Podcast Jan 23, 2024

Root Causes 356: Will MPDV Eliminate Email-based DCV?

Multi-perspective Domain Validation (MPDV) is a necessary evolution of Domain Control Validation (DCV) to protect against Border Gateway Protocol (BGP) attacks. We explore how MPDV may affect accepted DCV methods, especially the email method.

  • Original Broadcast Date: January 23, 2024

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So we have a topic today - we talked not that long ago about MPDV, multi-perspective domain validation, and just a real quick capsule summary - the idea here is that people can use Border Gateway Protocol attacks, BGP attacks, essentially to fool DCV. And if you do that DCV from multiple different points, either logically or geographically, or both, you can beat those BGP attacks, and therefore prevent this attack against DCV. And this is what they call multi-perspective domain validation, which for the rest of the podcast, I think you and I will just reference as MPDV.

    So one of the questions that I think is worth asking is, are there methods of DCV that are not going to be MPDV tolerant? Or are there going to be methods of DCV, where MPDV is insufficient to protect against a BGP attack? And if there are, perhaps those methods need to change or go away, which I think is an interesting thing that the industry needs to think about.

  • Jason Soroko

    It is interesting. And Tim, by the way, Root Causes 327: What Is MPDV? if you want to catch up. So let's get back to this.

    Tim, whenever I am doing a DCV, a domain control validation, I pretty much without exception, will use the DNS method. And I like it because even though I don't like shared secrets, it is a really nice easy way of taking a shared secret, and essentially proving to my CA of choice that yes, I have control over the DNS of this domain, which means man, I own the domain, man. I do.

  • Tim Callan

    And that's probably - to the degree that you can make this argument - that's probably the cleanest and most secure of them. You're just right there in the DNS and you're saying, here I am, you know, with my hands on the control levers. Right? There are other methods. So that's a widely used and respected method.

    Another one, of course, is the HTTP method, which is where you basically install a file with the shared secret in it and the CA goes and they find that. Another method is using ACME. The ACME protocol. And yet another method, the one that I think is most interesting to me, is the email method.

    So how the email method works is there are a set of constructed email addresses that are allowed to be used and it's things like postmaster@, webmaster@. There's about seven of them, or so. And the CA can send the shared secret to one or all of these and then the subscriber, if they're able to receive that message, and close the loop on the secret, are deemed to be in control of that domain name. And this is the one that worries me because all I have to do is get that email and if I can use a BGP attack to cause that email to be delivered to me, then I have circumvented the DCV process using BGP.

  • Jason Soroko

    Yeah, Tim, and I'll tell you what, if I'm thinking about levels of difficulty for the bad guy, email takeover of some other kind, is probably easier than a BGP attack anyway.

  • Tim Callan

    Well, there you go.

  • Jason Soroko

    So there are already easier attacks against - you know, like, for example, the way that I'm doing it, right, let's use both of the alternatives. As an example, you would, as an attacker, have to take over my capability of administrating DNS. In the other case, you have to, as the attacker, successfully be able to modify files on my web server. Right?

  • Tim Callan

    Right.

  • Jason Soroko

    Which, you know, it's happened. We know that it's happened.

  • Tim Callan

    Sure.

  • Jason Soroko

    And what I will say, though, is that the sheer numbers of attacks against email implementations, Tim, I would say that it's the weakest.

  • Tim Callan

    Right. So that's an interesting point and we could build on that and perhaps we should in an independent episode to say is email-based DCV fundamentally insecure, right? Just like foundationally is it insecure to the point where it just shouldn't be a method.

    Within the context of BGP, in particular, it strikes me that this could be solved, right? I could send you a series of emails from three different places with three different shared secrets, and make you return all of those shared secrets. That would knock out the fundamental point behind how a BGP attack works, or three, or whatever the number, right. I'm making that number up. We don't know what the number is. But let's pretend for now that it's three. But would the subscriber be tolerant of this? Would they understand what's going on? Would they actually open and respond to three different emails? Or would they open and respond to the first one, and promptly ignore the other two because in their mind, they checked it off as being complete, right? I don't know about you but if I receive, you know, what appears to be two emails from the same source with what looks like the same thing, I just shrug and figure, ok, something stuttered somewhere and I respond to one of them, and I get on with my life.

    And so even if we could make it BGP resistant, I'm not clear that it works in the world of pragmatic use cases. It's a different matter when you're doing a DNS based DCV where my servers that are located on three different continents, go and look at DCV, or sorry, go look at your DNS and you don't know. You don't know how many servers are looking at your DNS and you don't care. Right? The email thing requires action from the subscriber in a very proactive and considered way and that strikes me as something that in the real world might have a very low success rate.

  • Jason Soroko

    I think, Tim, if I remember correctly, in that episode 327, we, at the very end of that podcast, said something that's very key to what you're bringing up now, which is, by the way, folks, the reason why we're teaching you about MPDV is because it's something we want you to know that your CAs are going to implement, and you don't have to worry about anything but you know, our podcast shows behind the scenes, and we’re showing you what's going on behind the scenes in the CA industry. And it's very important. So there you go.

    And what we said was, you don't have to go off and do anything. And you're absolutely right in saying that on the email side of things, you'd be forcing people to do something unnatural and from a security standpoint, how do you guarantee that the practitioner who's sending an email has done it from, you know, truly independent locations?

  • Tim Callan

    Actually, I think you're right, which is that I'm pretty darn sure we did predict that at the end of that episode. I think we’re dead on now that you bring it. We may have spoken prematurely. I'm not 100% convinced anymore that email DCV is going to survive or is going to survive without material alteration that makes it fundamentally harder for the subscriber to use.

  • Jason Soroko

    I know the email method is popular. But, on the other hand, you know, as a security practitioner, it makes me wince.

    And I think with BGP, I think your initial question is the right one, which is, will it survive the MPDV era? Because it'll just seem like, well, here's another Achilles heel in the whole system.

    And, you know, let's say BGP attacks, get, you know, people get really good at it because right now, it's hard. Right?

    But like every other type of attack, it can get kiddie scripted, you know, to some level. You know, there can be libraries written by real sharp people that just make it incredibly easy to implement. And I think, Tim, I remember playing with Metasploit and, you know, I've had my hands on Kali, you know, umpteen number of billion times over the past X number of years and it's a lot of fun because it's the white hats completely blowing the doors off of insecure systems. So the argument of security through obscurity just is never able to be used because it puts the attack in the hands of anybody with basic skills.

    And BGP is one of those things where you just don't see it because it's just too scary right now. We're not ready.

  • Tim Callan

    Right. But yeah, to your point, we've seen this with everything, every kind of security attack. Once upon a time, people were considered sophisticated if they were doing massive phishing attacks. Once upon a time people were considered sophisticated if they were doing cross site scripting. Those things now these things that are just now, you know, you just take them off the shelf in a jar. You know, at one point, this was the forefront, and I don't know enough about how it's done, but I can see it as being completely credible, that BGP will go through that same evolution over time.

  • Jason Soroko

    Correct. And so Tim, like I say, I think you need to add up the totality of attacks, potential attacks against email. And we may have to decide - whether BGP is used against it or not, my argument is, I think as an industry, we need to look at that and say, hey, is that below the threshold? The acceptable threshold of risk?

  • Tim Callan

    Yeah. And then so and I think all the other ones I believe should be ok. Everything should be able to be implemented on a CA, the multi-point strategy should work equally well. I really think email is probably the one that's going to need some scrutiny. Do you agree with that?

  • Jason Soroko

    I think it needs scrutiny. I'm definitely not declaring it, hey, this has got to be deprecated. I'm not saying that.

  • Tim Callan

    Yeah. Me neither. Me neither.

  • Jason Soroko

    What I am saying, though, is, I think you're calling it right, Tim. The post MPDV era where all the CAs have it implemented, is the point at which we say, hey, maybe it's time to really look at the email, you know, do we change it? Which nobody's gonna, like, if we change it.

  • Tim Callan

    No.

  • Jason Soroko

    And if we can't change it practically, then maybe we force people to prove that they have DNS access or, and I don't think it's something that's too far to have to ask, which is, can you at least put a file in your file system? Right?

  • Tim Callan

    Right.

  • Jason Soroko

    And I think that you have to do one or the other. Now, somebody very smart from the web hosting world might come to this podcast and say, yeah, but we need the email method, because the other two don't always work and we need the cert fast, etc., etc., right?

  • Tim Callan

    Yeah. I think where it comes up a lot is in large organizations where there's an extreme division of labor. Where I'm the person who is responsible for obtaining certificates and the people who are responsible for operating the DNS are different people and I don't have that. I don't have those rights. I don't have those privileges. I can't go do that. Right? And then the group of people who put files on the website are also different people. And I also don't have those privileges. So now all of a sudden, I have to coordinate with someone else in another department, perhaps in another building, perhaps in another country, in order for me to get certificates and under those circumstances, the email method is very popular, because I can do it all myself.

  • Jason Soroko

    100%. You've got it. The division of labor problem is the main reason why it still exists and that is the truth. However, a controversial statement. Why don't I just make one? If the CAs have to up their game with MPDV, for the good of everyone - I think it's a good idea - Let's up the bar. Let's up our game. Let's take away BGP attacks from the equation. Then what I like to say is, how about on the acquiring side of public trusted certificates, you guys up your bar as well?

  • Tim Callan

    Yeah. Or another way of kind of saying the same thing is, yes, it's inconvenient for you to have to coordinate with another department to get a file put onto your website but what's more inconvenient? That or being owned by a bad guy. Right?

  • Jason Soroko

    I would say if you're still using email as your DCV method, then I would say you better be watching your CT logs. That's a terrible thing to say but I'm gonna say it.

  • Tim Callan

    So yeah. So last point on this, and this was laced throughout the whole thing, but make it let it be clear, which is, while you and I are both predicting that MPDV is a sure thing in the future - and I'm predicting it's a 2025 reality is what I'm predicting - the actual implementation of it is not in any way settled and so you and I are kind of speculating and making things up - and that number three is completely made up - but you know, all of that is going to have to get worked out and the specifics of how that does get worked out might lead to a set of more informed and nuanced conversations that are subsequent generations to this conversation you and I are having right now. And there's a lot that's unknown about specifically how MPDV is going to be implemented and what's going to be required, right, what the rules are going to be that you have to follow. However, this strikes me as a big one. The potential elimination of an entire form of DCV would be a pretty big deal and a pretty major change in the world of public certs and it's worth thinking about because it might happen.

  • Jason Soroko

    Yeah. So in other words, this is a heads up episode. Where it's like, let's all be thinking about it. And it's a possibility that this might come up and if it's the end of the world for you, well, pipe up, but maybe there's other solutions that can be come up with and we're not going to solve it here right now, Tim. But, again, it's about heads up. This is coming.

  • Tim Callan

    Agreed. Agreed. And it is coming. MPDV. Again, I think it's a fait accompli. I think it's a sure thing. I think just the question is exactly how and exactly when and that's what we're talking about today. And by the way, I'm sure this isn't the last time we're going to have a conversation about this because it's going to be a pretty major change in the web PKI.

  • Jason Soroko

    Can I put an asterisk on the end of this podcast, Tim?

  • Tim Callan

    Please.

  • Jason Soroko

    You mentioned ACME as a protocol. As an alternative. I would say that just keep in mind folks, ACME can use all the above. ACME doesn’t have its own particular form of DCV. It uses those DCVs that we had mentioned previously.

  • Tim Callan

    Yep. Fair enough, Jay. Fair enough. All right. Thank you, Jason.

  • Jason Soroko

    Thank you.

  • Tim Callan

    This has been Root Causes.