> On 25 Aug 2021, at 20:34, Eli the Bearded <*@eli.users.panix.com> wrote:
>
> In comp.lang.python, Jon Ribbens <jon+use...@unequivocal.eu> wrote:
>> Another attempt at combatting this problem is DNS CAA records,
>> which are a way of politely asking all CAs in the world except the
>> ones you choose "please don't issue a certificate for my domain".
>> By definition someone who had hacked a CA would pay no attention
>> to that request, of course.
>
> Yeah, but it works for the case of forgotten hostnames, a rare but
> real attack. Basically it works like this:
>
> $COMPANY puts out a lot of things on different IP addresses from
> a shared public(ish) pool like AWS and assigns different names
> to them. Later $COMPANY discontinues one or more of those things,
> terminates the host, and lets the IP address rejoin the public(ish)
> pool.
>
> $ATTACKER notices the domain name pointing to an unused IP address
> and works to acquire it for their own server. $ATTACKER then gets
> a cert for that domain, since they can easily prove ownership of
> the server through http content challenges. $ATTACKER now has a
> host in $COMPANY's name to launch phishing attacks.
>
> This probably has some clever infosec name that I don't know.
It is possible to sign an IP address in a certificate, but that is not often done.

Getting to reuse the IP address that example.com was using will not help the attacker unless they can make a cert that signs the DNS name. And that means they hacked the CA, which is a big problem.

Barry

> Elijah
> ------
> or a clever infosec name now forgotten

--
https://mail.python.org/mailman/listinfo/python-list
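As an added illustration, not code from anyone in this thread: a small Python audit that flags the "forgotten hostname" records Eli describes (names still pointing at addresses the organisation no longer holds, which should be deleted) and evaluates the CAA restriction Jon mentions using the closest-ancestor lookup of RFC 8659. The zone, the address inventory and the CA identifiers are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample zone (hypothetical, not from the thread):
# name -> list of (rrtype, rdata); CAA rdata is (flags, tag, value)
ZONE = {
    "example.com": [("CAA", (0, "issue", "letsencrypt.org")),
                    ("CAA", (0, "issuewild", ";"))],   # ";" = no CA at all
    "www.example.com": [("A", "203.0.113.10")],
    "old-app.example.com": [("A", "203.0.113.77")],   # host was torn down
    "legacy.example.com": [("CNAME", "old-app.example.com")],
}
# Constructed inventory of address blocks the organisation still holds
OWNED = ["203.0.113.0/28", "198.51.100.5/32"]


def resolve_a(name, zone, hops=8):
    """Follow in-zone CNAMEs (bounded, so loops terminate) to A targets."""
    for _ in range(hops):
        recs = zone.get(name, [])
        cnames = [v for t, v in recs if t == "CNAME"]
        if not cnames:
            return [v for t, v in recs if t == "A"]
        name = cnames[0]
    return []


def dangling_hosts(zone=ZONE, owned=OWNED):
    """Names resolving to an address outside our inventory: the stale
    records $COMPANY forgot. Remove them instead of leaving them pointing."""
    nets = [ip_network(n) for n in owned]
    stale = []
    for name in zone:
        addrs = resolve_a(name, zone)
        if addrs and not all(any(ip_address(a) in n for n in nets) for a in addrs):
            stale.append(name)
    return sorted(stale)


def relevant_caa(name, zone=ZONE):
    """Closest-ancestor CAA RRset, as RFC 8659 section 3 defines it."""
    labels = name.split(".")
    for i in range(len(labels)):
        node = ".".join(labels[i:])
        rrset = [v for t, v in zone.get(node, []) if t == "CAA"]
        if rrset:
            return node, rrset
    return None, []


def issuance_allowed(name, ca, zone=ZONE):
    """May a CA identifying itself as `ca` issue for `name`? An honest CA
    checks this; a compromised one ignores it, as the thread notes."""
    _, rrset = relevant_caa(name, zone)
    tags = {tag for _, tag, _ in rrset}
    # issuewild overrides issue for wildcard names (RFC 8659 section 4.3)
    use = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    allowed = [val for _, tag, val in rrset if tag == use]
    return True if not allowed else ca in allowed   # ";" matches no CA
```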