Question:
Does DNS spoofing defeat SSL/TLS web security?
2012-05-07 10:35:35 UTC
I've been trying to understand exactly how SSL certificates work on a technical level to provide website security. I have a scenario in my head which I believe defeats SSL easily, and I'm wondering if someone can confirm. If someone was able to man-in-the-middle or otherwise become your DNS server, wouldn't it be possible for them to give you fake DNS responses, redirect your HTTPS://securewebsite.tld to their own machine, provide a certificate that website has from a well-known CA, and effectively trick your browser into thinking you're at the actual site, as from what I gather, all the SSL certification does is check domain name, and it will be right to your browser?
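The scenario in the question, worked through as an added example (not part of the original post): a toy client is sent by DNS to three machines and applies the same checks to each. Textbook RSA on small Mersenne primes stands in for the real handshake signature, and the CA name, IP addresses and fixed nonce are constructed; it assumes the attacker can copy the public certificate but holds neither the site's private key nor a trusted-CA certificate for the name.

```python
import hashlib

TRUSTED_CAS = {"Example Trusted CA"}  # constructed stand-in for the browser's root store

def make_key(p, q, e=65537):
    """Toy textbook RSA from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(transcript, n):
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % n

def sign(transcript, private):
    n, d = private
    return pow(digest(transcript, n), d, n)

# Real site: the certificate is public, the private key never leaves the server.
SITE_PUB, SITE_PRIV = make_key(2**31 - 1, 2**61 - 1)
SITE_CERT = {"name": "securewebsite.tld", "issuer": "Example Trusted CA", "key": SITE_PUB}

# Attacker: controls the spoofed IPs and has only a key pair of their own.
EVIL_PUB, EVIL_PRIV = make_key(2**13 - 1, 2**89 - 1)
FORGED_CERT = {"name": "securewebsite.tld", "issuer": "Attacker CA", "key": EVIL_PUB}

HOSTS = {  # IP -> that machine's reply: (certificate, signature over the transcript)
    "203.0.113.10": lambda t: (SITE_CERT, sign(t, SITE_PRIV)),     # real server
    "198.51.100.66": lambda t: (SITE_CERT, sign(t, EVIL_PRIV)),    # copied cert, wrong key
    "198.51.100.67": lambda t: (FORGED_CERT, sign(t, EVIL_PRIV)),  # own cert, untrusted issuer
}

def connect(typed_host, resolved_ip):
    """Client checks. The DNS answer only selects the peer; it is never trusted."""
    transcript = b"constructed-client-nonce|" + typed_host.encode()
    cert, signature = HOSTS[resolved_ip](transcript)
    if cert["issuer"] not in TRUSTED_CAS:
        return "reject: untrusted issuer"
    if cert["name"] != typed_host:
        return "reject: name mismatch"
    n, e = cert["key"]
    if pow(signature, e, n) != digest(transcript, n):
        return "reject: no proof of private key"
    return "accept"

if __name__ == "__main__":
    for ip in HOSTS:
        print(ip, "->", connect("securewebsite.tld", ip))
```
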
Three answers:
BurrintheSaddle
2012-05-07 10:45:09 UTC
No, for one reason: SSL is tied to the originating machine. The person would receive an error when browsing the spoof address.



SSL uses the reverse dns for address checking.



I manage several servers, and if I the web SSL to a "new physical" I have to regenerate the SSL CSR and CRT file.



Browsers will detect the mismatch and cross site errors and alert the user.



MITM only serves to give the appearance of the "same site" for the unwashed masses who are stupid enough to do a click through the browser alert.
2012-05-07 11:00:21 UTC
You might want to read this article first, then follow through with some threads from links provided in it (many are at the end of the article):

http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/



The fact that certs are 'trust on first use' by stock browsers leaves them vulnerable to various manipulations, resembling the scenario you describe.



Firefox, bolstered with a couple of add-ons, helps expose those attempts:

Certificate Patrol, HTTPS Everywhere, and Perspectives are helpful.

https://addons.mozilla.org/en-US/firefox/collections/dunbar-pappy/dunbarpappy/

Their respective websites describe the mechanical details.



Moxie Marlinspike and his group do some nice work.
2016-10-01 04:41:06 UTC
You will desire to checklist it firsts on your ISP. He can sparkling the cache of their DNS servers, and that would desire to get you lower back on course. A spoofed DNS oftentimes is desperate by the cache to do it particularly is works and as quickly as the cache is cleared, it is going to do a sparkling study on your appropriate I.P. handle. To objective if it particularly is the priority, have somebody you already know verify the IP from yet another region (and distinctive ISP) and notice in the event that they land up at your internet site, or on the spoofed internet site. Catching the unquestionably individual who did it particularly is only approximately impossible, or a minimum of somewhat confusing besides as time ingesting and high priced, and except you're keen to bear the brunt of those fees, it won't likely land up concerning catching the guy, or fines being in touch. Only be lifelike approximately it, the main needed element is you getting lower back on line.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.