Hi all,

During the last couple of months, several papers and posts on attacking current domain validation techniques and practices were published. While some could be mitigated by DNSSEC and CAA validation, there are also several operational techniques that could be implemented to increase CAs' security posture (https-validation for pre-issued certificates [0], multi-vantage-point validation [1], etc.). IIRC, Let's Encrypt is already experimenting with multi-vantage-point validation.

Back when we submitted Cloud Strife [0] to NDSS, we reached out to the list on pushing our mitigations toward a recommendation/best practices RFC. Given that with the Birge-Lee paper, there is now a second attack vector, we (Kevin Borgolte and I, but we are open to more collaborators and already talked with Prateek Mittal from the BGP MitM paper [1]) would like to author an RFC on mitigating IP-use-after-free/IP-misuse attacks. This RFC would summarize the operational recommendations as well as how various other measures can (and cannot; CAA, for example, has to be configured correctly to be helpful) mitigate these attacks.

However, before we dive into writing, we would like to get your feedback, hear your opinions and concerns, discuss on the list and in person (Kevin and I are in Montreal this week), and feel out whether you think that this is useful to the community to pursue.

We are looking forward to your feedback and interesting discussions.

Best,
Tobias

[0] Borgolte, Kevin, et al. "Cloud Strife: Mitigating the Security Risks of Domain-validated Certificates." Proceedings of Internet Society Symposium on Network and Distributed System Security (NDSS). 2018.
[1] Birge-Lee, Henry, et al. "Bamboozling Certificate Authorities with BGP." 27th USENIX Security Symposium (USENIX Security 18). USENIX Association.

Kind regards,

Dr.-Ing. Tobias Fiebig, Assistant Professor / Universitair Docent
Department Engineering Systems and Services
Informatie- en Communicatie Technologie (ICT)
TU Delft / Dept. ESS
Faculty of Technology, Policy and Management (TBM)
Building 31
Jaffalaan 5 - room B3.170
2628 BX Delft
P.O.Box 5015
2600 GA Delft, The Netherlands
T +31 (0)15 27 85700
E [email protected]
Present: Monday through Friday

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
