Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

Kevin Borgolte, Tobias Fiebig, Shuang Hao, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Conference proceedings/Edited volume; Conference contribution; Scientific; peer-review


Abstract

Infrastructure-as-a-Service (IaaS), and more generally the “cloud,” like Amazon Web Services (AWS) or Microsoft Azure, have changed the landscape of system operations on the Internet. Their elasticity allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to bandwidth, and even to IP addresses, which is what made them popular and spurred innovation.

In this paper, we show that the dynamic component paired with recent developments in trust-based ecosystems (e.g., SSL certificates) creates so far unknown attack vectors. Specifically, we discover a substantial number of stale DNS records that point to available IP addresses in clouds, yet, are still actively attempted to be accessed. Often, these records belong to discontinued services that were previously hosted in the cloud. We demonstrate that it is practical, and time and cost efficient for attackers to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems, like SSL certificates, an attacker can impersonate the service using a valid certificate trusted by all major operating systems and browsers. The attacker can then also exploit residual trust in the domain name for phishing, receiving and sending emails, or possibly distribute code to clients that load remote code from the domain (e.g., loading of native code by mobile apps, or JavaScript libraries by websites).

Even worse, an aggressive attacker could execute the attack in less than 70 seconds, well below common time-to-live (TTL) for DNS records. In turn, it means an attacker could exploit normal service migrations in the cloud to obtain a valid SSL certificate for domains owned and managed by others, and, worse, that she might not actually be bound by DNS records being (temporarily) stale, but that she can exploit caching instead.

We introduce a new authentication method for trust-based domain validation that mitigates staleness issues without incurring additional certificate requester effort by incorporating existing trust of a name into the validation process. Furthermore, we provide recommendations for domain name owners and cloud operators to reduce their and their clients’ exposure to DNS staleness issues and the resulting domain takeover attacks.

Original language: English
Title of host publication: proceedings of Network and Distributed System Security Symposium (NDSS)
Pages: 1-15
Number of pages: 15
DOIs
Publication status: Published - 2018
Event: Network and Distributed System Security Symposium - San Diego, United States
Duration: 18 Feb 2018 to 21 Feb 2018

Conference

Conference: Network and Distributed System Security Symposium
Abbreviated title: NDSS 2018
Country/Territory: United States
City: San Diego
Period: 18/02/18 to 21/02/18
