Watchers of the SSL industry follow SSL protocol attacks such as BEAST, CRIME, Lucky 13 and the RC4 biases closely. They also track the rare certification authority (CA) compromises such as Comodo and DigiNotar. But they do not seem to spend much time following attacks on the domain name registration system, the registrars and registries that sit behind the DNS.
Websites are attacked every day through the DNS. Just recently, the Syrian Electronic Army hijacked the New York Times and other domains by changing their DNS records at the registrar. An attack of this kind can also lead to the mis-issuance of some types of publicly trusted SSL certificates.
Registrars operate a low-margin business with no independent security audit of the kind CAs are subject to. Without that oversight there is less pressure to design and maintain strong controls.
Registrars are the authorities that assign domain names to registrants: they record who the registrant is and which name servers the name is delegated to, and through that delegation the name is bound to servers under the registrant's control. CAs rely on this binding when issuing domain-validated (DV) certificates. In some forms of the domain-control check the CA relies on email confirmation, sending the challenge to the contact address listed in the registration record; other forms rely on the registrant placing a challenge value in the zone or on a web server the name resolves to. Every one of these checks ultimately trusts what the DNS says about the name.
Registrants commonly authenticate to their registrar accounts with only a username and password. An attacker who phishes or guesses those credentials can change the delegation or the records and divert the domain's web, email and other traffic wherever they wish. Having done so, the attacker can answer the domain-verification email (or serve the challenge value) and thereby request and receive an SSL certificate for the victim's domain name.
Digital certificates are supposed to offer assurance over and above what the domain name system provides. For that reason browsers give pages served with a certificate a distinct user interface, the padlock, signalling higher assurance in the identity shown in the address bar. But when certificate issuance depends solely on the contents of the DNS, that higher assurance is an illusion: the certificate vouches for nothing the DNS has not already asserted. This being the case, why is domain verification allowed to depend only on the registration data?
The same applies to DANE. DNSSEC's chain of trust runs through the DS records that the registrant publishes at the parent zone via the registrar, so the keys that DANE's TLSA records rely on are assigned as a byproduct of the same DNS binding. Whoever controls the registrar account can replace the DS record along with the delegation, and DNSSEC, and DANE with it, is then only as secure as the registrar's procedures.
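A registrant-side check that follows from the two points above (the DV-issuance path and the DANE/DNSSEC chain): periodically snapshot the registrar-level state of a domain and diff it against a known-good baseline, alerting on exactly the changes an account takeover produces. This is an added example, not code from the original article. The domain names, record values, registrar name and both snapshots are constructed; in practice the snapshots would be filled from RDAP/WHOIS output and DNS queries against the parent zone (for example with dnspython), which this block does not perform.

```python
"""Diff two registrar/DNS snapshots of a domain and flag hijack indicators.

Added example, not from the original article. Snapshots are constructed
here; in production they would come from RDAP/WHOIS and DNS queries taken
on a schedule and compared with the last known-good snapshot.
"""
from dataclasses import dataclass

# Standard EPP status values (RFC 5731) that prevent transfer, update or
# deletion at the registrar (client*) or registry (server*).
LOCK_STATUSES = frozenset({
    "clientTransferProhibited", "serverTransferProhibited",
    "clientUpdateProhibited", "serverUpdateProhibited",
    "clientDeleteProhibited", "serverDeleteProhibited",
})


@dataclass(frozen=True)
class Snapshot:
    registrar: str          # sponsoring registrar as reported by RDAP/WHOIS
    epp_status: frozenset   # EPP status codes on the domain object
    ns: frozenset           # delegation (NS) as published at the parent zone
    ds: frozenset           # DS records at the parent: the DNSSEC trust anchor
    mx: frozenset           # MX hosts: where a DV confirmation mail would land
    caa: frozenset          # CAA records restricting which CAs may issue


def check_drift(baseline: Snapshot, current: Snapshot) -> list:
    """Return (severity, message) pairs for every change that matters."""
    alerts = []

    if current.registrar != baseline.registrar:
        alerts.append(("critical",
                       f"domain moved from {baseline.registrar} to {current.registrar}"))

    lost_locks = (baseline.epp_status & LOCK_STATUSES) - current.epp_status
    if lost_locks:
        alerts.append(("high",
                       "registrar locks removed: " + ", ".join(sorted(lost_locks))))

    if current.ns != baseline.ns:
        # Control of the delegation is control of every record in the zone,
        # so any DV method (email, HTTP file, DNS TXT) can now be satisfied.
        alerts.append(("critical",
                       f"delegation changed: {sorted(baseline.ns)} -> {sorted(current.ns)}"))

    if current.ds != baseline.ds:
        # A new or removed DS re-anchors (or drops) the DNSSEC chain, so DANE
        # TLSA records under the attacker's keys validate like the real ones.
        alerts.append(("critical",
                       "DS record set changed (DNSSEC trust anchor replaced or removed)"))

    if current.mx != baseline.mx:
        alerts.append(("high",
                       f"MX changed: {sorted(baseline.mx)} -> {sorted(current.mx)}"))

    if current.caa != baseline.caa:
        alerts.append(("medium", "CAA changed (issuance restrictions altered)"))

    return alerts


# Constructed known-good snapshot of a hypothetical domain. The DS digest is
# a placeholder, not a real hash.
BASELINE = Snapshot(
    registrar="Registrar A (hypothetical)",
    epp_status=frozenset({"clientTransferProhibited", "clientUpdateProhibited",
                          "clientDeleteProhibited"}),
    ns=frozenset({"ns1.dns-host.example", "ns2.dns-host.example"}),
    ds=frozenset({"12345 13 2 <placeholder-digest>"}),
    mx=frozenset({"mail.victim.example"}),
    caa=frozenset({'0 issue "ca.example"'}),
)

# Constructed snapshot after a registrar-account takeover: the attacker
# redelegates the zone, removes the DS so the unsigned attacker zone resolves,
# drops the update/delete locks and points mail at a server they control.
HIJACKED = Snapshot(
    registrar="Registrar A (hypothetical)",
    epp_status=frozenset({"clientTransferProhibited"}),
    ns=frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
    ds=frozenset(),
    mx=frozenset({"mail.attacker.example"}),
    caa=frozenset(),
)

if __name__ == "__main__":
    for severity, message in check_drift(BASELINE, HIJACKED):
        print(f"[{severity}] {message}")
```

The NS and DS comparisons are the ones that matter most: once the delegation or the trust anchor has moved, a CAA record or a DANE TLSA record in the original zone no longer constrains anything, because the attacker now publishes the zone the CA and the DANE-aware client will consult. The lock check is worth keeping even though it is registrar-specific, since an attacker who can clear the update lock can do everything else.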
Industry experts should consider the security ramifications of validating domain control using registrar data alone.