Research paper by Tobias Fiebig on the security risks of Domain-Validated Certificates
Assistant professor Tobias Fiebig from the ESS department recently published a research paper that presents a new procedural way to reduce the risks of Domain-Validated Certificates. The paper, titled ‘Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates’, was co-written with scientists from, among others, the University of California.
People tend to set DNS names for servers they have in the cloud. For example, they set a DNS record for vpn.mycompany.com. However, when they later release the server because they no longer need it, they do not delete the DNS entry. The DNS entry becomes “stale”. In the paper the researchers demonstrate that it is relatively easy to obtain the IP address that a stale DNS entry points to. Whoever holds that address can then use Let’s Encrypt to get a certificate for that domain. If users who used vpn.mycompany.com then go to vpn.mycompany.com, they are presented with a seemingly legitimate website that can relatively easily coerce them into, e.g., downloading malicious software disguised as “a new version of your VPN client”. As this risk is mostly caused by human factors and procedural issues, the researchers propose a procedural way to mitigate it.
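A defender can look for such stale entries by comparing the zone's address records with the cloud addresses the organisation currently holds. The Python sketch below is an added example, not code from the paper and not the mitigation the researchers propose; the zone excerpt, provider ranges and inventory are constructed sample data, and `parse_zone` and `find_stale` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data, not taken from the paper.
ZONE = """\
; mycompany.com zone excerpt (constructed)
vpn.mycompany.com.    300 IN A    203.0.113.10
www.mycompany.com.    300 IN A    203.0.113.25
mail.mycompany.com.   300 IN A    192.0.2.8
old.mycompany.com.    300 IN AAAA 2001:db8:10::5
docs.mycompany.com.   300 IN CNAME www.mycompany.com.
"""
CLOUD_RANGES = ["203.0.113.0/24", "2001:db8:10::/48"]   # assumed provider pools
ALLOCATED = ["203.0.113.25"]                            # assumed current inventory


def parse_zone(text):
    """Return (name, address) pairs for every A/AAAA record in a zone excerpt."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if len(fields) != 5 or fields[3] not in ("A", "AAAA"):
            continue
        try:
            records.append((fields[0], ipaddress.ip_address(fields[4])))
        except ValueError:
            continue   # malformed address: skip rather than guess
    return records


def find_stale(records, cloud_ranges, allocated):
    """Names whose address is in a cloud pool but no longer in our inventory."""
    pools = [ipaddress.ip_network(r) for r in cloud_ranges]
    owned = {ipaddress.ip_address(a) for a in allocated}
    stale = []
    for name, addr in records:
        in_cloud = any(addr.version == p.version and addr in p for p in pools)
        if in_cloud and addr not in owned:
            stale.append((name, str(addr)))
    return stale


if __name__ == "__main__":
    for name, addr in find_stale(parse_zone(ZONE), CLOUD_RANGES, ALLOCATED):
        print(f"STALE {name} -> {addr}: remove the record or reclaim the address")
```

Records outside the listed cloud ranges (here mail.mycompany.com) are left alone, since this check only concerns addresses that return to a shared provider pool when released.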