In comp.lang.python, Jon Ribbens <jon+use...@unequivocal.eu> wrote:
> Another attempt at combatting this problem is DNS CAA records,
> which are a way of politely asking all CAs in the world except the
> ones you choose "please don't issue a certificate for my domain".
> By definition someone who had hacked a CA would pay no attention
> to that request, of course.
Yeah, but it works for the case of forgotten hostnames, a rare but real attack.

Basically it works like this: $COMPANY puts out a lot of things on different IP addresses from a shared public(ish) pool like AWS and assigns different names to them. Later $COMPANY discontinues one or more of those things, terminates the host, and lets the IP address rejoin the public(ish) pool. $ATTACKER notices the domain name pointing to an unused IP address and works to acquire it for their own server. $ATTACKER then gets a cert for that domain, since they can easily prove ownership of the server through http content challenges. $ATTACKER now has a host in $COMPANY's name to launch phishing attacks.

This probably has some clever infosec name that I don't know.

Elijah
------
or a clever infosec name now forgotten
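A defender-side audit of the scenario described above, as an added example that is not part of Elijah's post or the thread: it lists A records that point outside the address space the company still holds (the forgotten-hostname case) and evaluates the effective CAA set for those names per RFC 8659 (`issue` tag only; `issuewild` and `iodef` are ignored). The zone contents, address ranges and CA names are constructed.

```python
import ipaddress

# Constructed sample zone for example.test (not a real zone): (owner, type, rdata).
# retired.example.test still has an A record, but its address has been released
# back to the provider's pool, which is exactly the dangling record described above.
ZONE = [
    ("example.test",         "CAA", '0 issue "ca-one.test"'),
    ("www.example.test",     "A",   "203.0.113.10"),
    ("retired.example.test", "A",   "198.51.100.77"),
    ("lab.example.test",     "CAA", '0 issue ";"'),   # ";" means no CA may issue
    ("dev.lab.example.test", "A",   "203.0.113.44"),
]

# Address space the company currently controls (constructed). A hostname whose
# A record points outside this set is a candidate dangling record.
OWNED = [ipaddress.ip_network("203.0.113.0/24")]

def dangling_a_records(zone, owned):
    """Return names whose A record points at an address we no longer hold."""
    return [name for name, rtype, rdata in zone
            if rtype == "A"
            and not any(ipaddress.ip_address(rdata) in net for net in owned)]

def effective_caa(name, zone):
    """RFC 8659 lookup: CAA set of the closest name (self or ancestor) that has one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        caa = [rdata for n, t, rdata in zone if n == candidate and t == "CAA"]
        if caa:
            return candidate, caa
    return None, []

def ca_may_issue(name, ca, zone):
    """True if CA `ca` is permitted to issue for `name` under the effective CAA set."""
    _, caa = effective_caa(name, zone)
    if not caa:
        return True          # no CAA anywhere up the tree: any CA may issue
    allowed = set()
    for rdata in caa:
        _flags, tag, value = rdata.split(None, 2)
        if tag == "issue":
            domain = value.strip('"').split(";")[0].strip()
            if domain:       # a bare ";" adds nothing, so nobody is permitted
                allowed.add(domain)
    return ca in allowed

def audit(zone, owned, ca):
    """For each dangling name, report whether CA `ca` could still issue for it."""
    return {name: ca_may_issue(name, ca, zone)
            for name in dangling_a_records(zone, owned)}
```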