[NCAP-Discuss] [Ext] Re: Draft final Study 1 report

Danny McPherson danny at tcb.net
Wed Apr 29 23:29:33 UTC 2020


On 2020-04-29 18:31, Rubens Kuhl wrote:

> Although not all of them, a good part of service discovery I saw in
> the wild (while doing packet captures to diagnose issues not related
> to collisions) include underline (_), a character that is not allowed
> in domain registrations.
> So most of them are already mitigated by default, and nevertheless
> covered by controlled interruption notification if the query reaches
> the CI servers. Of those 45+ protocols, how many of them use
> non-underline QNAMEs?

I'm not sure I understand what you're saying.  The DNS-SD protocol uses 
the underscore only in the leftmost label (RFC6763 
https://tools.ietf.org/html/rfc6763 has many examples of this), most 
certainly not at the TLD (or SLD[?]) level. Can you elaborate?

> The one I remember is WPAD, which is why WPAD is in all our reserved
> lists, something that the New gTLD Applicant Group suggested (among
> other strings) during collision discussions.

I'm familiar with that. Verisign contributed to an IEEE Security & 
Privacy paper that we provided to US-CERT, which in part led to their 
ALERT on WPAD and name collisions in applied-for new gTLDs, and shared 
some longitudinal data on the occurrence, as I suspect you may recall.  
Summary here:

https://www.verisign.com/en_US/internet-technology-news/cert-alert/index.xhtml

IEEE S&P 2016 Paper here:

https://www.verisign.com/assets/labs/MitM-Attack-by-Name-Collision-Cause-Analysis-and-WPAD-Vulnerability-Assessment-in-the-New-gTLD-Era.pdf

Of course, WPAD doesn't use underscores, nor do some other protocols 
that leverage the DNS for service discovery-esque functions. There's a 
whole list and taxonomy in the earlier reference I provided (see Table 
6), as well as the references therein, if inclined to look.  Of course, 
again, Wessels, Interisle, JAS, and others outlined all of these as 
potentially problematic as well.

> WebPKI has been improved over the years with CAA and more stringent
> criteria to get in and decisive action to get out of trust stores, and
> while it's not perfect, it's a security baseline of what people seem
> to be willing to live with.

Indeed.  That said, it makes me sad when most of those people equate 
privacy to security, but that's a whole different issue altogether, as 
you're well aware.


-danny


