This post looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack. While our research on the state of email delivery security shows that this attack is less prevalent than the TLS downgrade attack discussed in a previous post, it is equally effective at defeating email in-transit encryption. This post explains how the attack works, how it can be mitigated, and to what extent it also affects the security of websites. Before delving into how the attack works and its countermeasures, I will briefly summarize DNS and DNS MX records for readers who are not familiar with this aspect of the Internet.
If you are familiar with this topic, you can skip the next two sections. DNS (domain name system) records are used to translate a domain name, for example , into an Internet address, commonly called an IP address. This translation is needed because computers only know how to talk to an IP address, not to a domain name. The translation is also useful because it allows multiple servers and IP addresses to share the same domain name, which enables redundancy and scalability. It also makes the Internet faster by letting large sites and CDNs host the same content on many servers in many countries and return the IP address of the server nearest to the client when the client looks up the domain name.
This technique is called geoIP load balancing. DNS hijacking attacks work as follows. The attacker impersonates or compromises the DNS server that Alice's mail server queries to find out where to deliver Alice's email to Bob. Instead of returning the legitimate IP address, the DNS server returns the IP address of a server controlled by the attacker, as illustrated in the diagram above. Alice's server believes this IP address is the legitimate one for Bob's server and delivers the email to the rogue server.
The attacker reads the email and, to keep the attack invisible, forwards it to the real server. This attack is possible because DNS was not designed with security in mind: there is no default mechanism built into it to verify that a DNS answer was published by the rightful owner of the domain. This shortcoming will eventually be fixed by the deployment of DNSSEC and DANE. That deployment, and other ways to mitigate this type of attack, are discussed at the end of this post. Can an attacker use DNS hijacking to bypass HTTPS and read or intercept web pages? At the moment (2015) the answer is complicated, but hopefully in a few years the answer will be a simple no. Like email, until DNSSEC is deployed and enforced, websites are vulnerable to DNS hijacking. However, there are a few mitigations that make such attacks significantly harder than for email, at least until similar mitigations are deployed for email in transit, which is what Gmail and other large email providers are working on.
Here are the two key differences that make DNS attacks harder against websites. HTTP vs HTTPS separation: on the web, the unencrypted version of the protocol (HTTP) and the encrypted version (HTTPS) use different addresses and are treated differently by the browser's same-origin policy. When you enter a URL starting with https (e.g. ), you are instructing your browser to establish an encrypted connection.
In that context, a DNS hijacking attack does not help the attacker, because they would still need a valid certificate for the domain; otherwise the browser will refuse to establish the connection. So if you type a URL starting with https or click a link with the https prefix, you are safe. HTTP Strict Transport Security (HSTS): this specification helps mitigate what happens when you don't specify whether you want to talk to the server in the clear (http) or encrypted (https). Typing the URL directly into a browser is common, for example elie.net instead of .
In that case, the browser has no way of knowing whether you want the encrypted version of the site or not. For backward compatibility, since some sites don't support HTTPS yet, your browser defaults to the unencrypted version. HSTS mitigates this issue by allowing a website to tell browsers that they should only connect to it over HTTPS. Technically, a website sets HSTS by sending an HTTP header to the browser. Once the browser has received this header, every subsequent request to the site (and possibly its subdomains) is automatically upgraded to HTTPS by the browser.
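To make that upgrade behavior concrete, here is an added example (written for this post, not code from the original article or from any browser) that models a browser's HSTS store in Python: it parses the Strict-Transport-Security header, remembers the policy only when it arrived over HTTPS, honours includeSubDomains and max-age expiry, and rewrites http:// URLs before any request is sent. The HSTS_STORE dictionary, the function names and the example.net host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit
# Constructed in-memory model of a browser's HSTS store: host -> (expiry epoch seconds, includeSubDomains)
HSTS_STORE = {}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    None if the mandatory max-age directive is missing or malformed."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def remember_hsts(host, header, over_tls, now):
    """Store the policy a site sent. Only a header received over HTTPS counts (over
    plain HTTP an on-path attacker controls it); max-age=0 clears the entry."""
    parsed = parse_hsts(header) if over_tls else None
    if parsed is None:
        return False
    max_age, include_sub = parsed
    if max_age == 0:
        HSTS_STORE.pop(host.lower(), None)
    else:
        HSTS_STORE[host.lower()] = (now + max_age, include_sub)
    return True

def hsts_applies(host, now):
    """True if an unexpired policy covers host directly or via a parent with includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = HSTS_STORE.get(".".join(labels[i:]))
        if entry and now < entry[0] and (i == 0 or entry[1]):
            return True
    return False

def upgrade_url(url, now):
    """Rewrite http:// to https:// before the request leaves the browser when a policy
    applies; an explicit port 80 becomes the https default, other ports are kept."""
    p = urlsplit(url)
    if p.scheme != "http" or not hsts_applies(p.hostname or "", now):
        return url
    port = "" if p.port in (None, 80) else f":{p.port}"
    return urlunsplit(("https", p.hostname + port, p.path, p.query, p.fragment))
```

Times are passed in as plain epoch seconds so a run is reproducible; a real browser would use its clock.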
Therefore, this also protects against the class of attacks in which the attacker sends the victim a link starting with http:// in an attempt to intercept the communication, since the browser upgrades it to HTTPS before the request is sent over the network. The long-term solution to this problem is the deployment and enforcement of DNSSEC, which will hopefully make DNS hijacking an obsolete attack by requiring DNS records to be signed with the domain owner's private key. This guarantees that an attacker won't be able to send a spoofed DNS record to the client, because they can't forge the signature. This will protect every protocol, including SMTP and HTTP, against these attacks. In the shorter term, mail providers are working on developing a technology similar to HSTS but for SMTP traffic. This SSTS protocol (the name is yet to be defined) will let us pin a certificate and enforce that all emails are sent encrypted.
This will prevent both MX hijacking attacks and TLS downgrades for the providers that deploy it. The protocol is still at an early stage of specification, but hopefully deployment is not too far off. Today, signing emails with DKIM and enforcing that signing with DMARC help alleviate the problem by preventing an attacker from modifying intercepted emails. The attacker doesn't have access to the legitimate DKIM private key, so when the receiving server checks for the presence of DKIM and verifies the email's signature, it will reject the email if it was modified in any way. DMARC also helps detect attacks against your domain by letting you provide an email address at which you will receive statistical reports of how many emails have failed the DKIM signature check.
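Until DNSSEC is enforced, a domain owner can at least detect the MX hijacking described above by periodically comparing what resolvers return for their domain against a pinned baseline. The following is an added Python example (not code from the original post) that audits a constructed DNS snapshot: it flags MX hosts outside the expected set, MX hosts whose addresses fall outside the expected networks (the case where the attacker keeps the legitimate host name but changes its IP), and answers the resolver did not DNSSEC-validate (AD flag clear). The BASELINE values, host names and IP addresses are constructed, and the snapshot dictionaries stand in for a real resolver query.

```python
import ipaddress

# Constructed baseline for a monitored domain (hypothetical values): the MX hosts its
# owner published and the address blocks those hosts are known to live in.
BASELINE = {
    "mx_hosts": {"mx1.example.net.", "mx2.example.net."},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}

def parse_mx(rdata_lines):
    """Turn MX rdata text such as '10 mx1.example.net.' into (pref, host) pairs, hosts
    normalised to lower case with a trailing dot, lowest preference (tried first) first."""
    records = []
    for line in rdata_lines:
        pref, host = line.split()
        records.append((int(pref), host.lower().rstrip(".") + "."))
    return sorted(records)

def audit_mx(domain, snapshot, baseline=BASELINE):
    """Compare one DNS snapshot with the baseline and return a list of findings (empty
    when nothing drifted). `snapshot` holds the MX rdata lines, the A records of each
    MX host and the resolver's AD flag, i.e. whether the answer was DNSSEC-validated."""
    findings = []
    if not snapshot.get("ad"):
        findings.append(f"{domain}: answer not DNSSEC-validated (AD flag clear)")
    mx = parse_mx(snapshot["mx"])
    if not mx:
        findings.append(f"{domain}: no MX records, mail would fall back to its A record")
        return findings
    for pref, host in mx:
        if host not in baseline["mx_hosts"]:
            findings.append(f"{domain}: unexpected MX host {host} (preference {pref})")
        for ip in snapshot["a"].get(host, []):
            if not any(ipaddress.ip_address(ip) in net for net in baseline["networks"]):
                findings.append(f"{host} resolves to {ip}, outside the baseline networks")
    return findings

# Constructed snapshots: a normal day, then two hijack shapes, a rogue MX host inserted
# with the lowest preference and the legitimate host name pointed at a new address.
GOOD = {"mx": ["10 mx1.example.net.", "20 mx2.example.net."],
        "a": {"mx1.example.net.": ["203.0.113.10"], "mx2.example.net.": ["203.0.113.11"]},
        "ad": True}
ROGUE_HOST = {"mx": ["5 mx.rogue.example.", "10 mx1.example.net."],
              "a": {"mx.rogue.example.": ["198.51.100.7"], "mx1.example.net.": ["203.0.113.10"]},
              "ad": False}
ROGUE_ADDR = {"mx": ["10 mx1.example.net."], "a": {"mx1.example.net.": ["198.51.100.7"]},
              "ad": False}
```

Run `audit_mx("example.net", ROGUE_HOST)` to see all three finding types at once; an empty list means the snapshot matches the baseline.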
If you found this post useful, please share it on your favorite social networks. This helps me understand whether my posts are useful and motivates me to keep writing. Please also let me know if you would be interested in a series of posts on how email authentication technologies work.