Ensuring Secure Internet Connections: Understanding Domain Verification

Slide Note
Embed
Share

This content delves into the importance of verifying domain authenticity to safeguard against potential online scams and phishing attempts. It explores how organizations like the Commonwealth Bank of Australia use domain name certification processes, encryption techniques, and trusted third parties to establish secure connections and protect users from malicious activities on the internet.

zazo652
zazo652 Follow

Uploaded on Oct 04, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Why Dane? Geoff Huston Chief Scientist, APNIC

  2. Security on the Internet How do you know that you are going to where you thought you were going to?

  3. Security on the Internet How do you know that you are going to where you thought you were going to? My Bank s web site Or at least I think its my bank because it looks a bit familiar and there is a green icon of a lock So it HAS to be my bank hasn t it?

  4. Connection Steps Client: DNS Query: www.commbank.com.au? DNS Response: 104.97.235.12 TCP Session: TCP Connect 104.97.235.12, port 443

  5. Hang on $ dig -x 104.97.235.12 +short a104-97-235-12.deploy.static.akamaitechnologies.com. That s not an IP addresses that was allocated to the Commonwealth Bank! The Commonwealth Bank of Australia has 140.168.0.0 - 140.168.255.255 and 203.17.185.0 - 203.17.185.255 So why should my browser trust that 104.97.235.12 is really the proper web site for the Commonwealth Bank of Australia and not some dastardly evil scam? How can my browser tell the difference between an intended truth and a lie?

  6. TLS Connections https://rhsecurity.wordpress.com/tag/tls/

  7. TLS Connections https://rhsecurity.wordpress.com/tag/tls/

  8. Domain Name Certification The Commonwealth Bank of Australia has generated a key pair And they passed a Certificate Signing Request to a company called Symantec (together with money) Symantec is willing to vouch (in a certificate) that the entity who goes by the domain name of www.commbank.com.au also has a certain public key value (partly because it got paid to do this!) So if I can associate this public key with a connection then I have a high degree of confidence that I ve connected to the real www.commbank.com.au, as long as I am also prepared to trust Symantec, and their certificate issuance processes, and that the certificates that they issue are always genuine

  9. Domain Name Certification The Commonwealth Bank of Australia has generated a key pair And they passed a Certificate Signing Request to a company called Symantec (together with money) Symantec is willing to vouch (in a certificate) that the entity who goes by the domain name of www.commbank.com.au also has a certain public key value (partly because it got paid to do this!) So if I can associate this public key with a connection then I have a high degree of confidence that I ve connected to the real www.commbank.com.au, as long as I am also prepared to trust Symantec, and their certificate issuance processes, and that the certificates that they issue are always genuine

  10. Local Trust The cert I m being asked to trust was issued by a certification authority that my browser already trusts so I trust that cert!

  11. Local Trust or Local Credulity*? That s a big list of people to Trust Are they all trustable? *

  12. Local Credulity That s a big list of people to Trust Are they all trustable?

  13. Local Credulity That s a big list of people to Trust Are they all trustable?

  14. With unpleasant consequences when it all goes wrong International Herald Tribune Sep 13, 2011 Front Page

  15. Whats going wrong here? The TLS handshake cannot specify WHICH CA should be used to validate the digital certificate That means that your browser may allow ANY CA to be used to validate a certificate

  16. Whats going wrong here? The TLS handshake cannot specify WHICH CA should be used to validate the digital certificate That means that your browser may allow ANY CA to be used to validate a certificate

  17. Whats going wrong here? The TLS handshake cannot specify WHICH CA should be used to validate the digital certificate That means that your browser may allow ANY CA to be used to validate a certificate Here s a lock it might be the lock on your front door for all I know. The lock might LOOK secure, but don t worry literally ANY key can open it!

  18. Whats going wrong here? There is no incentive for quality in the CA marketplace Why pay more for any certificate when the entire CA structure is only as strong as the weakest CA And you browser trusts a LOT of CAs! About 60 100 CA s About 1,500 Subordinate RA s Operated by 650 different organisations See the EFF SSL observatory http://www.eff.org/files/DefconSSLiverse.pdf

  19. In a commercial environment Where CA s compete with each other for market share And quality offers no protection Than what wins in the market? ?

  20. In a commercial environment Where CA s compete with each other for market share And quality offers no protection Than what wins in the market?

  21. Where now? Option A: Take all the money out of the system! www.letsencrypt.org

  22. Where now? Option A: Take all the money out of the system! www.letsencrypt.org

  23. Where now? Option B: White Listing and Pinning with HSTS https://code.google.com/p/chromium/codesear ch#chromium/src/net/http/transport_security_s tate_static.json

  24. Where now? Option B: White Listing and Pinning with HSTS https://code.google.com/p/chromium/codesear ch#chromium/src/net/http/transport_security_s tate_static.json

  25. Where now? Option C: Use the DNS! cafepress.com/nxdomain

  26. Seriously just use the DNS Luke!* Where better to find out the public key associated with a DNS name than to look it up in the DNS? * Ok, that was a cheap shot my apologies to the Star Wars franchise!

  27. Seriously Where better to find out the public key associated with a DNS name than to look it up in the DNS? Why not query the DNS for the HSTS record (pinning record)?

  28. Seriously Where better to find out the public key associated with a DNS name than to look it up in the DNS? Why not query the DNS for the HSTS record? Why not query the DNS for the issuer CA?

  29. Seriously Where better to find out the public key associated with a DNS name than to look it up in the DNS? Why not query the DNS for the HSTS record? Why not query the DNS for the issuer CA? Why not query the DNS for the hash of the domain name cert?

  30. Seriously Where better to find out the public key associated with a DNS name than to look it up in the DNS? Why not query the DNS for the HSTS record? Why not query the DNS for the issuer CA? Why not query the DNS for the hash of the domain name cert? Why not query the DNS for the hash of the domain name subject public key info?

  31. Seriously Where better to find out the public key associated with a DNS name than to look it up in the DNS? Why not query the DNS for the HSTS record? Why not query the DNS for the issuer CA? Why not query the DNS for the hash of the domain name cert? Why not query the DNS for the hash of the domain name subject public key info?

  32. DANE Using the DNS to associated domain name public key certificates with domain name

  33. DANE Using the DNS to associated domain name public key certificates with domain name

  34. DANE

  35. TLS with DANE Client receives server cert in Server Hello Client lookups the DNS for the TLSA Resource Record of the domain name Client validates the presented certificate against the TLSA RR Client performs Client Key exchange

  36. TLS Connections DNS Name TLSA query https://rhsecurity.wordpress.com/tag/tls/

  37. Just one problem The DNS is full of liars and lies! And this can compromise the integrity of public key information embedded in the DNS Unless we fix the DNS we are no better off than before with these TLSA records!

  38. Just one response We need to allow users to validate DNS responses for themselves And for this we need a Secure DNS framework Which we have and its called DNSSEC!

  39. DNSSEC Interlocking Signatures . (root) . Key-Signing Key signs over . Zone-Signing Key signs over DS for .com (Key-Signing Key) .com .com Key-Signing Key signs over .com Zone-Signing Key signs over DS for example .com (Key-Signing Key) .example.com example.com Key-Signing Key signs over example.com Zone-Signing Key signs over www.example.com www.example.com

  40. DNSSEC Interlocking Signatures . (root) . Key-Signing Key signs over . Zone-Signing Key signs over DS for .com (Key-Signing Key) .com .com Key-Signing Key signs over .com Zone-Signing Key signs over DS for example .com (Key-Signing Key) .example.com example.com Key-Signing Key signs over example.com Zone-Signing Key signs over www.example.com www.example.com IN A 192.0.1

  41. DNSSEC Interlocking Signatures Is the KSK for . valid? . (root) Is the ZSK for . valid? . Key-Signing Key signs over . Zone-Signing Key signs over Is this DS equal to the hash of the KSK? Is the signature for this record valid? DS for .com (Key-Signing Key) .com Is the KSK for .com valid? .com Key-Signing Key signs over Is the ZSK for .com valid? .com Zone-Signing Key signs over DS for example .com (Key-Signing Key) Is this DS equal to the hash of the KSK? Is the signature for this record valid? .example.com Is the KSK for example.com valid? example.com Key-Signing Key signs over example.com Zone-Signing Key signs over Is the ZSK for example.com valid? www.example.com Is the signature for this record valid? www.example.com IN A 192.0.1

  42. DNSSEC Interlocking Signatures Is the KSK for . valid? . (root) Is the ZSK for . valid? . Key-Signing Key signs over As long as you have a valid local trust anchor for the root zone then you can validate a signed DNS response by constructing this backward path to the local root trust anchor . Zone-Signing Key signs over Is this DS equal to the hash of the KSK? Is the signature for this record valid? DS for .com (Key-Signing Key) .com Is the KSK for .com valid? .com Key-Signing Key signs over Is the ZSK for .com valid? .com Zone-Signing Key signs over DS for example .com (Key-Signing Key) Is this DS equal to the hash of the KSK? Is the signature for this record valid? .example.com Is the KSK for example.com valid? example.com Key-Signing Key signs over example.com Zone-Signing Key signs over Is the ZSK for example.com valid? www.example.com Is the signature for this record valid? www.example.com IN A 192.0.1

  43. DANE + DNSSEC Query the DNS for the TLSA record of the domain name and ask for the DNSSEC signature to be included in the response Validate the signature to ensure that you have an unbroken signature chain to the root trust point At this point you can accept the TLSA record as the authentic record, and set up a TLS session based on this data

  44. So we need DNSSEC as well as DANE How much DNSSEC Validation is out there?

  45. Do we do DNSSEC Validation? stats.labs.apnic.net/dnssec/XA

  46. Or

  47. Look! No DNS! Server packages server cert, TLSA record and the DNSSEC credential chain in a single bundle Client receives bundle in Server Hello Client performs validation of TLSA Resource Record using the supplied DNSEC signatures plus the local DNS Root Trust Anchor without performing any DNS queries Client validates the presented certificate against the TLSA RR Client performs Client Key exchange

  48. Where now? Browser vendors appear to be dragging the chain on DANE support DANE exists today as plug-ins rather than a core functionality Cynically, one could observe that fast but insecure is the browser vendors current preference!

Related


Gradual Fine-Tuning for Low-Resource Domain Adaptation: Methods and Experiments

Gradual Fine-Tuning for Low-Resource Domain Adaptation: Methods and Experiments

shania
Securing Domain Control with BGP Attacks and Digital Certificates

Securing Domain Control with BGP Attacks and Digital Certificates

kingst
Importance of Timely Verification in Care After Death

Importance of Timely Verification in Care After Death

willow
Understanding Injective and Surjective Functions

Understanding Injective and Surjective Functions

dinah
Program Verification via an Intermediate Verification Language

Program Verification via an Intermediate Verification Language

dee_ana
Challenges in Establishing a Secure Inter-Domain Routing System

Challenges in Establishing a Secure Inter-Domain Routing System

karlish
STM32WB BLE Secure Connections Overview

STM32WB BLE Secure Connections Overview

jeffreys_n
Evolution of Domain Name System (DNS) Since 1983

Evolution of Domain Name System (DNS) Since 1983

tric_985
Understanding the Basics of the Internet

Understanding the Basics of the Internet

louise
Understanding the Internet: A Comprehensive Overview

Understanding the Internet: A Comprehensive Overview

klawitter_b
Overview of Program Verification Tools and Techniques

Overview of Program Verification Tools and Techniques

bowe_635
Understanding Domain Adaptation in Machine Learning

Understanding Domain Adaptation in Machine Learning

demetria
Integrated Verification and Repair in Control Plane

Integrated Verification and Repair in Control Plane

buddy
Formal Verification and Automata Abstraction in Esterel

Formal Verification and Automata Abstraction in Esterel

edelweiss
Comprehensive Solution for EU Digital COVID Certificate Verification

Comprehensive Solution for EU Digital COVID Certificate Verification

mall878
Introduction to UVM: Verification Methodologies Overview

Introduction to UVM: Verification Methodologies Overview

wtav
Country Names in the Domain Name System (DNS)

Country Names in the Domain Name System (DNS)

tup_o
Understanding Domain Names for Authoritative DNS Servers

Understanding Domain Names for Authoritative DNS Servers

asy_mar
Understanding Internet Basics and Web Browsers

Understanding Internet Basics and Web Browsers

riur595
Evolution of Internet Technology in Tourism: A Comprehensive Study

Evolution of Internet Technology in Tourism: A Comprehensive Study

iolanthe
Understanding Secure Electronic Transactions (SET)

Understanding Secure Electronic Transactions (SET)

sobe_r
Software Bugs and Formal Verification in Critical Systems

Software Bugs and Formal Verification in Critical Systems

jama_ico
Implementing VPN for Secure Corporate Communication

Implementing VPN for Secure Corporate Communication

marquard_a
Understanding the Role of CCNSO Study Group on Emoji in the Internet Community

Understanding the Role of CCNSO Study Group on Emoji in the Internet Community

barkersw

More Related Content

Understanding Functions: Definitions and Arrow Diagrams
Understanding Functions: Definitions and Arrow Diagrams
Understanding Operating System Protection Principles
Understanding Operating System Protection Principles
Understanding Cross-Domain Policies in Web Application Security
Understanding Cross-Domain Policies in Web Application Security
Understanding the Domain Name System (DNS) Structure
Understanding the Domain Name System (DNS) Structure
Electors Verification Programme Overview
Electors Verification Programme Overview
Criticisms and Defenses of Verification and Falsification Principles
Criticisms and Defenses of Verification and Falsification Principles
Formal Verification of Cyberphysical Systems and Future Certification Methods
Formal Verification of Cyberphysical Systems and Future Certification Methods
Automated Static Verification of Higher-order Functional Programs
Automated Static Verification of Higher-order Functional Programs
Gradual Program Verification and its Techniques
Gradual Program Verification and its Techniques
Warning Verification and Scoring Guidelines in Weather Forecasting Workshop
Warning Verification and Scoring Guidelines in Weather Forecasting Workshop
Verification Modulo Versions: Towards Usable Verification
Verification Modulo Versions: Towards Usable Verification
SKA1 Low Assembly Integration & Verification Plan
SKA1 Low Assembly Integration & Verification Plan
ICAO Strategic Objective: Economic Development of Air Transport Verification and Validation Overview
ICAO Strategic Objective: Economic Development of Air Transport Verification and Validation Overview
Machine Learning and Artificial Neural Networks for Face Verification: Overview and Applications
Machine Learning and Artificial Neural Networks for Face Verification: Overview and Applications
Enhancing Security for XMSS and SPHINCS+ Using Machine-Checked Methods
Enhancing Security for XMSS and SPHINCS+ Using Machine-Checked Methods
Hierarchical Attention Transfer Network for Cross-domain Sentiment Classification
Hierarchical Attention Transfer Network for Cross-domain Sentiment Classification
Developing MPI Programs with Domain Decomposition
Developing MPI Programs with Domain Decomposition
Wyoming Eminent Domain Laws - Legal Updates and Negotiations
Wyoming Eminent Domain Laws - Legal Updates and Negotiations
Exploring the Classic Blocks World Domain
Exploring the Classic Blocks World Domain
Coping Behavior Variances in Adolescents with Varying Degrees of Internet Addiction
Coping Behavior Variances in Adolescents with Varying Degrees of Internet Addiction
Understanding the Basics of the Internet and World Wide Web
Understanding the Basics of the Internet and World Wide Web
Understanding Internet Connections and Services
Understanding Internet Connections and Services
Internet Society 2024 Action Plan Overview
Internet Society 2024 Action Plan Overview
Internet Overview in the Arab Region by ARISPA
Internet Overview in the Arab Region by ARISPA