Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 25, 2018 at 7:28 AM, Buschart, Rufus via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan! > > The "multiple perspective validations" is an interesting idea. Did you > think about combining it with CAA checking? I could imagine having a new > tag, e.g.

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Jakob Bohm via dev-security-policy
On 25/04/2018 18:01, Quirin Scheitle wrote: Hi Jakob, As someone who has actually /removed/ DNSSEC from some domains after it caused serious rippling failures, the brokenness of DNSSEC does not come from how often DNSSEC fails to validate valid requests but from how easily DNSSEC can crash a

Re: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
On Wed, Apr 25, 2018 at 1:44 PM, Santhan Raj via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > I did see the (ridiculously silly) self-signed certificate that was used, > but the skeptic in me keeps questioning the timeline of this attack and > recent multiple cert

Re: Policy 2.6 Proposal: Require CAs to support problem reports via email

2018-04-25 Thread Wayne Thayer via dev-security-policy
On Fri, Apr 20, 2018 at 12:33 PM, Wayne Thayer wrote: > At this point we have a few choices: > > 1. Do nothing about requiring email as a problem reporting mechanism. > Instead, take on the related issues of disclosure of the reporting > mechanism and receipt confirmation in

Re: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Nick Lamb via dev-security-policy
On Wed, 25 Apr 2018 09:42:43 -0700 (PDT) Santhan Raj via dev-security-policy wrote: > What is interesting to me is the DV certificate that Amazon had > issued for myetherwallet.com (https://crt.sh/?id=108721338) and this > certificate expired on Apr 23rd

Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy

2018-04-25 Thread Wayne Thayer via dev-security-policy
On Wed, Apr 25, 2018 at 8:01 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 20/04/2018 21:59, Wayne Thayer wrote: > >> On Tue, Apr 17, 2018 at 6:10 AM, Buschart, Rufus via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: >> >> I

Re: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
Also, during the period of the attack, they were using a self-signed certificate. As yet there's no public evidence that they achieved issuance of any certificate. There is some question as to whether they could have. On Wed, Apr 25, 2018 at 12:32 PM, Matthew Hardeman

Re: Policy 2.6 Proposal: Require separate intermediates for different usages (e.g. server auth, S/MIME)

2018-04-25 Thread Wayne Thayer via dev-security-policy
On Tue, Apr 24, 2018 at 9:24 AM, Ryan Sleevi wrote: > I'm not sure I understand the use case. I'm hoping that they can clarify > more. > > Pedro - can you explain more about why this is important? That is, it would seem valuable as part of the technical constraint > exercise

Re: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Santhan Raj via dev-security-policy
On Wednesday, April 25, 2018 at 1:57:28 AM UTC-7, Ryan Hurst wrote: > On Tuesday, April 24, 2018 at 5:29:05 PM UTC+2, Matthew Hardeman wrote: > > This story is still breaking, but early indications are that: > > > > 1. An attacker at AS10297 (or a customer thereof) announced several more > >

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
On Wed, Apr 25, 2018 at 11:01 AM, Quirin Scheitle via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > > This is not about whether or not domains should deploy DNSSEC. > Domains are in their own right to decide whether or not they see DNSSEC > fit for their environment. >

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Quirin Scheitle via dev-security-policy
Hi Jakob, > As someone who has actually /removed/ DNSSEC from some domains after it > caused serious rippling failures, the brokenness of DNSSEC does not come > from how often DNSSEC fails to validate valid requests but from how > easily DNSSEC can crash a domain, making it too risky to deploy. >

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Jakob Bohm via dev-security-policy
On 25/04/2018 17:06, Quirin Scheitle wrote: On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy wrote: With the right combination of DNSSEC validation, CAA records as utilized today, […] Hi all, I have advertised making DNSSEC

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Quirin Scheitle via dev-security-policy
> On 25. Apr 2018, at 16:11, Matthew Hardeman via dev-security-policy > wrote: > > With the right combination of DNSSEC validation, CAA records as utilized > today, […] Hi all, I have advertised making DNSSEC validation mandatory for CAA before, bot

Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy

2018-04-25 Thread Jakob Bohm via dev-security-policy
On 20/04/2018 21:59, Wayne Thayer wrote: On Tue, Apr 17, 2018 at 6:10 AM, Buschart, Rufus via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: I believe the wording "insecure electronic channels" leaves a lot of space for interpretation. In corporate PKIs for email

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
> > Multiple perspectives is useful when relying on any insecure third-party > resource; for example DNS or Whois. > > This is different than requiring multiple validations of different types; > an attacker that is able to manipulate the DNS validation at the IP layer > is also likely going to be

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Matthew Hardeman via dev-security-policy
On Wed, Apr 25, 2018 at 8:47 AM, Paul Wouters via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > BGP hijack at once. In the end, that's a numbers game with a bunch of > race conditions. But hey, it might lead to actual BGP security getting > deployed :) > I'm an

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Paul Wouters via dev-security-policy
On Wed, 25 Apr 2018, Ryan Hurst via dev-security-policy wrote: Multiple perspectives is useful when relying on any insecure third-party resource; for example DNS or Whois. This is different than requiring multiple validations of different types; an attacker that is able to manipulate the DNS

Re: "multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Ryan Hurst via dev-security-policy
On Wednesday, April 25, 2018 at 1:28:43 PM UTC+2, Buschart, Rufus wrote: > Hi Ryan! > > The "multiple perspective validations" is an interesting idea. Did you think > about combining it with CAA checking? I could imagine having a new tag, e.g. > "allowedMethods", in which the legitimate owner

"multiple perspective validations" - AW: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Buschart, Rufus via dev-security-policy
Hi Ryan! The "multiple perspective validations" is an interesting idea. Did you think about combining it with CAA checking? I could imagine having a new tag, e.g. "allowedMethods", in which the legitimate owner of a domain can specify the set of allowed methods to validate his domain. As an

Re: Regional BGP hijack of Amazon DNS infrastructure

2018-04-25 Thread Ryan Hurst via dev-security-policy
On Tuesday, April 24, 2018 at 5:29:05 PM UTC+2, Matthew Hardeman wrote: > This story is still breaking, but early indications are that: > > 1. An attacker at AS10297 (or a customer thereof) announced several more > specific subsets of some Amazon DNS infrastructure prefixes: > >