oss-sec mailing list archives
Re: attacking hsts through ntp
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 17 Oct 2014 16:41:33 -0700
Hi Phil,
That's called "DANE" and it uses TLSA records in DNS. It's slowly bootstrapping into use in SMTP and server-server XMPP as an opportunistic TLS latch, providing the correct trust anchors too. Various feature-request bugs against browsers have eventually gotten closed as will-not-fix or equivalent, because verified DNSSEC is not seen as something which is likely to be widely deployed in clients; there's a chicken/egg problem here. By contrast, servers are more likely to be placed with care and attention to DNS resolution, so someone running an SMTP or XMPP server who wants to use DANE can fix their DNS setup, once. So it's seeing more use there. Postfix has DANE support; Exim has it as an experimental feature (which just means that the API might change); the Prosody XMPP client can be set up to use DANE. (For clarity: the server/receiver side of any connection requires no code changes to support DANE, although having SNI support probably helps; the initiator which verifies the peer is the only one which needs changes, but they're currently ugly ones).
Sure, I read up on this a while ago, but wasn't sure if it was catching on. Thanks for the update.
You're ignoring the attack vectors against DNSSEC.
Yes, true, but this is no different than the current situation with TLS. Why bother subverting DNSSEC in order to remove HSTS-like controls, and then downgrade from HTTPS->HTTP in order to get at the traffic, when you can just get at the TLS traffic directly by subverting that PKI? In order to address the nation-state scenario, I think we need the ability to apply multiple signatures to the same server key. If a CA in Israel and a CA in Iran both signed the same key, what are the chances of collusion? One way to achieve multiple signatures would be to leverage DNSSEC and stuff fingerprints in signed DNS records, leveraging two separate PKIs for the same TLS keys. I'd be interested to know if you know of any attempts to do this already. cheers, tim
Current thread:
- Re: attacking hsts through ntp, (continued)
- Re: attacking hsts through ntp Michael Samuel (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 17)
- Re: attacking hsts through ntp Yves-Alexis Perez (Oct 17)
- Re: attacking hsts through ntp Stephen Röttger (Oct 17)
- Re: attacking hsts through ntp Yves-Alexis Perez (Oct 18)
- Re: attacking hsts through ntp Stephen Röttger (Oct 20)
- RE: attacking hsts through ntp Bendler, Ehren (Oct 20)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Michael Samuel (Oct 16)
- Re: attacking hsts through ntp Tim (Oct 17)
- Re: attacking hsts through ntp Phil Pennock (Oct 17)
- Re: attacking hsts through ntp Tim (Oct 17)
- Re: attacking hsts through ntp Hanno Böck (Oct 18)