I totally agree that this is a feasible attack. It has been seen on a very
large scale: Russia did a BGP redirect at a country level in their dispute
with Georgia.

DNSSEC on A records alone is practically worthless. There is some value but
not a great deal. Most DNS attacks have been persuading registrars to put
bad data into the system.



On Tue, Sep 13, 2011 at 6:30 PM, Marsh Ray <ma...@extendedsubset.com> wrote:

> On 09/13/2011 04:24 PM, davidills...@gmail.com wrote:
>
>>
>> On 13 Sep 2011, at 21:35, Chris Palmer wrote:
>>
>>> <snip>
>>> sites; small sites may have to choose no pinning or potentially
>>> bricking their site (up to the maxAge window). This is not worse than
>>> the status quo."""
>>>
>>
>> What about sites which don't currently use https at all? The DNS records
>> for theregister.co.uk were redirected the other week. An attacker who
>> could do that could redirect to https, then set a very long max-age pin.
>> At that point, they'd be dependent on the browser vendor unpinning
>> affected users, right?
>>
>
> Wouldn't they have to acquire a valid cert first? Not saying that's out of
> the realm of possibility, but...
>
> I think you have a point. The whole premise of this is that there are
> circumstances under which some attacker can obtain such a cert. If this
> feature translates to a risk of perma-DoS for the (100.0 - epsilon)% of
> sites that don't adopt it immediately then it may be more dangerous than
> it's worth.
>
> Consider an adversarial country like, say, Bananastan. They have an ISP or
> three, their own CA, and of course, no sense of humor.
>
> They may one day be subject to some criticisms in the online press which
> they perceive as unfair. Or maybe something on a video sharing site is
> contrary to their customs and traditions.
>
> So their local judge orders their local ISP to block the offending media
> provider. The ISP does this by advertising more specific BGP routes for the
> video site's netblocks(1).
>
> Being mostly streaming data of little consequence, the video site has not
> yet set up HSTS or even full support for HTTPS (2).
>
> The ISP also sets the country's DNS resolvers to reply to name requests for
> the site with an IP address of a webserver where citizens can receive
> educational information(3).
>
> To be sure they get everybody, they do something I didn't know could be
> done with DNS (4).
>
> In order to save the misguided users that accidentally used a
> subversive https: bookmark, the court orders the local CA to "do what it
> takes to make it work"(5).
>
> And just to be sure the message sticks, they set a long term HSTS pin on
> this cert and/or their CA (6).
>
> Hilarity ensues.
>
> - Marsh
>
>
>
> 1. YouTube - Pakistan - 2008
> http://www.circleid.com/posts/82258_pakistan_hijacks_youtube_closer_look
> http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study
>
> 2. http://youtube.com/
>
>
> 3. http://web.archive.org/web/20060418030141/http://chinadigitaltimes.net/2006/01/image_of_internet_police_jingjing_and_chacha_online_hon.php
>
>
> 4. China - 2010
> https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html
> http://www.zdnet.co.uk/news/networking/2010/10/11/mystery-of-web-traffic-redirect-to-china-remains-unsolved-40090476/
>
>
> 5. [...]
>
>
> 6. Why wouldn't this attack work?
>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>



-- 
Website: http://hallambaker.com/
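A small model of Marsh Ray's scenario above, added here as an example that is not code from the websec thread, any pinning draft or any browser: a per-host pin store is fed a ten-year pin from behind a locally trusted cert while the redirect is in place, then checked against the genuine site's chain once the redirect ends, with and without a client-side cap on max-age. The header syntax, the SPKI identifiers, the host name and the 60-day cap are constructed assumptions.

```python
DAY = 86_400  # seconds

def parse_pin_header(header):
    """Parse the constructed 'max-age=N; pin="h1"; pin="h2"' syntax (an assumption)."""
    max_age, hashes = None, []
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name == "max-age":
            max_age = int(value)
        elif name == "pin":
            hashes.append(value.strip('"'))
    if max_age is None or not hashes:
        raise ValueError("header needs max-age and at least one pin")
    return max_age, hashes

class PinStore:
    """Per-host pin memory as a browser would keep it; max_age_cap is the mitigation."""
    def __init__(self, max_age_cap=None):
        self.max_age_cap = max_age_cap
        self.pins = {}  # host -> (frozenset of pinned SPKI ids, expiry time in seconds)

    def observe_header(self, host, header, now):
        max_age, hashes = parse_pin_header(header)
        if self.max_age_cap is not None:
            max_age = min(max_age, self.max_age_cap)  # bound the damage window
        self.pins[host] = (frozenset(hashes), now + max_age)

    def check(self, host, chain_hashes, now):
        """True if the chain may be used: no live pin for the host, or a pin matches."""
        pin = self.pins.get(host)
        if pin is None or now >= pin[1]:
            self.pins.pop(host, None)  # expired pins are forgotten
            return True
        return bool(pin[0] & set(chain_hashes))

def lockout_days(max_age_cap=None, attack_days=30, horizon_days=4000):
    """Days the genuine site stays unreachable after the attack ends (constructed chains)."""
    store, host = PinStore(max_age_cap), "video.example"
    rogue_chain = ["spki-rogue-leaf", "spki-bananastan-ca"]
    real_chain = ["spki-real-leaf", "spki-real-ca"]
    # Day 0: the attacker, in path with a cert its local CA issued, pins its own CA for ten years.
    store.observe_header(host, 'max-age=315360000; pin="spki-bananastan-ca"', now=0)
    if not store.check(host, rogue_chain, now=0):
        raise RuntimeError("the rogue chain must satisfy the pin it set")
    # From attack_days on the real site is back; every day its chain fails the pin is a hard failure.
    return sum(1 for day in range(attack_days, horizon_days)
               if not store.check(host, real_chain, day * DAY))
```

lockout_days() reports the outage with no cap and lockout_days(60 * DAY) the outage with one; the client's cap, not the attacker's requested max-age, is what bounds the perma-DoS window the thread worries about.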
