[Cryptography] Against against DNS (Re: New SSL/TLS certs to each live no longer than 47 days by 2029)
John Levine
johnl at iecc.com
Mon May 5 14:25:43 EDT 2025
It appears that Jon Callas <jon at callas.org> said:
>
>> On May 4, 2025, at 19:42, jrzx <jrzx at protonmail.ch> wrote:
>>
>>
>> DNS is inherently vulnerable to governments hijacking domain names, and it is a big problem. It would seem also
>> inherently vulnerable to man in the middle attacks, but this does not seem to be a problem. What prevents that from
>> being a problem?
>
>There are many reasons, in my opinion. They fall into two broad categories, and I'll go into each of them. They are:
>
>* How an MiTM works. (Spoiler: not the way most people think.)
>* How DNS (and TLS) works. (Spoiler: not the way most people think.)
I agree with everything you've said but I'd add another 1 1/2 points.
One is that DNS MITM is extremely common. Most public DNS caches and many
private ones block or redirect requests to bad sites for versions of "bad"
ranging from malware to CSAM to pirated movies. It's generally considered a
feature, or in some cases required by local law.
There's also malware that does DNS MITM, like this trendy Chinese one that uses
IPv6 SLAAC to get Windows machines to use its DNS cache which returns fake IPv4
addresses of software update servers which then install backdoored updates of
popular software like Tencent and Baidu on victim machines:
https://passionategeekz.com/hackers-use-ipv6-slaac-to-hijack-software-updates-with-spellbinder-malware/
>Moreover, there are scores of impersonation attacks that are devastating, and not MiTMs. In a real-world example, there
>was a phishing operation that used a spoofed retailer. As I remember it, the retailer was Amazon, and let's just call
>the spoof 4mazon (in my mind, I pronounce it "Formazon").
The current version of that is the unpaid toll or undelivered package RCS or
iMessage, which directs you to a cloned version of a toll agency or post office
web site which steals your credit card info. Gary Warner at the U of Alabama
Birmingham has done some great research and found a Chinese ecosystem of text
message phishers with spiffy point and click services to make a malicious clone
of whatever web site you want to impersonate. They all use lookalike domains, no
DNS magic needed.
R's,
John
PS: Quite a long time ago Rodney Joffe told me that he was in Egypt and for some reason
tried to look at the Red Cross web site and kept getting the Red Crescent instead. He
did a packet trace and found that he was getting back fake DNS results, I think by the
network routing the port 53 traffic to its own server. This is not new.
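As an added example, not part of this thread or anyone's posted code: a small defender-side check for the lookalike-domain pattern discussed above, which folds digit and homoglyph substitutions such as "4mazon" back to the brand they imitate before comparing hostnames against a watchlist. The confusable map, brand list and allowlist are constructed assumptions, not data from the thread.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed confusable map (an assumption, not from the thread): swaps seen in
# lookalike domains, such as the digit-for-letter "4mazon". Multi-char keys come
# first so "rn" collapses to "m" before single characters are mapped. The \u
# escapes are Cyrillic letters that render identically to Latin ones.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Constructed watchlist: brand strings to protect, and hostnames allowed to carry them.
BRANDS = ["amazon", "paypal", "usps"]
ALLOWLIST = ["amazon.com", "paypal.com", "usps.com"]


def skeleton(label: str) -> str:
    """Fold one host label: lowercase, strip accents/combining marks, map confusables."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def is_allowlisted(host: str, allow=ALLOWLIST) -> bool:
    """True when host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allow)


def lookalike(host: str, brands=BRANDS, allow=ALLOWLIST, threshold=0.85):
    """Return (brand, reason) when host impersonates a watched brand, else None."""
    host = host.lower().rstrip(".")
    if "xn--" in host:  # decode IDN (punycode) labels to their Unicode form
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if is_allowlisted(host):
        return None
    for piece in host.replace("-", ".").split("."):  # e.g. "4mazon-login" -> two pieces
        sk = skeleton(piece)
        for brand in brands:
            if brand in sk:
                return brand, f"{piece!r} folds to {sk!r}, which contains {brand!r}"
            ratio = SequenceMatcher(None, sk, brand).ratio()
            if ratio >= threshold:
                return brand, f"{piece!r} is {ratio:.2f} similar to {brand!r}"
    return None
```

Run it over hostnames pulled from message links or DNS query logs; a hit means the name folds to a watched brand without being one of its allowlisted domains.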