[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

To: "[email protected]" <[email protected]>
Subject: Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
From: Christian Saunders <[email protected]>
Date: Fri, 22 Feb 2019 16:59:08 +0000
Accept-language: en-GB, en-US
Archived-at: <https://mailarchive.ietf.org/arch/msg/captive-portals/IVXdjRITEP725U8jT1bBNK2jHCs>
Authentication-results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sjrb.onmicrosoft.com
Authentication-results: spf=none (sender IP is ) smtp.mailfrom=[email protected];
Delivered-to: [email protected]
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SJRB.onmicrosoft.com; s=selector1-sjrb-ca; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=toU2lDPhDJGKo5yqrQLlf6UWnE/ishueQ4vwKeL9ITk=; b=Bi4gfnyKfrFY6jv7HJrB7mgOD/xqcI1veSccqwYg9Ho/MIW+/xxp6SFwtW2yG/om20mehOBqXdy+5bjiZjD9aQQ73h3VMLjRdaxqF7dM+OXwQdYo9pmBmKajNRrqPdMxezIxQ/uBk/2LWChuZMTTbsQHpCvddEi6o6Eg8HEveE4=
In-reply-to: <28703.1550853681@localhost>
List-archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-help: <mailto:[email protected]?subject=help>
List-id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-post: <mailto:[email protected]>
List-subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:[email protected]?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:[email protected]?subject=unsubscribe>
References: <11662.1550772024@localhost> <[email protected]> <28703.1550853681@localhost>
Thread-index: AQHUys/tc6dYs7blh06lnFEfyzMMBA==
Thread-topic: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1

On 2019-02-22 9:41 a.m., Michael Richardson wrote:
>    CAUTION: This email is from an external source. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> 
> Michael Richardson quoted:
>      > From https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
> 
>      > "The two people who did get popped, both were traveling and were on their
>      > iPhones, and they had to traverse through captive portals during the hijack
>      > period,” Woodcock said. “They had to switch off our name servers to use the
>      > captive portal, and during that time the mail clients on their phones checked
>      > for new email. Aside from that, DNSSEC saved us from being really, thoroughly
>      > owned.”
> 
> Christian Saunders <[email protected]> wrote:
>      > The active element here seems to be the forced use of insecure DNS
>      > servers.
> 
> I disagree.  It's due to forced use of the captive portal's DNS.
> A device will in general have no trust relationship with a captive portal.
> It has no reason to trust the captive portal to do DNS correctly
> (and no way to get privacy for the requests either).
> 
>      > The fact that the insecure DNS configuration was forced in order to navigate
>      > a Captive Portal is incidental, though unfortunate.
> 
> So to me, all captive portal DNS systems are by definition insecure.
> If one needs to do a DNS lookup in order to get traffic and get a
> redirection, then the portal is insecure.  And that's why we need an API that
> involves more than just capture port-80 and redirect.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     [email protected]  http://www.sandelman.ca/        |   ruby on rails    [
> 
> 
> 
> 
> _______________________________________________
> Captive-portals mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/captive-portals
> 

Point taken - and I agree with your reasons as well as your solution.

My meaning was only to suggest that there are other reasons/cases where 
a network or application may force a particular set of DNS servers and 
that users in those cases may be exposed to the same attack.

Christian Saunders
Sr. Software Architect, Wireless Core
Shaw Communications Inc.

References:
- [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
  - From: Michael Richardson <[email protected]>
- Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
  - From: Christian Saunders <[email protected]>
- Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
  - From: Michael Richardson <[email protected]>

Prev by Date: Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
Next by Date: Re: [Captive-portals] IETF 104 Prague -- call for agenda items
Previous by thread: Re: [Captive-portals] poor captive port design --- A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security
Next by thread: [Captive-portals] capport - New Meeting Session Request for IETF 104
Index(es):
- Date
- Thread