, they were using a self-signed
certificate.

As yet there's no public evidence that they achieved issuance of any
certificate.  There is some question as to whether they could have.

On Wed, Apr 25, 2018 at 12:32 PM, Matthew Hardeman <mharde...@gmail.com>
wrote:

> I seriously doubt that.
>
> MyEtherWallet.com is/was hosted on Amazon CloudFront, and I believe the
> private keys for those certs stay locked at Amazon.  That was likely the
> starter cert that MyEtherWallet.com first went with before securing an EV
> cert.
>
> On Wed, Apr 25, 2018 at 11:42 AM, Santhan Raj via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On Wednesday, April 25, 2018 at 1:57:28 AM UTC-7, Ryan Hurst wrote:
>> > On Tuesday, April 24, 2018 at 5:29:05 PM UTC+2, Matthew Hardeman wrote:
>> > > This story is still breaking, but early indications are that:
>> > >
>> > > 1.  An attacker at AS10297 (or a customer thereof) announced several more
>> > > specific subsets of some Amazon DNS infrastructure prefixes:
>> > >
>> > > 205.251.192-.195.0/24 205.251.197.0/24 205.251.199.0/24
>> > >
>> > > 2.  It appears that AS10297 via peering arrangement with Google got
>> > > Google's infrastructure to buy (accept) the hijacked advertisements.
>> > >
>> > > 3.  It has been suggested that at least one of the anycast 8.8.8.8
>> > > resolvers performed resolutions of some zones via the hijacked targets.
>> > >
>> > > It seems prudent for CAs to look into this deeper and scrutinize any domain
>> > > validations reliant on DNS from any of those ranges this morning.
>> >
>> > This is an example of why ALL CAs should either already be doing
>> > multi-perspective domain control validation or be working towards that in
>> > the very near future.
>> >
>> > These types of attacks are far from new; we had discussions about them
>> > back in the early 2000s while at Microsoft and I know we were not the only
>> > ones. One of the earlier papers I recall discussing this topic was from the
>> > late 08 timeframe from CMU - https://www.cs.cmu.edu/~dga/papers/perspectives-usenix2008/
>> >
>> > The most recent work on this I am aware of is the Princeton paper from
>> > last year: http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf
>> >
>> > As the approved validation mechanisms are cleaned up and hopefully
>> > reduced to a limited few with known security properties the natural next
>> > step is to require those that utilize these methods to also use multiple
>> > perspective validations to mitigate this class of risk.
>> >
>> > Ryan Hurst (personal)
>>
>> What is interesting to me is the DV certificate that Amazon had issued
>> for myetherwallet.com (https://crt.sh/?id=108721338) and this
>> certificate expired on Apr 23rd 2018.
>>
>> Could it be that the attackers were using this cert all along in place of
>> an EV cert?
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
>

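The multi-perspective domain control validation that Ryan Hurst argues for above, modelled as an added example. This is not code from the thread or from any CA's production system; the vantage-point names, the challenge token and the per-perspective DNS answers are all constructed. The model is a DNS TXT challenge looked up from the CA's own network plus several remote perspectives. A BGP hijack of the authoritative DNS server's prefixes is typically accepted by only part of the internet, so the attacker's answer is visible from some vantage points and not others; requiring agreement across perspectives turns that partial view into a detectable failure instead of a mis-issued certificate. The single-perspective rule is included beside it so the difference is visible on the same constructed scenarios.

```python
"""
Multi-perspective domain control validation (MPDV), modelled in Python.

Added example; not code from the thread or from any CA.  All vantage-point
names, tokens and per-perspective answers below are constructed.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample data.  None models "lookup did not return the record"
# (NXDOMAIN, SERVFAIL or timeout); a string is the TXT value that was seen.
EXPECTED_TOKEN = "gOpS7Ykq3lHyKp4vRaZ9bQ"          # token the CA handed out
PRIMARY = "ca-primary"                              # the CA's own datacenter
REMOTES = ("perspective-eu", "perspective-us", "perspective-apac")

# Scenario 1: honest applicant, no hijack; every perspective sees the token.
LEGIT = {PRIMARY: EXPECTED_TOKEN, **{r: EXPECTED_TOKEN for r in REMOTES}}

# Scenario 2: an attacker requested the certificate and published the token on
# a rogue DNS server reachable via hijacked prefixes.  Only the CA's primary
# path accepted the hijacked routes, so only the primary sees the (matching)
# record; honest perspectives reach the real server, where no record exists.
HIJACK_SEEN_BY_PRIMARY = {PRIMARY: EXPECTED_TOKEN, **{r: None for r in REMOTES}}

# Scenario 3: honest applicant, but one remote perspective's path is hijacked
# and returns an attacker-controlled TXT value that does not match.
HIJACK_SEEN_BY_ONE_REMOTE = {
    PRIMARY: EXPECTED_TOKEN,
    "perspective-eu": EXPECTED_TOKEN,
    "perspective-us": "attacker-controlled-value",
    "perspective-apac": EXPECTED_TOKEN,
}


@dataclass(frozen=True)
class Verdict:
    passed: bool
    agreeing: int       # remote perspectives that saw the expected token
    differing: int      # remote perspectives that saw some other value
    missing: int        # remote perspectives that saw no record at all
    reason: str


def single_perspective(observations: Mapping[str, Optional[str]],
                       expected: str, primary: str = PRIMARY) -> bool:
    """The pre-MPDV rule: whatever the CA's own resolver sees is the truth."""
    return observations.get(primary) == expected


def multi_perspective(observations: Mapping[str, Optional[str]],
                      expected: str, primary: str = PRIMARY,
                      quorum: int = 2, max_differing: int = 0) -> Verdict:
    """
    Pass only if the primary sees the token AND at least `quorum` remote
    perspectives independently confirm it.  A remote that reaches a DNS server
    and gets a *different* value is a hijack indicator and is counted apart
    from a remote that simply found no record; by default one differing answer
    fails the validation outright.
    """
    if observations.get(primary) != expected:
        return Verdict(False, 0, 0, 0, "primary perspective did not observe the token")

    agreeing = differing = missing = 0
    for name, seen in observations.items():
        if name == primary:
            continue
        if seen is None:
            missing += 1
        elif seen == expected:
            agreeing += 1
        else:
            differing += 1

    if differing > max_differing:
        return Verdict(False, agreeing, differing, missing,
                       f"{differing} remote perspective(s) returned a different "
                       f"answer: localized DNS hijack suspected")
    if agreeing < quorum:
        return Verdict(False, agreeing, differing, missing,
                       f"only {agreeing} of the required {quorum} remote "
                       f"perspectives confirmed the token")
    return Verdict(True, agreeing, differing, missing, "quorum of perspectives agree")


if __name__ == "__main__":
    for label, obs in (("legit", LEGIT),
                       ("hijack seen by primary", HIJACK_SEEN_BY_PRIMARY),
                       ("hijack seen by one remote", HIJACK_SEEN_BY_ONE_REMOTE)):
        v = multi_perspective(obs, EXPECTED_TOKEN)
        print(f"{label:28s} single={single_perspective(obs, EXPECTED_TOKEN)!s:5s} "
              f"multi={v.passed!s:5s} ({v.reason})")
```

Scenario 2 is the one that matters for the incident discussed in the thread: the single-perspective rule issues the certificate because the CA's own resolver was the one routed to the hijacked prefixes, while the multi-perspective rule fails it because no independent vantage point can find the record. Scenario 3 shows why a differing answer should be treated more severely than a missing one: a partial hijack looks exactly like two perspectives disagreeing about the same name.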