Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

Infrastructure-as-a-Service (IaaS), and more generally the "cloud," changed the landscape of system operations on the Internet. The elasticity of clouds allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to IP addresses, which is what made clouds popular. We show that this dynamic component, paired with developments in trust-based ecosystems (e.g., TLS certificates), creates so far unknown attacks. We demonstrate that it is practical to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems, like TLS, an attacker can then obtain a valid and trusted certificate. The attacker can then impersonate the service, exploit residual trust for phishing, or might even distribute malicious code. Even worse, an aggressive attacker could succeed in less than 70 seconds, well below common time-to-live (TTL) values for DNS. In turn, she could exploit normal service migrations to obtain a valid certificate, and, worse, she might not be bound by DNS records being (temporarily) stale. We introduce a new authentication method for trust-based domain validation, like IETF's Automated Certificate Management Environment (ACME), that mitigates staleness issues without incurring additional certificate requester effort by incorporating the existing trust of a name into the validation process.

Based on previously published work [1].

[1] Kevin Borgolte, Tobias Fiebig, Shuang Hao, Christopher Kruegel, Giovanni Vigna. February 2018. Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates. In Proceedings of the 25th Network and Distributed Systems Security Symposium (NDSS '18). Internet Society (ISOC). DOI: 10.14722/ndss.2018.23327. URL: https://doi.org/10.14722/nd
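The stale-record condition described in the abstract can be audited from the operator's side. The following is an added example, not code from the paper or its authors: it flags names in a zone that still resolve into a cloud provider's address pool at an address the account no longer holds. The zone data, address pool and inventory are constructed samples (RFC 5737 documentation ranges), and all function names are hypothetical.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for a
# provider's published address pool; names and inventory are hypothetical.
CLOUD_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
ALLOCATED_IPS = {"203.0.113.10", "198.51.100.7"}  # addresses the account holds now
ZONE_RECORDS = [  # (owner name, type, value, TTL in seconds)
    ("www.example.com", "A", "203.0.113.10", 300),
    ("old-api.example.com", "A", "203.0.113.55", 3600),
    ("shop.example.com", "CNAME", "old-api.example.com", 300),
    ("mail.example.com", "A", "192.0.2.25", 3600),
    ("beta.example.com", "A", "198.51.100.99", 60),
]


def resolve_in_zone(name, records, max_depth=8):
    """Follow in-zone CNAMEs; return (addresses, longest TTL on the chain)."""
    ttl = 0
    for _ in range(max_depth):  # the depth bound also stops CNAME loops
        cname = [r for r in records if r[0] == name and r[1] == "CNAME"]
        if not cname:
            break
        ttl = max(ttl, cname[0][3])
        name = cname[0][2]
    addrs = [r for r in records if r[0] == name and r[1] in ("A", "AAAA")]
    ttl = max([ttl] + [r[3] for r in addrs])
    return [ipaddress.ip_address(r[2]) for r in addrs], ttl


def find_stale_records(records, cloud_ranges, allocated_ips):
    """Names resolving into the provider pool at an address we no longer hold."""
    pool = [ipaddress.ip_network(n) for n in cloud_ranges]
    held = {ipaddress.ip_address(a) for a in allocated_ips}
    findings = []
    for name in sorted({r[0] for r in records}):
        addrs, ttl = resolve_in_zone(name, records)
        for addr in addrs:
            # Outside the pool (e.g. on-premises mail) is out of scope here.
            if addr not in held and any(addr in net for net in pool):
                findings.append((name, str(addr), ttl))
    return findings


if __name__ == "__main__":
    for name, addr, ttl in find_stale_records(ZONE_RECORDS, CLOUD_RANGES, ALLOCATED_IPS):
        print(f"STALE {name} -> {addr} (may stay cached up to {ttl}s after the fix)")
```

The reported TTL is a conservative upper bound on how long resolvers may keep serving the stale answer once the record is corrected, which is why records should be removed and allowed to expire before the address is released.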
