[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029

Shreyas Zare shreyas at technitium.com
Fri Apr 25 06:44:36 EDT 2025


On 4/25/2025 6:45 AM, Ron Garret wrote:
>> On the other hand, with traffic re-routing, you can get an SSL/TLS cert from LE if you are on-path to the web server that the domain name resolves to [2]. And then use that cert to do MITM on people you lured to use your public hot spot.
> That is a very different scenario than the one I was referring to.  In order to get an LE cert you have to mount (at the very least) a BGP attack.  That is a lot harder than setting up a public wifi hotspot, and beyond the capabilities of most script kiddies.  If script kiddies could mount BGP attacks, the entire world economy would collapse overnight.

The BGP hijack example that I used was to highlight what many would 
otherwise think is impossible to pull off. There are several other ways 
it can be done without using BGP. If you do a traceroute from your web 
server to LE's HTTP challenge endpoint, all hops that you see are 
potential points that can do MITM to get the same cert that you would 
from LE with HTTP challenge. It just takes a network admin with access 
to one of the routers or someone who has a key logger running on his 
system. There are many network admins to target; you just need one to 
click on your social engineering link.

The MITM setup is really simple: just get a VM (routing enabled) with 
web server + certbot running with a loopback interface configured with 
the static IP of the target. Now, they just need to insert a route with a 
lower metric or a very specific route to the target and set this VM as 
the gateway for the few seconds that certbot takes to complete the 
challenge. Also, you need not have physical access to the router. A 
lot of routers support VPN too, so you could use a tunnel that connects 
to the VM directly.

It's sure tough for script kiddies but it's still feasible for someone 
motivated enough.


> The problem with DANE is that no mainstream browsers support it.  Fixing that is probably as challenging as fixing BGP.

It's just that browsers are unwilling to implement it. It would hardly 
take them a few weeks to roll it out if they want to.


Regards,
*Shreyas Zare*
Technitium <https://technitium.com/>