Is this threat in SSL for real?

Question

I was talking with a friend about how SSL can be Man-in-the-Middled with relative ease. He claimed this:

• Anyone can compromise the DNS request authority chain (true).
• Anyone can generate a custom priv/pub key (true).
• Anyone can request (purchase) a certificate on behalf on any domain name (true?)

With this in mind, I could:

• Compromise a network (country-wide, say - Assume I am a government)
• intercept DNS requests with a custom DNS (country-wide, again) server
• issue a certificate for any domain (e.g. a wildcard for *.google.com, and spend more money for wildcards in every ccTLD in that domain)
• accept HTTPS requests, which resolve (via my compromised DNS) to my custom proxy with the intention of proxy-pass the http requests to the TRUE google server, but having a valid certificate (since it was actually issues legally, it has its valid chain), so no web browser would complain regarding an invalid certificate.

I had no words to reply back, and started to doubt, just by thinking that certificate authorities check you are the owner of the domain you want to issue a certificate to.

Is there any way to MitM like my friend said? Or what am I missing?

Answer 1

Anyone can compromise the DNS request authority chain (true).

Not true on a global scale but true inside a network you kind of control. This might be a network with weak security (i.e. typical free hotspots). Or it might be a network where you own the router or similar. There are countries where this kind of control is done on a state wide scale.

Anyone can generate a custom priv/pub key (true).

Yes, this is trivial.

Anyone can request (purchase) a certificate on behalf on any domain name (true?)

Not really true. In theory you cannot do this. In practice you might be able to do this by hacking a CA or by exploiting bugs in the CA. Such things already happened too often.

In theory there could be a log file where the CA log all the certificates they issue so that anybody could check. In practice this certificate transparency log exists mostly for the EV certificates only, i.e. the expensive ones with the green bar. And I doubt that someone will (quickly) notice if some small unknown domain gets compromised.

Is there any way to MitM like my friend said? Or what am I missing?

Lots of important domains are protected by certificate transparency (EV certificates) and/or by public key (pre-)pinning (HPKP). For smaller domains the situation is worse.

And depending on the environment where you work and live SSL interception might even be done on a more global scale. It is very common for work environments to monitor traffic for security reasons (malware can be delivered with https too!) and such monitoring can be done also at a state wide scale if the government has a tight control. Users need to install a proxy CA to make this monitoring possible but in companies this can usually be done automatically and state wide you either use the government sponsored browser or have to install this proxy CA yourself, because you want be able to access the sites without.

In summary: MITM is possible and is done in practice. But while there are criminal MITM attacks most MITM is the (more or less) legal for of SSL interception "for your own good" (they say). And for the legal interception they don't need these attacks.

Answer 2

Anyone can request (purchase) a certificate on behalf on any domain name (true?)

They can request it but to actually get it they need to convince the CA that they are the legitimate owners of the domain. Either that or convince the CA that if they don't issue it jackbooted thugs will be paying a visit.

Unfortunately convinving the CA that they are the legitimate owners of the domain basically only requires intercepting an email. Someone with nation-state level resources available (heck, someone who is a network admin at a major transit provider) is very likely to have means available for doing that.

And there are a scary number of CAs in the world. So a lot of countries can just use the jackbooted thugs route.

Answer 3

TL;DR A few years back, maybe. Today more difficult.

First of all DNS is well protected by DNSSEC, all the root DNS servers are DNSSEC capable and many government owned installations as well (as they should). A DNS server responding to a request without the proper RRSIG's will not be accepted. But lets ignore this for now.

When you request a SSL certificate, you must somehow prove you're the owner. For default positive SSL certificates an email to the registered address is sufficient. Extended Validation (EV) certificates require a thorough organization check. The organization is often contacted personally, and must show official documents such as chamber of commerce papers eg. EV certificates must be installed on anything protecting more than just public information. Official organizations are supposed to use EV certificates. In addition to that, governments (US, UK, NL) have their own intermediate or root certificate and never require permission from a third party (which brings on its own problems).

Till a few years back, there was no public register to see if an certificate was actually issued. This led to backdoor sales. Without any way of checking the CA signed certificates, you can only notice when things are off, if its too late.

Since then there has been made progress to create an open and transparent certificate database, which is already implemented in Google Chrome (Google was a major supporter). The trans working group is currently busy creating a standardized protocol, which I suppose will be done in the next few months.

See also

• Chrome warning when public key is not found in audit.