[NCAP-Discuss] [Ext] Re: Draft final Study 1 report
Danny McPherson
danny at tcb.net
Wed Apr 29 23:29:33 UTC 2020
On 2020-04-29 18:31, Rubens Kuhl wrote:
> Although not all of them, a good part of service discovery I saw in
> the wild (while doing packet captures to diagnose issues not related
> to collisions) include underline (_), a character that is not allowed
> in domain registrations.
> So most of them are already mitigated by default, and nevertheless
> covered by controlled interruption notification if the query reaches
> the CI servers. Of those 45+ protocols, how many of them use
> non-underline QNAMEs?
I'm not sure I understand what you're saying. The DNS-SD protocol uses
the underscore only in the leftmost label (RFC6763
https://tools.ietf.org/html/rfc6763 has many examples of this), most
certainly not at the TLD (or SLD level[?]) level? Can you elaborate?
> The one I remember is WPAD, which is why WPAD is in all our reserved
> lists, something that the New gTLD Applicant Group suggested (among
> other strings) during collision discussions.
I'm familiar with that, Verisign contributed to an IEEE Security &
Privacy paper that we provided to US-CERT which in part led to their
ALERT on WPAD and name collisions in applied-for new gTLDs, and shared
some longitudinal data on the occurrence, as I suspect you may recall.
Summary here:
https://www.verisign.com/en_US/internet-technology-news/cert-alert/index.xhtml
IEEE S&P 2016 Paper here:
https://www.verisign.com/assets/labs/MitM-Attack-by-Name-Collision-Cause-Analysis-and-WPAD-Vulnerability-Assessment-in-the-New-gTLD-Era.pdf
Of course, WPAD doesn't use underscores, nor do some other protocols
that leverage the DNS for service discovery-esque functions. There's a
whole list and taxonomy in the earlier reference I provided (see Table
6), as well as the references therein, if inclined to look. Of course,
again, Wessels, Interisle, JAS, and others outlined all of these as
potentially problematic as well.
> WebPKI has been improved over the years with CAA and more stringent
> criteria to get in and decisive action to get out of trust stores, and
> while it's not perfect, it's a security baseline of what people seem
> to be willing to live with.
Indeed. That said, it makes me sad when most of those people equate
privacy to security, but that's a whole different issue altogether, as
you're well aware.
-danny
>
>
> Rubens
>
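
Added example, not part of the original message: a Python sketch that classifies where underscore labels sit in a QNAME relative to the TLD and SLD, the distinction this exchange turns on. The function names, the `corp` string and the sample QNAMEs are constructed assumptions.

```python
import re

# LDH rule for labels that can be registered or delegated:
# letters, digits, hyphen; no leading or trailing hyphen.
LDH = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def classify(qname):
    """Report where underscore labels sit relative to the TLD and SLD."""
    labels = qname.rstrip(".").lower().split(".")
    suffix = labels[-2:]    # SLD + TLD (just the TLD for a one-label name)
    prefix = labels[:-2]    # everything to the left of the SLD
    return {
        "tld": labels[-1],
        "underscore_in_prefix": any(l.startswith("_") for l in prefix),
        "suffix_is_ldh": all(LDH.match(l) for l in suffix),
    }

def queries_under(qnames, tld):
    """Group QNAMEs ending in `tld` by whether the SLD.TLD part is plain LDH.

    An underscore label on the left (e.g. _ldap._tcp) does not change the
    TLD the resolver walks to, so those names stay in the 'ldh_suffix' group.
    """
    out = {"ldh_suffix": [], "non_ldh_suffix": []}
    for q in qnames:
        info = classify(q)
        if info["tld"] != tld:
            continue
        key = "ldh_suffix" if info["suffix_is_ldh"] else "non_ldh_suffix"
        out[key].append((q, info["underscore_in_prefix"]))
    return out

# Constructed sample QNAMEs (not taken from any capture).
SAMPLE = [
    "_ldap._tcp.dc1.corp.",            # SRV-style lookup, underscores on the left
    "wpad.office.corp.",               # WPAD lookup, no underscores at all
    "host.my_lab.corp.",               # underscore in the SLD itself
    "_ipp._tcp.printers.example.com.", # different TLD, filtered out
]

if __name__ == "__main__":
    for group, rows in queries_under(SAMPLE, "corp").items():
        print(group, rows)
```

Only the third sample name has a second-level label that could not be registered as written; the first two differ in underscore use but share a plain LDH suffix.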