Can we prevent DNS-based attacks with SSL/TLS?

Question

Consider the following scenario giving a hypothetical attack:

Crypto.com is selling cryptostocks and accepts payments using a payment processor PayEasy.com. The entire site pages (of crypto.com) are served using HTTPS.
While traveling in a foreign country, Bob visits crypto.com on his laptop from his hotel network and clicks on the “buy now” button for 10 cryptostocks. He is forwarded to PayEasy.com using a link <a href='https://PayEasy.com/pay?amt=100&id=bob'/>
An attacker (such as the ISP) manages to redirect all traffic intended for PayEasy.com from Bob’s computer to a fake site he has set up called PayEazy.com. When Bob makes a DNS query for PayEasy.com, the attacker returns the IP address of PayEazy.com.This site also has an HTTPS connection using a genuine SSL obtained from a CA using "domain-validation". The certificate confirms that the site is served by payeazy.com. An attacker must do this, since otherwise Bob’s browser will give a warning and may fail the attack. Thus, Bob effectively clicks a link equivalent to <a href='https://PayEazy.com/pay?amt=100&id=bob'/>
Bob never suspects anything because he sees the green bar and he has not even bothered to read on crypto.com’s site that it uses PayEasy.com. Even if Bob did know that PayEasy.com is crypto.com’s payment processor, he does not notice the slight difference in PayEazy.com. Bob makes the payment of $100 for 10 cryptostocks and waits but they never arrive.
Bob assumes Crypto.com is a scammer and sues them. As the case unfolds, Crypto.com’s lawyers ask Bob to prove that Crypto.com sent him to https://PayEazy.com instead of https://PayEasy.com. Bob cannot prove this and loses. The case could have gone either way since even Crypto.com could not have proved that they indeed sent Bob to https://PayEasy.com and not https://PayEazy.com

Firstly, is this attack realistic. Secondly, how to prevent it? (This is similar to the example given in the article Schneier's PalmPilot)

As an example of this attack: https://google.com is a secure link to google.com. Assuming that this site (security.stackexchange.com) is served over HTTPS. Now edit your 'hosts.file' so that the IP address of google.com points to yahoo.com and click the above link.

Unless both an ISP and a CA are coordinating on this attack (extremely unlikely, and we have much bigger problems.) then the ISP would not be able to redirect Bob's traffic to PayEazy.com without Bob's browser alerting him that the domain's certificate doesn't match the one he intended to visit. — sethmlarson, Jan 15 '16 at 16:32
"An attacker (such as the ISP) manages to redirect all traffic intended for PayEasy.com from Bob’s computer to a fake site he has set up called PayEazy.com" - How would the attacker be able to change the link (from PayEasy.com to PayEazy.com) when the link is being served from Crypto.com by HTTPS, and the attacker (presumably) does not have a valid CA-signed certificate for Crypto.com in order to pull-off a MITM attack for this site? — mti2935, Jan 15 '16 at 16:36
@mti2935 I believe he means redirect by saying the ISP simply routes all traffic from PayEasy.com to PayEazy.com, not physically changing the content of the web page served to Bob. — sethmlarson, Jan 15 '16 at 16:38
Oasiscircle: In that case, the user's browser would warn him of a certificate mismatch. He clicked a link for PayEasy.com, so browser requested PayEasy.com, but the site served a certificate for PayEazy.com. — mti2935, Jan 15 '16 at 16:40
When Bob makes a DNS query for PayEasy.com, the attacker returns the IP address of PayEazy.com. — Jus12, Jan 15 '16 at 16:42
Jus12: See comments above. This would cause a certificate error in Bob's browser, because he requested PayEasy.com, but the site he is being served does not have a valid CA-signed cert for PayEasy.com. — mti2935, Jan 15 '16 at 16:46
@mti2935 But Bob's browser *does not* know that Bob *intended* to visit payeasy.com. According to the browser, Bob opened payeazy.com and the certificate matches. — Jus12, Jan 15 '16 at 16:48
Oasiscircle: Yes, we're saying the same thing. It wasn't clear from OP's post whether he was describing an attack where the link to PayEasy.com served from Crypto.com is tampered with (which is impossible because it is being served over HTTPS) - or whether the link to PayEasy.com is left in tact, but Bob is somehow redirected to another site after he clicks the link to PayEasy.com. Either way, either attack would be impossible to pull off without the attacker having a compromised certificate for ether Crypto.com or PayEasy.com. — mti2935, Jan 15 '16 at 16:50
Jus12: Does the page served from Crypto.com contain a link to PayEasy.com or PayEazy.com? — mti2935, Jan 15 '16 at 16:51
@mti2935 It contains a link to Payeasy.com but as far as I know browsers don't verify if the website link is the same. They just validate that the domain name displayed in the address bar is the same as the one in the SSL certificate. BTW the "similar question" is not really same. — Jus12, Jan 15 '16 at 16:53
Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/34371/discussion-between-jus12-and-mti2935). — Jus12, Jan 15 '16 at 16:58

mti2935 · Accepted Answer · 2016-01-16T11:35:35.307

2

No. This is exactly why we have PKI - to prevent this type of DNS poisoning attack that you are describing.

Here is what would happen in the case that you are describing (including the comments), after Bob clicks the link to https://PayEasy.com. First, Bob's browser would do a lookup DNS lookup for PayEasy.com.

Let's assume that the attacker (Bob's ISP or his WiFi provider) managed to return a false IP address for PayEasy.com, and returns an IP address to a web server that the attacker controls.

OK, so now Bob's browser connects to the attacker's web server. But - here lies the problem - the attacker's web server serves up a certificate for PayEazy.com. At this point, Bob's browser knows that something is up, because the browser requested PayEasy.com, not PayEazy.com! Bob's browser would show him a warning of the certificate mismatch, and Bob would be wise to cease connecting with the site.

edited Jan 16 '16 at 11:35

answered Jan 15 '16 at 17:04

mti2935

21,098
2
47
66

Bob's browser will show a mismatch only if the domain the site claims (payeazy.com -- the attacker's) does not match with the one in the certificate. In this case it does. Because the attacker has the certificate for payeazy.com (the bad site). So the browser will not give a warning. – Jus12 Jan 15 '16 at 17:06
No. Bob's browser requested https://PayEasy.com (because Bob clicked the link https://PayEasy.com). If the site serves a certificate for a different site (PayEazy.com), Bob's browser will show a certificate mismatch warning. – mti2935 Jan 15 '16 at 17:38
1

Sure. See http://security.stackexchange.com/questions/94331/why-doesnt-dns-spoofing-work-against-https-sites – mti2935 Jan 15 '16 at 18:06

score 0 · Answer 2 · answered Jan 15 '16 at 17:34

Actually in case you've described(payment processing) there's one thing you've missed : vendor(Crypto.com) <-> payment_processor(PayEasy.com) interaction. I have implemented such a ties, and that's how it works:

vendor makes a callback to processor: "give me a transaction id for the full details of transaction". Their sig's are checked between them by the certificates they've exchanged by previously
vendor receives id, and redirects Bob to https://PayEasy.com/pay?sid=12345xYz... No "id=bob", "amount=100" - all this info and many other info was passed ALREADY in step 1
Bob sees ALL the data in his browser, and only after that it approoves the payment.

You can even register https://PayEazy.com as a vendor too, but on Bob's side it will be different merchant name in payment confirmation, and this confirmation page will be HTTPS-signed by PayEasy SSL cert. That's it

The payment was just an example of the DNS based attack. Assume that it is a list of "recommended sites" hosted by someone (a static page) and the attack is on one of the links in those site. — Jus12, Jan 15 '16 at 17:43
@Jus12 take a look at [Perspectives Project](http://perspectives-project.org/) — Alexey Vesnin, Jan 15 '16 at 18:35

Can we prevent DNS-based attacks with SSL/TLS?

2 Answers2