7

Given the scenario that:

  1. Victim rents VM1 from a cloud provider, and points his/her DNS record to that VM1's IP address
  2. Victim deletes VM1 and switches to a different cloud provider, and creates VM2 there, but forgets to modify the DNS record (before deleting the old VM, but after creating the new VM)
  3. The Victim's DNS record is now pointing to an uncontrolled IP, which could be claimed by Attacker
  4. A few days later, Victim realizes that the DNS record was not modified, and points the record to VM2, thus fixing the issue
  5. Victim issues a new certificate for the domain on VM2, using e.g. Let's Encrypt

In the few days between Step 3 and Step 4, Attacker could have taken control over the IP the DNS record was pointed to.

Attacker could have issued a new certificate with e.g. Let's Encrypt, using which, Attacker could have obtained a private key & certificate for the domain, valid for at least 3 months. Attacker could use this obtained (and still valid) certificate in the future to perform MITM attacks between Victim and VM2 since the certificate would be valid, even after Victim modifies the DNS record.

Is it possible for Victim to verify that no malicious certificates were issued in the few days between Step 3 and Step 4?

  • Is searching for new entries in Certificate Transparency logs sufficient? What if an authority doesn't log the new certificate publicly?
  • If it is not possible to verify that no certificate was issued, should Victim stop using that domain (and its subdomains) completely? How long should Victim wait before using the domain name again (to make sure any malicious certificates previously issued expire)?
Mike Ounsworth
xdavidhu

1 Answer

14

TL;DR: Yes, checking for that domain in any public CT Log viewer and finding only certs that you bought will give you pretty high confidence that no malicious certs were issued to that domain.


Yup, I totally agree with you that an attacker could have gotten a VM at that IP and that would have been sufficient to get through the automated domain validation checks and gotten a cert. You talk about the attacker getting a cert from Let's Encrypt, but unless the victim had set up a DNS CAA record for their domain:

CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain.

then the attacker could get a cert from any CA, and some CAs offer certs with lifetimes up to a year.


Solution: *Superhero music blares* Certificate Transparency to the rescue!

The catch with CT is that some browsers enforce it and others don't, there is no global requirement from the CA/Browser Forum that CAs log to CT.

  • Chrome (and I think also Chromium) strongly require CT logging on every web site cert since 30 April 2018 or the browser will throw errors (source).
  • Safari looks like they are starting to require it, though that's news to me and that page is dated Mar 2021 (source).
  • Firefox does not require or check CT logs (source).

That said, I can't imagine that there are any major CAs who do business by only being in the Firefox root store and not Chrome's or Safari's, so it's a pretty safe bet that all major CAs CT log every cert they produce to Google's standard.


Summary: Yes, checking for that domain in any public CT Log viewer and finding only certs that you bought will give you pretty high confidence that no malicious certs were issued to that domain.

Mike Ounsworth
    Checking for that domain *and not finding it in the log* gives you a high confidence no malicious certs were issued - if you check and find an entry, your confidence is in the alternative (pedantic response, good answer, +1) – TCooper May 21 '21 at 22:19
  • @TCooper Pedantic change made. Thanks. – Mike Ounsworth May 21 '21 at 23:19
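The check the answer recommends, written out as an added example (not code from the question or answer authors): take the CT search results for the domain, keep only certificates whose validity started inside the exposure window (between Step 3 and Step 4), drop the ones whose serial numbers the owner issued themselves, and report what is left together with the latest expiry date, which answers the "how long should Victim wait" part. The entries are constructed, modelled on the JSON fields a crt.sh search returns; the domain, window dates and serial numbers are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of CT log entries for a hypothetical domain, shaped like
# the JSON a crt.sh search returns (id, issuer_name, serial_number, not_before,
# not_after). Entry 3 models a cert from a different CA with a one-year lifetime,
# as the answer notes some CAs offer. None of this is real log data.
SAMPLE_CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "serial_number": "aa01",
     "not_before": "2021-03-01T10:00:00", "not_after": "2021-05-30T10:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "serial_number": "bb02",
     "not_before": "2021-04-12T08:30:00", "not_after": "2021-07-11T08:30:00"},
    {"id": 3, "issuer_name": "C=US, O=Other CA Inc, CN=Other CA",
     "common_name": "www.example.com", "serial_number": "cc03",
     "not_before": "2021-04-13T14:00:00", "not_after": "2022-04-13T14:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "serial_number": "dd04",
     "not_before": "2021-04-20T09:00:00", "not_after": "2021-07-19T09:00:00"},
]


def parse_ts(s):
    """crt.sh timestamps are naive ISO 8601 in UTC; attach the zone explicitly."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def audit_ct_entries(entries, window_start, window_end, known_serials):
    """Return (suspect entries, instant after which every suspect has expired).

    A suspect is a logged cert whose validity began inside the exposure window
    and whose serial number is not one the domain owner issued themselves.
    If there are no suspects the second value is None.
    """
    known = {s.lower() for s in known_serials}
    suspects = [
        e for e in entries
        if window_start <= parse_ts(e["not_before"]) <= window_end
        and e["serial_number"].lower() not in known
    ]
    safe_after = max((parse_ts(e["not_after"]) for e in suspects), default=None)
    return suspects, safe_after


if __name__ == "__main__":
    # Assumed exposure window (Step 3 to Step 4) and the owner's own cert serial.
    start, end = parse_ts("2021-04-10T00:00:00"), parse_ts("2021-04-15T00:00:00")
    suspects, safe_after = audit_ct_entries(SAMPLE_CT_ENTRIES, start, end, {"bb02"})
    for e in suspects:
        print(f"unexpected cert id={e['id']} serial={e['serial_number']} "
              f"issuer={e['issuer_name']} expires={e['not_after']}")
    print("all unexpected certs expired after:", safe_after)
```

As the TCooper comment points out, an empty suspect list is the reassuring outcome; a non-empty one is the signal to revoke what you can and treat the domain as exposed until `safe_after`.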