Can Attackers Circumvent Domain Validation to Spoof Your Website?

September 9, 2018 | Scott Carter

Until this week, the spoofing websites used in phishing attacks usually had a tell. Whether they used a numeral instead of a character, a similar-but-not-identical spelling or a character from another alphabet, there was always something that would give them away. Even if it was visible only to machines and not the naked eye, there was a small difference that would distinguish a spoofed website from the genuine article.

But now, attackers may have access to new techniques that would cloud those distinctions. German researchers have discovered a way to circumvent domain validation and obtain fraudulent certificates for legitimate websites. The attack uses DNS poisoning to trick certificate authorities (CAs) into issuing fraudulent certificates and has apparently been “validated” at more than one (unnamed) CA.

The details of the vulnerability are still sketchy right now. The reason we know about it at all is that The Register has apparently seen an early copy of a report by German researchers. While the researchers plan to present the results in October at the ACM Conference on Computer and Communications Security in Toronto, the report itself is still not public.

But the implications of this vulnerability could be quite serious. This type of attack would make it significantly easier for hackers to set up legitimate-seeming spoofed sites. And those websites would look real because they would actually be using a certificate tied to the domain they were spoofing.

Here’s where it gets tricky. Inherently, there is nothing wrong with cyber criminals encrypting their own sites. They simply request legitimate certificates to secure sites that they legitimately own. On the other hand, the way they use those sites is often anything but legitimate. But if attackers can trick CAs into issuing fraudulent certificates for legitimate domains, then that’s a game changer.

Justin Hansen, security architect at Venafi, warns that, “The impact of this attack can be quite serious. If an attacker can successfully poison DNS for any domains owned by a targeted organization, they will be able to get a certificate for that organization, and everyone on the internet will trust it. The attacker can then do a whole range of malicious things with that domain.”

The SSL Store blog provides an excellent summary of how such an attack could play out:

“The attack is initiated by a DNS request. The attacker must then craft a correct DNS response before the actual response from the real name-server gets there. The technique actually ensures that the DNS domain validation checks the CA is attempting are performed, but using the attacker’s DNS server instead of the one associated with the targeted domain.”

According to the unpublished report: “The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.”

What can the industry do to prevent exposure to misuse of domain validation? Researchers suggest a new domain validation protocol to address the problem. Dubbed DV++, the new protocol would use a distributed model (much like the one used in blockchain) to send requests to multiple certification agents.

“To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain.”
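The quorum idea behind DV++ is easy to see in a small model. The following Python is an added illustration written for this post, not code from the article or from the researchers' DV++ implementation; the agent names, the `_validation` TXT label, the token values and the helper names are all constructed assumptions. It compares legacy validation through a single resolver (whose view an attacker has poisoned) with a CA that asks several independent agents and issues only when a majority of them saw the expected record.

```python
"""Toy model of DV++-style majority domain validation (added example).

Not code from the article or from the DV++ paper.  Names such as
validate_with_agents, the "_validation" label and the token strings are
assumptions made for this illustration.

Model: the CA runs N independent validation agents.  Each agent resolves the
domain's challenge record on its own and reports what it saw.  The CA issues
only if a strict majority observed the token the requester claims to have
published.  Poisoning the view of a single agent therefore fails, whereas
classic single-resolver validation would have been fooled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CHALLENGE_LABEL = "_validation"  # assumed TXT label queried by every agent

# A resolver returns the TXT value an agent sees for <label>.<domain>, or None.
Resolver = Callable[[str], Optional[str]]


@dataclass(frozen=True)
class AgentReport:
    agent: str
    observed: Optional[str]
    agrees: bool


def validate_with_agents(expected_token: str,
                         agents: Dict[str, Resolver],
                         quorum: Optional[int] = None) -> Tuple[bool, List[AgentReport]]:
    """Return (issued, per-agent reports).  Default quorum is a strict majority."""
    if not agents:
        raise ValueError("at least one validation agent is required")
    reports: List[AgentReport] = []
    for name, resolve in agents.items():
        seen = resolve(CHALLENGE_LABEL)
        reports.append(AgentReport(name, seen, seen == expected_token))
    needed = quorum if quorum is not None else len(agents) // 2 + 1
    agreeing = sum(1 for r in reports if r.agrees)
    return agreeing >= needed, reports


def honest_resolver(zone: Dict[str, str]) -> Resolver:
    """Agent that sees the authoritative zone exactly as the owner published it."""
    return lambda label: zone.get(label)


def poisoned_resolver(injected_token: str) -> Resolver:
    """Agent whose cache an attacker has poisoned: it reports the attacker's token."""
    return lambda label: injected_token


# --- constructed scenario (all values are made up for the illustration) -----
OWNER_TOKEN = "owner-proof-7f3a"        # what the real domain owner published
ATTACKER_TOKEN = "attacker-proof-91c0"  # what the attacker asked the CA to look for
AUTHORITATIVE_ZONE = {CHALLENGE_LABEL: OWNER_TOKEN}


def single_vantage_attack() -> bool:
    """Legacy DV: one resolver, and it is the one the attacker poisoned."""
    issued, _ = validate_with_agents(
        ATTACKER_TOKEN, {"ca-resolver": poisoned_resolver(ATTACKER_TOKEN)})
    return issued


def majority_attack(poisoned_agents: int, total_agents: int = 5) -> bool:
    """DV++: the attacker controls the view of `poisoned_agents` of `total_agents`."""
    agents: Dict[str, Resolver] = {}
    for i in range(total_agents):
        if i < poisoned_agents:
            agents[f"agent-{i}"] = poisoned_resolver(ATTACKER_TOKEN)
        else:
            agents[f"agent-{i}"] = honest_resolver(AUTHORITATIVE_ZONE)
    issued, _ = validate_with_agents(ATTACKER_TOKEN, agents)
    return issued


def legitimate_owner_request(total_agents: int = 5) -> bool:
    """The real owner published OWNER_TOKEN, so every honest agent sees it."""
    agents = {f"agent-{i}": honest_resolver(AUTHORITATIVE_ZONE)
              for i in range(total_agents)}
    issued, _ = validate_with_agents(OWNER_TOKEN, agents)
    return issued


if __name__ == "__main__":
    print("legacy single resolver, poisoned   ->", single_vantage_attack())     # True
    print("DV++, 1 of 5 agents poisoned       ->", majority_attack(1))         # False
    print("DV++, 3 of 5 agents poisoned       ->", majority_attack(3))         # True
    print("legitimate owner, 5 honest agents  ->", legitimate_owner_request())  # True
```

The third case is the caveat worth keeping in mind: a majority scheme only raises the bar to the number of agents an attacker would have to fool at once, which is why the agents need to be genuinely independent (different networks, different resolvers) rather than several copies of the same resolver.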

Until we know more about this vulnerability and how to prevent its exploitation, it’s important that organizations maintain overall visibility of all the certificates that are being used for every domain and subdomain they own. A certificate reputation service would also help them know if any are being used for nefarious purposes.
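One concrete form that visibility can take is reconciling the certificates seen in the wild for your domains against the ones you know you issued. The Python below is an added example, not code from the article or from any Venafi product; the `Cert` record layout, the domain names, issuers and serial numbers are constructed for the illustration, and in practice the observed list would come from Certificate Transparency logs or a discovery scan. It flags any certificate covering an owned domain (including subdomains and wildcards) whose issuer and serial are absent from the inventory, which is exactly the shape a fraudulently issued certificate would have.

```python
"""Reconcile publicly observed certificates against an internal inventory
(added example; not code from the article or from any product).

All record layouts, names and serials below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: str
    names: Tuple[str, ...]  # subject alternative names on the certificate


def matches_owned(name: str, owned_domains: Set[str]) -> bool:
    """True if `name` is an owned domain, a subdomain of one, or a wildcard under one."""
    host = name[2:] if name.startswith("*.") else name
    host = host.lower().rstrip(".")
    parts = host.split(".")
    # Walk up the hierarchy: a.b.example.com -> b.example.com -> example.com
    # (the bare TLD is never checked, since nobody in the inventory owns "com").
    for i in range(len(parts) - 1):
        if ".".join(parts[i:]) in owned_domains:
            return True
    return False


def find_unexpected(observed: Iterable[Cert], inventory: Iterable[Cert],
                    owned_domains: Set[str]) -> List[Cert]:
    """Return observed certificates for owned names that the inventory does not know."""
    known = {(c.issuer, c.serial) for c in inventory}
    owned = {d.lower() for d in owned_domains}
    unexpected: List[Cert] = []
    for cert in observed:
        if (cert.issuer, cert.serial) in known:
            continue  # we issued this one; nothing to do
        if any(matches_owned(n, owned) for n in cert.names):
            unexpected.append(cert)  # covers our name, but we never requested it
    return unexpected


# --- constructed sample data --------------------------------------------------
INVENTORY = [
    Cert("Example CA 1", "0x1001", ("www.example.com", "example.com")),
    Cert("Example CA 2", "0x2002", ("mail.example.com",)),
]

OBSERVED = INVENTORY + [
    Cert("Example CA 1", "0x1003", ("login.example.com",)),   # unknown: flag
    Cert("Other CA",     "0x0009", ("unrelated.test",)),      # not our domain: ignore
    Cert("Example CA 3", "0x3003", ("*.example.com",)),       # unknown wildcard: flag
]

OWNED_DOMAINS = {"example.com"}


def unexpected_serials() -> List[str]:
    """Serials of observed certificates for our domains that are not in the inventory."""
    return [c.serial for c in find_unexpected(OBSERVED, INVENTORY, OWNED_DOMAINS)]


if __name__ == "__main__":
    for cert in find_unexpected(OBSERVED, INVENTORY, OWNED_DOMAINS):
        print(f"UNEXPECTED  issuer={cert.issuer!r} serial={cert.serial} names={cert.names}")
```

Matching on issuer plus serial rather than on the domain name is deliberate: an attacker who obtains a certificate for your domain gets a perfectly good name match, and the only thing that distinguishes it from yours is that your inventory never recorded that issuance.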

Do you have a complete inventory of all the certificates in your organization?

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
