HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mittalprat

no profile record

comments

mittalprat
·4 ปีที่แล้ว·discuss
Having a CAA record and pointing to a CA like Let's Encrypt that uses domain validation from multiple vantage points on the Internet is a useful idea and raises the bar for an adversary.

I should point out that BGP attacks can also target the CAA records themselves since the DNS ecosystem is itself insecure. This is why such attacks are not easy to defend against, and require holistic improvements across internet routing, PKI, and web security practices.....
mittalprat
·4 ปีที่แล้ว·discuss
Indeed, your comment illustrates the importance of proactively strengthening the domain validation protocol used for issuing digital certificates.

Our work with Let's Encrypt demonstrated the feasibility of validating domains from multiple vantage points on the Internet: https://www.usenix.org/conference/usenixsecurity21/presentat...

We hope and advocate for universal adoption of this approach via the CA/Browser forum (since the internet is only as strong as its weakest link).
mittalprat
·4 ปีที่แล้ว·discuss
Indeed, a number of internet services and applications are vulnerable to BGP hijacking and interception attacks, including TLS/digital certificates, anonymity systems such as Tor, and cryptocurrencies such as Bitcoin.

We discussed this in an earlier blog post on freedom to tinker: https://freedom-to-tinker.com/2018/04/11/routing-attacks-on-....

A more technical description of these attacks is available in our Communications of the ACM article: https://cacm.acm.org/magazines/2021/6/252822-securing-intern...