Monday, April 13, 2020

Nice!

Picked up my first hacker attempting to spoof the Covid Cleared blog.

As far as the "hacker" goes, this is a particular form of attack that falls under social engineering and works through DNS.

Basically, how does someone know they have reached the correct web page?

This is a problem we explore in the CA/Browser (CAB) Forum for browsers and certificate authorities. It relates to the confidence that the "relying party" has that another identity is legitimate and not being spoofed.

This is done via a DNS lookup, perhaps preceded by a web search, which is what has made search engines so popular since they were first introduced.

How one knows what is on the other side of an Internet connection involves different steps of verification. In general one connects to the website and is presented with a digital certificate; how that certificate is built and listed is my area of expertise. Generally we have made it very easy to do, and free, using the ACME protocol.

DNS is just part of that, and a relatively weak part. From the beginning, it was meant to be a handle, not a front end to a complex backend. Now with services, almost anything can be done on the web.

Yet domain squatting is profitable, as is simply being first to register a good domain name.

There are of course more secure alternative ways of doing this: different approaches to naming and numbering on the Internet, dating back to the original proposal for expanding the Internet from academic usage to commercial usage around 1993.

If you look at Lauren's web page it also has a little icon for the Scout Report, a concept of quality web sites and resources that came out of the same 1993 funding from the National Science Foundation that included the X.500 Directory.

Keep in mind that when Matt Blaze eventually sold crypto.com, it was purchased for millions.

Vortex.com, one of the oldest domains (easily in the first hundred), was registered by Lauren Weinstein before the Internet was even fully using DNS.

The registration was processed and put on the manual hosts.txt list by Marty Schoffstall of PSINet. Domains used to be free. Yet not so easy to register. I have registered a bunch of domains, from entire countries, to newspapers like the Washington Post, to very specialized government authorities that span two states. The DNS system can accommodate all that. I also was asked to negotiate the first domain purchase.

Since Covid Cleared is simply a generic name on the Internet, it is possible to "typosquat" and register a variant using a different TLD. It's not really hacking per se, unless some other things happen.

A secondary market for domain names was not originally anticipated, since there was no actual "semantic link" between monster.com and Monsters Inc., or Famous Monsters from the 1950s. Disney has a lot to do with our current copyright situation.

Thus one ends up registering not only the domain you want, but often other "protective" domains using different TLDs. For a new unique domain that you like, one not already in use, expect to pay $12-20. Different registrars will charge a different price.

Companies that provide domains profit on each one, and obviously on the renewals.

They provide secondary markets to facilitate buying a domain name on a popular subject. Having a domain on a "subject" can be profitable.

The thing is, there has been an explosion of customized TLDs beyond the original set. One then maps a domain name, or an email address, into an X.509 digital certificate that uses the domain name as part of the certified content, or attributes.


One CTF point on the application security track regarding the UX.

The browser correctly reported it and failed with the following error message:

DLG_FLAGS_SEC_CERT_CN_INVALID

That would be *.parkingcrew.net in the common name, in terms of the CTF.

However the DNS query is manipulated (and there are many possible ways that can be done), your browser will typically do an entirely separate check to see whether that certificate is actually valid in terms of the root certificates that you trust. This is the certificate chain. Since the DNS name and the common name did not agree, it threw an error.

It does this via the certification path.

In this specific case it chains up to DigiCert's Global Root G2, and the certificate for anything at the domain parkingcrew.net shows as valid, but pinning the DNS of my blog to that results in the browser throwing the certificate invalid error.

From a UX perspective, it is not a good idea to accept that certificate. The software does the right thing, but how many users will ignore this and click through at their own peril?
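As an added illustration, and not code from the original post, here is the name-matching step that produces a CN_INVALID style error, written in Python. After the chain check succeeds, the browser still compares the hostname the user asked for (the name that went into the DNS lookup) against the names certified in the certificate: the subjectAltName dNSName entries, with the CN only as a fallback for old certificates that carry no SAN. The certificate names, the hostnames and the function names below are my own constructions for the example; the wildcard rules follow how browsers apply RFC 6125.

```python
"""Hostname-to-certificate name matching, as a browser applies it after the
chain check. Added example; names below are constructed, not from any real
certificate."""
import ipaddress
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def _is_ip_literal(hostname: str) -> bool:
    """An IP literal never matches a dNSName; it would need an iPAddress SAN."""
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a certified DNS name (possibly '*.example.net') covers hostname.

    Rules as browsers apply them:
    - comparison is case-insensitive, label by label
    - '*' is honoured only as the entire leftmost label
    - '*' matches exactly one label: it never spans a dot and never matches
      the bare registered domain ('*.parkingcrew.net' does not cover
      'parkingcrew.net')
    - a wildcard directly under a TLD ('*.net') is refused
    """
    if _is_ip_literal(hostname):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3:
            return False  # refuse '*' and '*.net'
        return p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial wildcards such as 'f*o.example' are not honoured
    return p == h


def certificate_matches_host(
    san_dns_names: Iterable[str], common_name: Optional[str], hostname: str
) -> Optional[str]:
    """Return the certified name that covers hostname, or None (the CN_INVALID case).

    The SAN list is authoritative; the CN is consulted only when the
    certificate has no SAN at all, mirroring browser behaviour.
    """
    names = list(san_dns_names)
    if not names and common_name:
        names = [common_name]
    for name in names:
        if dns_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed certificate: what a parking page's wildcard cert might certify.
    san = ["*.parkingcrew.net", "parkingcrew.net"]
    cn = "*.parkingcrew.net"
    # The name the user actually asked for (constructed blog hostname).
    for host in ("covidcleared.example", "www.parkingcrew.net"):
        hit = certificate_matches_host(san, cn, host)
        print(f"{host}: {'matched ' + hit if hit else 'CN/SAN mismatch -> browser error'}")
```

The first hostname in the usage block lands on None, which is exactly the situation in the post: a chain that validates fine up to a public root, but a certificate that was never issued for the name the DNS answer steered the browser to.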

In general this can point to the difference between DNS and X.500/LDAP and where things can go wrong.
