s tale dns r ecords and ip a ddress r e u se
play

S TALE DNS R ECORDS AND IP A DDRESS R E -U SE c l oudstrife.sec l - PowerPoint PPT Presentation

Nov 14, 2023 •188 likes •329 views

C LOUD S TRIFE Mitigating the Security Risks of Domain-Validated Certificates Kevin Borgolte kevinbo@cs.ucsb.edu Tobias Fiebig t.fiebig@tude l ft.n l Shuang Hao shao@utda ll as.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna

  1. C LOUD S TRIFE 
 Mitigating the Security Risks of Domain-Validated Certificates Kevin Borgolte kevinbo@cs.ucsb.edu Tobias Fiebig t.fiebig@tude l ft.n l Shuang Hao shao@utda ll as.edu Christopher Kruegel chris@cs.ucsb.edu Giovanni Vigna vigna@cs.ucsb.edu Applied Networking Research Workshop (ANRW 2018) / IETF 102

  3. S TALE DNS R ECORDS AND IP A DDRESS R E -U SE c l oudstrife.sec l ab.cs.ucsb.edu 34.215.255.68 • How to migrate DNS gracefully? • When to release 34.215.255.68 ? TTL? Longer? • What about failure and automatic scaling? Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 3

  4. D OMAIN -V ALIDATED C ERTIFICATES • Standard TLS certificate • Trusted by major browsers and operating systems • Credited for the rise in HTTPS adoption • Cheap or free Top SSL Issuers • No identity verification Let’s Encrypt Comodo GeoTrust via https://nettrack.info/ssl_certificate_issuers.html Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 4

  5. HTTP-B ASED D OMAIN -V ALIDATION Request certificate Request certificate Request certificate Request certificate 1 1 1 1 Respond with challenge Respond with challenge Respond with challenge 2 2 2 Client Client Client Client Client Host challenge Host challenge 3 3 ACME ACME ACME ACME Verify challenge at http://example.com at http://example.com CA CA CA CA 4 example.com example.com Webserver Webserver If you control the host behind the domain, then you can prove domain ownership successfully. Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) 5 �

  6. I MPACT ? • Trusted TLS certificates (MitM) • Malicious and remote code loading • Subdomain attacks • Email (no MX = A record) • Spam & phishing (residual trust) Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 6

  7. S CALE ? • How many active domains point to free IPs? • Looking at cloud IP address (AWS, Azure) • 1.6 million unique IPs, 14 million allocations • 130 million unique domains Time Between Reoccurence (Seconds) log 2weeks 1week • >700,000 domains can be 1day taken over within minutes by attacker 1hour 1min 10sec ap-northeast-1 ap-northeast-2 ap-south-1 ap-southeast-1 ap-southeast-2 ca-central-1 eu-central-1 eu-west-1 eu-west-2 sa-east-1 us-east-1 us-east-2 us-west-1 us-west-2 Availability Zone Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) 7 �

  8. C LOUD S TRIFE • Assume takeovers can and will happen in the future • Major changes to DNS or deployment impractical • Aim to prevent attacks higher up • Focus on TLS services • Leverage existing standards when possible Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 8

  9. M ITIGATING T AKEOVER A TTACKS • HTTP • HTTP , simple idea: , simple idea: • HTTPS with trusted certificates domain-validated certificates • HTTPS with trusted certificates • HTTP Strict Transport Security • HTTP Strict Transport Security • HTTP Public Key Pinning • HTTP Public Key Pinning deprecated since Chrome 67 Takeover attacks now require pinned certificate. Reduces takeover attacks to denial of service attacks. Doesn’t work for SMTP etc. though Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) 9 �

  10. M ITIGATING T AKEOVER A TTACKS • HTTP , better idea: • HTTPS with trusted certificates • Prevent certificate issuance for domains (likely) taken over • HTTP Strict Transport Security No trusted certificate = also works for SMTP etc. How do you prevent certificate issuance? Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 10

  11. C ERTIFICATE T RANSPARENCY L OGS • Public append-only log for issued certificates • Monitor for suspicious certificates • Real-time(ish) audit trail In itself: • Reactive: attacker’s window of opportunity remains • Must be actively monitored (by domain owners) Can be used for historic lookups Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 11

  12. P REVENTIVE HTTP-B ASED D OMAIN -V ALIDATION Check for existing Check for existing Check for existing Check for existing Request certificate Request certificate Request certificate Request certificate Request certificate 1 1 1 1 1 2 2 2 2 certificates certificates certificates certificates Respond with challenge Respond with challenge Respond with challenge 3 3 3 Verify challenge and CT CT CT CT Client Client Client Client Client Client Host challenge Host challenge 4 4 ACME ACME ACME ACME ACME existing certificate Logs Logs Logs Logs at https://example.com at https://example.com CA CA CA CA CA 5 example.com example.com Webserver Webserver 1 2 If an old certificate was found, require it to be current HTTPS certificate. Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) 12 �

  13. C LOUD S TRIFE • Prevents TLS certificates to be issued for takeovers • No certificate = takeover attacks less useful (= DoS) • Drawbacks for users only for disaster recovery • Re-bootstrap chain of trust • ACME validation challenge draft next? Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (ANRW 2018) � 13

  14. Thank you! Questions? seclab kevinbo@cs.ucsb.edu https://kevin.borgo l te.me twitter: @caovc THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Learning from Label Proportions (LLP) Online ind Onl ine individual r ividual recor ecords ds

Learning from Label Proportions (LLP) Online ind Onl ine individual r ividual recor ecords ds

(Almost) No Label No Cry Giorgio Patrini with R.Nock, P.Rivera, T.Caetano Learning from Label Proportions (LLP) Online ind Onl ine individual r ividual recor ecords ds Per Percent cent unemployment unemployment Input : unlabeled data

239 views • 3 slides
E FFICIENT V ERIFICATION OF R EPLICATED D ATATYPES USING L ATER A PPEARANCE R ECORDS (LAR) Madhavan

E FFICIENT V ERIFICATION OF R EPLICATED D ATATYPES USING L ATER A PPEARANCE R ECORDS (LAR) Madhavan

E FFICIENT V ERIFICATION OF R EPLICATED D ATATYPES USING L ATER A PPEARANCE R ECORDS (LAR) Madhavan Mukund, Gautham Shenoy R, S P Suresh Chennai Mathematical Institute, Chennai, India ATVA 2015, Shanghai, China, 14 October 2015 Distributed

752 views • 45 slides
Ke Keynote A Addre ddress: : Challenge ges a and Opport rtun unities fo for W r Women i

Ke Keynote A Addre ddress: : Challenge ges a and Opport rtun unities fo for W r Women i

Ke Keynote A Addre ddress: : Challenge ges a and Opport rtun unities fo for W r Women i in A Aca cade demia Elizabeth I. Essamuah-Quansah, Ph.D., MBA Director, AU Outreach Global June 7, 2019 Chal allenge nges a and O nd Oppo

520 views • 21 slides
Pre Preventativ entative e Me Measures asures to o Add ddress ress St Student udent Be

Pre Preventativ entative e Me Measures asures to o Add ddress ress St Student udent Be

BOARD PRESENTATION In Inter erventions entions and nd Pre Preventativ entative e Me Measures asures to o Add ddress ress St Student udent Be Beha havior viors Bai aile ley Adm dministr istration ation Octobe ber 2014

514 views • 19 slides
The Telescope Array Low-Energy Extension (TALE) C. Jui For the TA/TALE Collaboration ISVHECRI,

The Telescope Array Low-Energy Extension (TALE) C. Jui For the TA/TALE Collaboration ISVHECRI,

The Telescope Array Low-Energy Extension (TALE) C. Jui For the TA/TALE Collaboration ISVHECRI, FNAL, July 1, 2010 Features in the UHECR spectrum: The minority straight-forward View CMBR photons interact with cosmic ray protons: Pion

520 views • 20 slides
The Environmentalists Tale Damnation, Purgatory and Armageddon The Environmentalists Tale 2

The Environmentalists Tale Damnation, Purgatory and Armageddon The Environmentalists Tale 2

The Environmentalists Tale Damnation, Purgatory and Armageddon The Environmentalists Tale 2 Environmental Eden Managing Ecology Shift in livelihood strategies Barka Alla, North of Kutum, North Darfur 70% 60% 50% 40% Before Currently

341 views • 21 slides
MOST SIGNIFICANT CHANGE Entities in Ch. 411 Government Code who may have access to adult

MOST SIGNIFICANT CHANGE Entities in Ch. 411 Government Code who may have access to adult

J UVENILE R ECORDS IN T EXAS J UVENILE R ECORDS L AWS Effective September 1, 2017 MOST SIGNIFICANT CHANGE Entities in Ch. 411 Government Code who may have access to adult criminal records NO LONGER have access to any juvenile records

815 views • 23 slides
BTS GROUP HOLDINGS PCL Investor Presentation JUNE 2020 IR IR Contact ct Add ddress: BTS

BTS GROUP HOLDINGS PCL Investor Presentation JUNE 2020 IR IR Contact ct Add ddress: BTS

BTS GROUP HOLDINGS PCL Investor Presentation JUNE 2020 IR IR Contact ct Add ddress: BTS Group Holdings PCL IR Department 15 th Floor, TST Tower, 21 Soi Choei Phuang, Viphavadi-Rangsit Rd. Chomphon, Chatuchak, Bangkok, Thailand 10900

898 views • 62 slides
A Tale of two Patients A Tale of two Patients 1) 71 yo with persistent AF since 2018. OSA

A Tale of two Patients A Tale of two Patients 1) 71 yo with persistent AF since 2018. OSA

9/14/2019 Disclosures Should We Ablate Asymptomatic AF? CHRS 2019 I have ablated patients with asymptomatic AF. Edward Paul Gerstenfeld, MD, FHRS @Ed_Gerst Professor of Medicine University of California, San Francisco A Tale of two

452 views • 10 slides
The tale fundamental group, tale homotopy and anabelian geometry Axel Sarlin |

The tale fundamental group, tale homotopy and anabelian geometry Axel Sarlin |

The tale fundamental group, tale homotopy and anabelian geometry Axel Sarlin | axel@sarlin.mobi Lecture notes This is a typed-out and slightly expanded version of my notes that I made whilst preparing the presentation of my thesis [Sar17]

113 views • 7 slides
City of Forest Park A Tale of Two TIFs A Tale of Two TIFs It was the best of times, it was

City of Forest Park A Tale of Two TIFs A Tale of Two TIFs It was the best of times, it was

City of Forest Park A Tale of Two TIFs A Tale of Two TIFs It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness The Best of Times Carillon TIF 123 acres, home to citys

421 views • 16 slides
A Tale of Testing the Untestable A Tale of Testing the Untestable Angie Jones Senior Developer

A Tale of Testing the Untestable A Tale of Testing the Untestable Angie Jones Senior Developer

A Tale of Testing the Untestable A Tale of Testing the Untestable Angie Jones Senior Developer Advocate, Applitools http://angiejones.tech Director, Test Automation University http://testautomationu.com San Francisco, CA, USA @techgirl1908

991 views • 82 slides
STAFFING AT HEALTHEAST THE TALE OF TWO HEALTHEASTS It was the best of times, it was the worst of

STAFFING AT HEALTHEAST THE TALE OF TWO HEALTHEASTS It was the best of times, it was the worst of

STAFFING AT HEALTHEAST THE TALE OF TWO HEALTHEASTS It was the best of times, it was the worst of timesit was the spring of hope, it was the winter of despair ( Tale of Two Cities , Charles Dickens). The presentation and reception of MNA

325 views • 30 slides
NEC Forum Tale of Two Contracts Ir. Ir. PAUL LEE PAUL LEE, , Kai Kai-hung hung Assistant

NEC Forum Tale of Two Contracts Ir. Ir. PAUL LEE PAUL LEE, , Kai Kai-hung hung Assistant

NEC Forum Tale of Two Contracts Ir. Ir. PAUL LEE PAUL LEE, , Kai Kai-hung hung Assistant Managing Director Hsin Chong Construction Company Ltd. P. 1 NEC Forum Tale of Two Contracts Ta Tale of two le of two co contra ntracts

381 views • 11 slides
A Tale of Two Indices: Positive vs. Normative Indexation in the Emerging Markets April 2020 A

A Tale of Two Indices: Positive vs. Normative Indexation in the Emerging Markets April 2020 A

A Tale of Two Indices: Positive vs. Normative Indexation in the Emerging Markets April 2020 A Tale of Two Indices Overview Available at www.seafarerfunds.com/a-tale-of-two-indices Steph Gan examines questions that are fundamental to the

117 views • 11 slides
The 42 Year-Old Tennis Player Heard a Crack: What I Do, Tension Side or Compression Side, and

The 42 Year-Old Tennis Player Heard a Crack: What I Do, Tension Side or Compression Side, and

The 42 Year-Old Tennis Player Heard a Crack: What I Do, Tension Side or Compression Side, and Outcomes Edward A. Perez, M.D. Campbell Clinic/University of Tennessee Memphis, TN A Tale of 4 Hips A Tale of 4 Hips A Tale of 4 Hips A Tale of

641 views • 60 slides
Colorado April 25, 2019 Peg Rogers Manager, Adult Mistreatment Prevention and Response Section

Colorado April 25, 2019 Peg Rogers Manager, Adult Mistreatment Prevention and Response Section

Promising Practices Spotlight: Colorado April 25, 2019 Peg Rogers Manager, Adult Mistreatment Prevention and Response Section Colorado Department of Human Services, Division of Aging & Adult Services 1 Disclaimer The National Adult

283 views • 24 slides
AFTER CCU: Whats Next in Greater Cincinnati? David Sandy Val & Adam Alex Anna

AFTER CCU: Whats Next in Greater Cincinnati? David Sandy Val & Adam Alex Anna

AFTER CCU: Whats Next in Greater Cincinnati? David Sandy Val & Adam Alex Anna Introducing the Finchers Overview of Central Christian College of the Bible Equipping, networking, & resourcing ministry leaders for lifelong

481 views • 16 slides
May 30, 2019 Novice Infection Preventionists Infection Prevention Boot Camp May 3031, 2019

May 30, 2019 Novice Infection Preventionists Infection Prevention Boot Camp May 3031, 2019

Infection Prevention Boot Camp for May 30, 2019 Novice Infection Preventionists Infection Prevention Boot Camp May 3031, 2019 Cheryl Love, RN, BSN, BSHCA, MBA, LHRM, CPHRM Director of Quality and Patient Safety; HIIN Improvement Advisor

413 views • 8 slides
Neuroimaging Inflammation in Clinical Depression and Obsessive Compulsive Disorder Dr. Jeffrey

Neuroimaging Inflammation in Clinical Depression and Obsessive Compulsive Disorder Dr. Jeffrey

Neuroimaging Inflammation in Clinical Depression and Obsessive Compulsive Disorder Dr. Jeffrey Meyer MD PhD FRCP(C) Canada Research Chair in Neurochemistry of Major Depression Head, Neurochemical Imaging Program in Mood Disorders Research

684 views • 64 slides
LIVE STREAMING AT SCALE Jordi Cenzano | Director of engineering mmsys2019

LIVE STREAMING AT SCALE Jordi Cenzano | Director of engineering mmsys2019

LIVE STREAMING AT SCALE Jordi Cenzano | Director of engineering mmsys2019 jcenzano@brightcove.com 2019/06/19 jordicenzano Agenda Simple live streaming Real (complex) live streaming blocks Some challenges Ingest

517 views • 32 slides
UNUM UNified Universal Microprocessor Framework Nirav Dave, Michael Pellauer, & Arvind

UNUM UNified Universal Microprocessor Framework Nirav Dave, Michael Pellauer, & Arvind

UNUM UNified Universal Microprocessor Framework Nirav Dave, Michael Pellauer, & Arvind Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab E Pluribus Unum Ex Uno Plures Wouldnt it be great if

566 views • 14 slides
A Framework for Rule Processing in Reconfigurable Network Systems Michael Attig and John Lockwood

A Framework for Rule Processing in Reconfigurable Network Systems Michael Attig and John Lockwood

A Framework for Rule Processing in Reconfigurable Network Systems Michael Attig and John Lockwood Washington University in Saint Louis Applied Research Laboratory Department of Computer Science and Engineering May 1, 2005 Rule Processing

154 views • 12 slides
DeepCache: Principled Cache for Mobile Deep Vision Mengwei Xu 1 , Mengze Zhu 1 , Yunxin Liu 2

DeepCache: Principled Cache for Mobile Deep Vision Mengwei Xu 1 , Mengze Zhu 1 , Yunxin Liu 2

DeepCache: Principled Cache for Mobile Deep Vision Mengwei Xu 1 , Mengze Zhu 1 , Yunxin Liu 2 Felix Xiaozhu Lin 3 , Xuanzhe Liu 1 1 Peking University, 2 Microsoft Research, 3 Purdue University Background: Mobile Vision Your mobile device sees

658 views • 35 slides

More recommend