π
Original date posted:2013-12-08
π Original message:On Sun, 8 Dec 2013 13:14:44 -0800, Gregory Maxwell wrote:
> On Sun, Dec 8, 2013 at 1:07 PM, Drak <drak at zikula.org> wrote:
>> Simple verification relies on being able to answer the email sent to
>> the
>> person in the whois records, or standard admin/webmaster@ addresses
>> to prove
>> ownership of the domain
>
> Godaddy and many other CA's are verified from nothing other than a
> http fetch, no email involved.
It's just as easy to steal emails via a BGP or DNS redirect anyway..
you could even take over the actual domain at the registry level by
stealing a password reset via BGP or DNS redirect and actually many
registries will hand over control of a domain by faxing them a forged
driving license in the owner's name anyway so it doesn't even really
need to be a particularly sophisticated attacker. Once you have registry
control of the domain it's easy enough to get an SSL cert too, probably
even an 'extended validation' one.
When Afghanistan was taken over the entire .af TLD was probably
transferred using a forged fax to ICANN
(http://web.archive.org/web/20041017031020/http://www.iana.org/cctld/af/razeeq-letter-13aug02.pdf)
but I guess that's a little different :p
Rob
Robert McKay [ARCHIVE] /
npub1t6β¦he2py
2023-06-07 17:10:32
in reply to nevent1qβ¦kfzt
Author Public Key
npub1t6suh64e65qzzjtthffl6sa3cagp6k9usnx4qev4jsjzf7xud8psdhe2pyPublished at
2023-06-07 17:10:32Event JSON
{
"id": "4f76b5709e14ca7d7b0bd06328159e1e86d0f8e062a09afc63405bfd205aec06",
"pubkey": "5ea1cbeab9d50021496bba53fd43b1c7501d58bc84cd506595942424f8dc69c3",
"created_at": 1686150632,
"kind": 1,
"tags": [
[
"e",
"d517aa463a22abef5f03468f652eeefb44676da99926537d88111078c3e0468b",
"",
"root"
],
[
"e",
"cbc992d7a650ca283c94fa9b715f00970eeffbd9c8402e1d4b9b80e01cfdcd08",
"",
"reply"
],
[
"p",
"4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73"
]
],
"content": "π
Original date posted:2013-12-08\nπ Original message:On Sun, 8 Dec 2013 13:14:44 -0800, Gregory Maxwell wrote:\n\u003e On Sun, Dec 8, 2013 at 1:07 PM, Drak \u003cdrak at zikula.org\u003e wrote:\n\u003e\u003e Simple verification relies on being able to answer the email sent to \n\u003e\u003e the\n\u003e\u003e person in the whois records, or standard admin/webmaster@ addresses \n\u003e\u003e to prove\n\u003e\u003e ownership of the domain\n\u003e\n\u003e Godaddy and many other CA's are verified from nothing other than a\n\u003e http fetch, no email involved.\n\nIt's just as easy to steal emails via a BGP or DNS redirect anyway.. \nyou could even take over the actual domain at the registry level by \nstealing a password reset via BGP or DNS redirect and actually many \nregistries will hand over control of a domain by faxing them a forged \ndriving license in the owner's name anyway so it doesn't even really \nneed to be a particularly sophisticated attacker. Once you have registry \ncontrol of the domain it's easy enough to get an SSL cert too, probably \neven an 'extended validation' one.\n\nWhen Afghanistan was taken over the entire .af TLD was probably \ntransferred using a forged fax to ICANN \n(http://web.archive.org/web/20041017031020/http://www.iana.org/cctld/af/razeeq-letter-13aug02.pdf) \nbut I guess that's a little different :p\n\nRob",
"sig": "02e8de3c71bb6fcaea201cbdf2527d06320e53fdba5dd49ffedfa97288c720e65e255d47ba7114e24d8baca7dc35196ba7529759bfb400a53fc48aa2d126ad52"
}