‘Domain validation of certain CAs is fooled via DNS attack’

Researchers at Germany’s Fraunhofer SIT Institute claim that the domain validation of certain major certificate authorities is vulnerable to cache poisoning of the DNS cache, allowing an attacker to obtain a certificate for another’s domain.

The researchers detailed their findings in a paper they shared with The Register and Heise. Because several authorities would still be vulnerable, they have not made the names of the organizations public. The sites write that with this method an attacker is able to obtain a digital certificate for a domain from another party. It is then possible, for example, to create a malicious fake site, which appears to have the correct certificate for visitors.

The attack uses cache poisoning based on ipv4 fragmentation, Heise said. That is not a new technique. It would therefore not be necessary to actively intercept network packets. The Register quotes from the study: “The attack starts with a DNS request. For the attack to succeed, the attacker must prepare a proper DNS response before the actual response from the real DNS server arrives.” By ‘breaking’ the dns packets into two parts, the attacker can have fake ip addresses included in the dns cache.

Domain validation is a way in which certificate authorities verify that a party actually owns a domain. This is usually done automatically. For example, part of the process can be the creation of a txt record. There are also other methods that are more demanding, such as extended validation. The researchers have proposed their own variant of domain validation called DV++, which should be resistant to their attack. They want to present them at the upcoming ACM conference in Canada. DNSsec would also be an effective defense.