On 2021-08-25, Eli the Bearded <*@eli.users.panix.com> wrote:
> In comp.lang.python, Jon Ribbens <jon+use...@unequivocal.eu> wrote:
>> Another attempt at combatting this problem is DNS CAA records,
>> which are a way of politely asking all CAs in the world except the
>> ones you choose "please don't issue a certificate for my domain".
>> By definition someone who had hacked a CA would pay no attention
>> to that request, of course.
>
> Yeah, but it works for the case of forgotten hostnames, a rare but
> real attack. Basically it works like this:
>
> $COMPANY puts out a lot of things on different IP addresses from
> a shared public(ish) pool like AWS and assigns different names
> to them. Later $COMPANY discontinues one or more of those things,
> terminates the host, and lets the IP address rejoin the public(ish)
> pool.
>
> $ATTACKER notices the domain name pointing to an unused IP address
> and works to acquire it for their own server. $ATTACKER then gets
> a cert for that domain, since they can easily prove ownership of
> the server through http content challenges. $ATTACKER now has a
> host in $COMPANY's name to launch phishing attacks.
How does CAA help with this? Unless the domain owner knows in advance
that they're going to forget about the hostname and prepares for it by
setting a CAA record that denies all CAs, the attacker will simply get
a certificate from one of the permitted CAs - since, as you point out,
they genuinely own and control the relevant IP address.

--
https://mail.python.org/mailman/listinfo/python-list
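The point of the reply, as an added example rather than anything from the thread or its participants: the CAA lookup a CA performs (RFC 8659 section 3) climbs from the requested name toward the root and uses the first non-empty CAA set it finds, so a forgotten hostname with no CAA record of its own simply inherits the parent's policy. The zone data, hostnames and CA names below are constructed for the example; CNAME chasing from the obsoleted RFC 6844 is not modelled.

```python
"""RFC 8659 CAA evaluation over a constructed, in-memory zone (no DNS traffic)."""
from typing import NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 0 (wire value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain such as "letsencrypt.org", or ";" meaning nobody


# Constructed zone for the example; none of these are real records.
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    # Hostname the owner fenced off before decommissioning it.
    "retired.example.com.": [CAA(0, "issue", ";")],
    # Hostname that was simply forgotten: no CAA record of its own.
    "old-app.example.com.": [],
}


def relevant_caa_set(name: str, zone: dict) -> list:
    """Climb toward the root; the first non-empty CAA RRset is the policy."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuance_allowed(name: str, ca_domain: str, zone: dict,
                     wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for name."""
    rrset = relevant_caa_set(name, zone)
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    relevant = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True  # no issue/issuewild records published: unrestricted
    # Everything after ';' is a parameter list; an empty issuer name allows nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed
```

With this zone, `old-app.example.com.` is still issuable by the CA listed at `example.com.`, while `retired.example.com.` is not issuable by anyone.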