Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

Conference paper (2018)

Authors

Kevin Borgolte University of California

T. Fiebig

Shuang Hao University of Texas at Dallas

Christopher Kruegel University of California

Giovanni Vigna University of California

DOI: https://doi.org/10.14722/ndss.2018.23327

To reference this document use:

http://resolver.tudelft.nl/uuid:d672ebcc-cb08-4162-9da4-9cabedc075bd

More Info

expand_more

Published Date

2018

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Infrastructure-as-a-Service (IaaS), and more generallythe “cloud,” like Amazon Web Services (AWS) or MicrosoftAzure, have changed the landscape of system operations on theInternet. Their elasticity allows operators to rapidly allocate anduse resources as needed, from virtual machines, to storage, tobandwidth, and even to IP addresses, which is what made thempopular and spurred innovation.In this paper, we show that the dynamic component pairedwith recent developments in trust-based ecosystems (e.g., SSLcertificates) creates so far unknown attack vectors. Specifically, wediscover a substantial number of stale DNS records that point toavailable IP addresses in clouds, yet, are still actively attempted tobe accessed. Often, these records belong to discontinued servicesthat were previously hosted in the cloud. We demonstrate that itis practical, and time and cost efficient for attackers to allocateIP addresses to which stale DNS records point. Consideringthe ubiquity of domain validation in trust ecosystems, like SSLcertificates, an attacker can impersonate the service using avalid certificate trusted by all major operating systems andbrowsers. The attacker can then also exploit residual trust inthe domain name for phishing, receiving and sending emails, orpossibly distribute code to clients that load remote code from thedomain (e.g., loading of native code by mobile apps, or JavaScriptlibraries by websites).Even worse, an aggressive attacker could execute the attackin less than 70 seconds, well below common time-to-live (TTL) forDNS records. In turn, it means an attacker could exploit normalservice migrations in the cloud to obtain a valid SSL certificatefor domains owned and managed by others, and, worse, that shemight not actually be bound by DNS records being (temporarily)stale, but that she can exploit caching instead.We introduce a new authentication method for trust-based domainvalidation that mitigates staleness issues without incurringadditional certificate requester effort by incorporating existingtrust of a name into the validation process. Furthermore, weprovide recommendations for domain name owners and cloudoperators to reduce their and their clients’ exposure to DNSstaleness issues and the resulting domain takeover attacks.

Files

Ndss2018_06A_4_Borgolte_paper.... (.pdf)

(.pdf | 0.52 Mb)