[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47) days by 2029

Jon Callas jon at callas.org
Mon May 5 01:23:39 EDT 2025


> On May 4, 2025, at 19:42, jrzx <jrzx at protonmail.ch> wrote:
> 
> 
> DNS is inherently vulnerable to governments hijacking domain names, and it is a big problem.  It would seem also inherently vulnerable to man in the middle attacks, but this does not seem to be a problem.  What prevents that from being a problem?


There are many reasons, in my opinion. They fall into two broad categories, and I'll go into each of them. They are:

* How an MiTM works. (Spoiler: not the way most people think.)
* How DNS (and TLS) works. (Spoiler: not the way most people think.)

So let's start with the first. The way most people think an MiTM works is not the way they really work. Most people think that it is some sort of uber-eavesdropping attack. They even might think of it in a stylized way like the stereotypical FBI wiretapper attaching alligator clips to a phone line and listening in. That's completely the wrong way to view it.

An MiTM is not an eavesdropping attack, it's an *impersonation* attack. Now, mind you, eavesdropping is part of the attack. While eavesdropping might be necessary (more later), it is not sufficient. An MiTM is not the FBI agent, an MiTM is another staple of mid-century modern comedies -- the person holding two phones at a time. Likely you've seen this where some comic figure has two phones, one in each hand, receiver to each ear and is talking into both of them in real time. Alice and Bob each think they're talking to the other, while they are actually each talking to Mallory and Mallory must impersonate Alice to Bob and Bob to Alice without giving the game up. If you're Mallory, the whole jig is up if they so much as know you're there. (The FBI agent also needs to go undetected, but it's easier when you're only listening -- Mallory has to listen and talk.) Mallory has to actively pretend to be both Bob and Alice at the same time. It's not *just* being in-path.

This is closely related to why the usual mitigations against MiTM are mitigations against impersonation. They include reading key fingerprints or safety numbers (or truncated versions, like the Short Authentication String ZRTP and other protocols use), Key Transparency (and relatives like Certificate Transparency), and cryptographic mechanisms like commitments. They're all ways to break an impersonation, because an MiTM is an impersonation attack -- and the hardest impersonation because it's a simultaneous, double impersonation that extends from the syntax of the communications to its semantics. If either Alice or Bob detects something weird, or even vague ("hey, I'm getting a weird echo") they'll drop the connection and try again and at best, Mallory has to do all that work over again.

I believe that we spend far too much time worrying about MiTMs. The real thing to worry about is an impersonation. Any mitigation to impersonation attacks is a mitigation to MiTM. Obviously, we must consider the attack of a double-impersonation, because fixing a single-impersonation leaves a whole lot of things open (this is the TLS WebPKI issue -- certificates are a mitigation against the web site impersonating to Alice), but the thing we need to prevent is an impersonation. MiTMs are the evilest, nastiest subset of impersonations, don't get me wrong -- I'm not saying we don't need to consider them. I'm saying we need to go up a level and look at the general set of impersonation mitigations, and the MiTM mitigations tag along for free.

Moreover, there are scores of impersonation attacks that are devastating, and not MiTMs. In a real-world example, there was a phishing operation that used a spoofed retailer. As I remember it, the retailer was Amazon, and let's just call the spoof 4mazon (in my mind, I pronounce it "Formazon"). 

4mazon was an Amazon clone. They went to Amazon, pulled down lots of assets like pictures, page elements, etc. When Alice went to 4mazon, they put up a site that looked exactly like Amazon -- because it was. But it wasn't a true MiTM, it was an impersonation of Amazon. When Alice finally went and bought something, then 4mazon would leap into place and contact Amazon, log in as Alice, and then do something like stick an expensive, easily fenced item into the shopping cart and send it to some other address than Alice's. And then later, Alice gets a refund because it's an obvious error. This is a lot like an MiTM, but it's something else. It's much more like the physical-space case where some scammers created fake Apple Stores in China that were nearly-perfect replicas, and they sold knock-off items or stolen or cloned ones. Often the customers had no idea anything was amiss.

Imagine if 4mazon did things where they were fronting Amazon again, but also had a connection to Temu and if you bought something from Amazon that was cheaper from Temu, they bought it for you on Temu and pocketed the difference. Perhaps the S-class version of this is where 4mazon is a collection of drop-ship sites and pocketing the difference in prices.

This isn't precisely an MiTM, it's both simpler from an attacker aspect, and while there are definitely some subsets that are very much like an MiTM, it transcends an MiTM in my opinion and is far cooler than a mere MiTM.

Okay, let's put this on pause and go on to the next one, the nature of DNS.

As you note, there are a lot of ways to break DNS. In the simplest version of it, Alice flings a UDP packet (unreliable transport, no protection) to a resolver and gets an answer back. As long as there's been DNS, the classic attacks have been there, like DNS cache poisoning. If Mallory can poison the cache, then an MiTM is unnecessary. The legit resolver will just hand Alice the answer Mallory has primed in the cache. Note that this is a lot like the 4mazon phishing site. Mallory is not interposing in the conversation between Alice and the resolver, Mallory is shaping the conversation with a few active things in a mostly passive role.

I could go on, but I think I have already given an answer that might not be completely satisfactory, but can't be a lot more satisfactory. I hope you get the gist of it -- the reason we don't see MiTMs is that a true MiTM is really hard to pull off well. It's easier to pull off some sort of off-to-the-side attack that isn't quite an MiTM and is a lot easier to do. Moreover, any mitigation against the easy attack is also a mitigation against the hard attack, so why even do the hard one? Just do the easy one and it either works or it doesn't. Impersonation is hard. Double impersonation is more than twice as hard. So design your attack so you do the fewest number of hard things.

	Jon
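An added illustration of the two points made above (not code from Jon's message or the original thread): a toy Diffie-Hellman exchange is run once directly and once through an active impersonator, and both ends then compute a short authentication string (SAS) from the public values they actually saw. The group parameters, the six-hex-digit SAS length and the class names are constructed for this example; the SAS derivation is a simplified stand-in for what ZRTP does, not ZRTP's actual algorithm. It shows why the "two phones" view is the right one: Mallory has to keep two separate sessions alive, and comparing fingerprints catches the substitution regardless of how well the rest of the impersonation goes.

```python
"""Toy DH exchange with and without an active impersonator, checked by an SAS.

Added example; not code from the mailing-list post. Group parameters are for
illustration only: a real deployment uses a standardized group (e.g. an RFC 7919
ffdhe group) or X25519, and a real SAS follows the protocol spec (e.g. ZRTP).
"""
import hashlib
import secrets

# Constructed toy parameters: p is prime (2^255 - 19), g = 2. Not a vetted DH group.
P = 2**255 - 19
G = 2
SAS_HEX_DIGITS = 6  # constructed: length of the string the users read to each other


class Party:
    """One endpoint holding a DH key pair and the public value it received."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.peer_pub = None

    def receive(self, peer_pub):
        self.peer_pub = peer_pub

    def shared_secret(self):
        return pow(self.peer_pub, self.priv, P)

    def sas(self):
        # Hash both public values in a fixed (sorted) order so that two honest
        # ends compute the same digits; any substituted key changes the string.
        data = b"".join(v.to_bytes(32, "big") for v in sorted((self.pub, self.peer_pub)))
        return hashlib.sha256(data).hexdigest()[:SAS_HEX_DIGITS]


def direct_exchange(alice, bob):
    """Honest exchange: each side sees the other's real public value."""
    alice.receive(bob.pub)
    bob.receive(alice.pub)


def impersonated_exchange(alice, bob, facing_alice, facing_bob):
    """Mallory holds 'two phones': one key pair toward Alice, another toward Bob."""
    alice.receive(facing_alice.pub)
    facing_alice.receive(alice.pub)
    bob.receive(facing_bob.pub)
    facing_bob.receive(bob.pub)


def run(intercepted):
    """Run one exchange and report what each side can observe.

    Returns a dict with whether Alice and Bob ended up with the same secret,
    whether their SAS strings agree (the check users perform aloud), and whether
    the impersonator, if present, knows both sides' secrets.
    """
    alice, bob = Party("Alice"), Party("Bob")
    mallory_knows_both = False
    if intercepted:
        facing_alice, facing_bob = Party("Mallory->Alice"), Party("Mallory->Bob")
        impersonated_exchange(alice, bob, facing_alice, facing_bob)
        mallory_knows_both = (
            facing_alice.shared_secret() == alice.shared_secret()
            and facing_bob.shared_secret() == bob.shared_secret()
        )
    else:
        direct_exchange(alice, bob)
    return {
        "secrets_match": alice.shared_secret() == bob.shared_secret(),
        "sas_match": alice.sas() == bob.sas(),
        "mallory_knows_both": mallory_knows_both,
    }


if __name__ == "__main__":
    print("direct:      ", run(intercepted=False))
    print("impersonated:", run(intercepted=True))
```

In the intercepted run the two ends hold different secrets and read different SAS digits to each other, so the double impersonation is exposed the moment the humans compare strings; the same comparison would also expose a passive relay that swapped keys but did not hold its own sessions, which is the sense in which a mitigation against impersonation covers the MiTM case for free.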

