
Malicious CAs continue to cause headaches

Google published today that yet another CA has been caught issuing certificates for Google's domains (the post linked below concerns unauthorized certificates issued by intermediate CAs operated by India's National Informatics Centre, whose parent, the India CCA, is trusted via the Microsoft Root Store). This problem is probably occurring on a much larger scale than we see, and the incidents we do know about were found more by luck than by any systematic mechanism. Some have suggested crawling the internet and building a DB of the certificates observed, and while this would detect some issues, it is limited for the following reasons:

  • DNS: The DNS server used to resolve the hostname may be what redirects the crawler (or the user) to a malicious host. It could be manipulated by malware/spyware/adware, or it could be an ISP's own, otherwise legitimate, resolver returning bad answers.
  • ISP: Some ISPs may be hacked, or 'persuaded', to redirect traffic to malicious hosts, whether at the DNS level, through routing trickery, or via a transparent proxy.
  • Location: The user's location determines the resolver, the local network, and the possibility of ISP-level interference. Abuse could be confined to particular companies as part of an advanced 'APT'-style attack, so a crawler running from anywhere else would never see it. Countries such as China are already known to block domains via DNS manipulation, and may be doing other things as well...

Right now there is no comprehensive way for a company to know whether other certificates are out there pretending to be it, or for users to know which certificates are truly valid. Some services do offer DNS and traffic monitoring, but they only peek into a small subset of net traffic.

What we really need (since DNSSEC is taking forever to deploy) is browser functionality that reports the DNS server, ISP, issuer and hash of the SSL certificate the user was actually shown to a public DB (or some other useful, privacy-conscious combination of those fields). There, companies (and the public) could determine whether anyone is generating certificates for their domains and initiate takedown efforts. I challenge Google and Mozilla to use their vast talent pools to work something out, bring to light the invisible abuse that is occurring, and use that information to drive the discussion on solving this problem.
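To make the proposed DB concrete, here is an added example, not code from the original post, of the check a domain owner would run over such reports. It assumes each report is a plain record of the host contacted, the SANs and issuer of the leaf certificate the browser was shown, a SHA-256 hash of that leaf's SubjectPublicKeyInfo (an SPKI hash rather than a hash of the whole certificate, so the pin survives renewals that keep the same key), and the client's resolver and ASN. All reports, hashes, issuer names and pin values below are constructed placeholders. The domain owner registers the SPKI hashes it actually uses; any report whose certificate claims the domain under a different key is an anomaly, and grouping anomalies by resolver and ASN shows whether the problem is confined to one network (the localized DNS/ISP scenario above) or global.

```python
from collections import Counter

# Constructed browser reports, as the post proposes a browser would submit them.
# Hashes are placeholders; 64512 is a private ASN used for the odd clients out.
REPORTS = [
    {"host": "mail.google.com", "sans": ["*.google.com", "google.com"],
     "issuer": "CN=Example Root CA G2", "spki_sha256": "a1" * 32,
     "resolver": "8.8.8.8", "asn": 15169},
    {"host": "www.google.com", "sans": ["*.google.com", "google.com"],
     "issuer": "CN=Example Root CA G2", "spki_sha256": "a1" * 32,
     "resolver": "1.1.1.1", "asn": 13335},
    {"host": "accounts.google.com", "sans": ["accounts.google.com"],
     "issuer": "CN=Example Root CA G2", "spki_sha256": "b2" * 32,
     "resolver": "8.8.8.8", "asn": 15169},
    # A leaf for the same domain under an unexpected key and issuer, seen only
    # by clients behind one resolver in one network.
    {"host": "mail.google.com", "sans": ["*.google.com"],
     "issuer": "CN=Unrelated Intermediate CA", "spki_sha256": "ee" * 32,
     "resolver": "10.0.0.53", "asn": 64512},
    {"host": "mail.google.com", "sans": ["*.google.com"],
     "issuer": "CN=Unrelated Intermediate CA", "spki_sha256": "ee" * 32,
     "resolver": "10.0.0.53", "asn": 64512},
    # A domain with no registered pins is ignored rather than flagged.
    {"host": "www.example.org", "sans": ["www.example.org"],
     "issuer": "CN=Example Root CA G2", "spki_sha256": "c3" * 32,
     "resolver": "8.8.8.8", "asn": 15169},
]

# SPKI hashes the domain owner has registered as legitimate (constructed).
PINS = {"google.com": {"a1" * 32, "b2" * 32}}


def san_matches(san, name):
    """RFC 6125-style dNSName match: '*.google.com' covers 'mail.google.com'
    but neither 'google.com' nor 'a.b.google.com'."""
    san, name = san.lower(), name.lower()
    if san.startswith("*."):
        return "." in name and name.split(".", 1)[1] == san[2:]
    return san == name


def pinned_domain(name, pins):
    """Registered pin domain covering a SAN or hostname, e.g.
    'mail.google.com' and '*.google.com' -> 'google.com'; None if unpinned."""
    labels = name.lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in pins:
            return candidate
    return None


def find_anomalies(reports, pins):
    """Reports whose certificate claims a pinned domain under an unpinned key.
    The issuer is kept for takedown, plus whether the SANs even cover the
    contacted host (a browser would reject the connection if they do not)."""
    anomalies = []
    for r in reports:
        claimed = {d for san in r["sans"] for d in [pinned_domain(san, pins)] if d}
        for domain in sorted(claimed):
            if r["spki_sha256"] not in pins[domain]:
                anomalies.append({
                    **r,
                    "pinned_domain": domain,
                    "host_covered": any(san_matches(s, r["host"]) for s in r["sans"]),
                })
    return anomalies


def localize(anomalies):
    """Count anomalies per (resolver, asn). A cluster on one pair points at
    local DNS or ISP interference; a spread across many points at the CA."""
    return Counter((a["resolver"], a["asn"]) for a in anomalies)


if __name__ == "__main__":
    found = find_anomalies(REPORTS, PINS)
    for a in found:
        print(a["pinned_domain"], a["issuer"], a["spki_sha256"][:16],
              a["resolver"], a["asn"], a["host_covered"])
    print(localize(found))
```

On the constructed input, the two flagged reports share one resolver and one ASN, which is exactly the pattern an internet-wide crawl from a different vantage point would never observe, and why the report needs the client-side fields and not just the certificate.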

I haven't posted in a while, but this is such an important topic, and given that I've seen little about it in the news, I wanted to continue the discussion.

Google Blog Entry

http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
