CRISP-Researchers point out security gap in the Domain Name System
Vulnerabilities in domain validation allow the issuing of fraudulent web certificates
As part of the CRISP flagship project "Secure Internet Infrastructures", scientists at Fraunhofer SIT have found a way to issue fraudulent website certificates that are used to ensure trustworthiness of Internet domains. The team lead by CRISP-researcher Dr. Haya Shulman, Fraunhofer SIT, has shown that the weakness in the domain validation can be exploited in real life and that the security of Internet infrastructures needs to be improved. To do so the researchers have informed Web CAs (Certificate Authorities) and suggest a new implementation that Web CAs may use to mitigate the attack.
Web certificates are the basis of the SSL/TLS protocol which protects most web sites, such as online mail, online retailing and online banking. If a web site presents a valid certificate, the user’s browser will signal to the user that the web site’s identity is verified and can be trusted, e.g. by showing a green padlock. The research team showed that this trust is actually ill-founded and users can easily be tricked into sending their secret passwords and data to fraudulent phishing web sites.
Certificates are issued by so-called Web CAs, and virtually all popular Web CAs are using a method called Domain Validation (DV) to verify a web site’s identity before issuing a certificate to that web site. The research-team demonstrated that Domain Validation is fundamentally flawed, and consequently they could trick many Web CAs into issuing fraudulent certificates. A cybercriminal could use this attack to obtain a fraudulent certificate, e.g. for a popular online retailer, set up a web site that perfectly mimics that online retailer’s store, and phish usernames and passwords.
The research-team led by Dr. Haya Shulman exploited a number of well known vulnerabilities in the Domain Name System (DNS), which is the Internet’s yellow pages mapping domain names to Internet addresses. Cybersecurity researchers were well aware of these vulnerabilities in the DNS and their potential impact on Domain Validation, but so far this was considered a rather theoretical risk and something only very powerful, e.g., nation state-level attackers could exploit. The team demonstrated for the first time that this risk is actually very real. “While the details of our attack are technically quite sophisticated, executing the attack does not require any specific compute power or any capability to intercept Internet traffic. Nothing more is needed than a laptop and an Internet connection.” says Dr. Haya Shulman..
The team informed German security authorities and Web CAs. As a mitigation the researchers developed an improved version of DV, called DV++, which could replace DV without any further modifications. A research paper describing the details of this attack as well as DV++ will be presented at the ACM Conference on Computer and Communications Security (ACM CCS) in Toronto, Canada, in October 2018.show all news