Podcast

Root Causes 428: .MOBI Attack Puts WHOIS-based DCV into Question

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: October 4, 2024

White hat researchers managed to take over the WHOIS server for the .mobi TLD. Among other things, this discovery foretells the death of WHOIS as a valid email source for Domain Control Validation (DCV).

Podcast Transcript

Tim Callan: How are you doing today, Jason?
Jason Soroko: Doing great, Tim, but I tell you, after reading this blog, sometimes you get a little bit stirred, sometimes you get a little bit shaken. And I think this one did both.
Tim Callan: So this is all crazy and interesting, and let's start out. Let's get the listeners. So listeners, there is a blog from a firm called watchTowr Labs, and the headline reads, "We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI." And this was published on September 11, 2024, and, I mean, first of all, this is interesting, and then some of the consequences of it are, I think, more interesting. So Jason, maybe you can tell us a short story. What was the story from watchTowr Labs? What happened?
Jason Soroko: A lot happened, Tim, but I guess I will try to state this real quickly. Basically, what they achieved, and I don't think this was their ultimate goal, but what happened ultimately was, through just looking for vulnerabilities in a portal for a top level domain, and that top level domain being .M-O-B-I, .MOBI, they were able to achieve the ability to become the WHOIS server. The trusted WHOIS server for the .MOBI top level domain.
Tim Callan: A deprecated domain had been allowed to expire, and they bought it, and it turns out that there's just a huge quantity of services and software out there where that domain never got deprecated, and so it just works. And the ability they had to do things at that point, that they accidentally got, was huge and vast. And one of the things in particular that occurred was that they realized that they could perform DCV on certificates for .MOBI addresses without controlling those domain names.
Jason Soroko: So, Tim, let's talk about just some basics in terms of one of the allowed methods of domain control validation, and that is by email. And so if a Certificate Authority wants to be able to figure out, all right, somebody wants to utilize an email-based check about whether or not somebody owns a domain, we will actually use the domain administrator, which is listed in a WHOIS service.
And we could spend several podcasts just explaining what some of those terms mean, but suffice to say, that is a very, very old type of service which has been around since just about the beginning of the internet, and it lists, basically, some ownership information about domains. And one of those things is an email address, which typically looks like something, Tim, [email protected]. That's what it would look like. And if you said, well, I own Timswebsite.MOBI, a Certificate Authority, some Certificate Authorities might say, well, I will send an email to the address - -
Tim Callan: I'm willing to send an email to the address in the WHOIS because that's considered to be authoritative. That is the authoritative owner. And so why can't you contact them directly? That was pretty much the original form of DCV. If you go all the way back, I think that might have been the first DCV there ever was.
Jason Soroko: Actually, I can tell you what the first DCV was: you had to send a check in the mail. That's how I received a domain back in 1992. But the thing is, Tim, think about that. If that is considered authoritative, then whoever it is that is doing the WHOIS listings has an awful lot of power.
And that's what these guys at watchTowr Labs achieved. They achieved administrator. They basically became the administrators of the .MOBI WHOIS.
Tim Callan: Now these guys obviously were white hat, and they published what they did, and they did everything right that I can see. So I'm not imputing that, but let's suppose that I were a bad actor instead, and I had gotten this. Well, at this point, I could turn around and name your favorite target. What do you want to be? Google.MOBI? Microsoft.MOBI? Be BankofAmerica.MOBI.
And I just go into the record for that, and I put in whatever address I want, and then the DCV comes to me. I say, yep, that's me. I use the shared secret, click on the link, and now domain control validation could have occurred for a DV certificate from a legitimate CA who did not do anything wrong, who is not corrupt, who is not malicious, who follows the process. And now you have that, and you can use that for whatever nefarious purpose you want to have. So that's the potential that exists here.
Jason Soroko: And let's start to narrow it down, because before you throw your desk over and leave the room thinking this is saying the entire internet is just completely insecure: that's not the case. Let's narrow it down.
Basically, this type of attack that watchTowr Labs was able to achieve could potentially affect other smaller TLDs. Like, I don't see this happening against .com or other major TLDs, but some of the smaller TLDs, obviously it happened for one; maybe a vulnerability could be found for another. So let's keep our eyes open for that.
But also, Tim, I think this is where I'd like to bring the podcast - -
Tim Callan: And, in fact, if I can real quick, the fact that a TLD is small doesn't mean that it isn't a great attack vector. If you used all those domains that I rattled off earlier, if you got some kind of communication on your phone and you clicked on it and you wound up on a site and it said you were at [name of your bank].MOBI, and you verified the domain, a reasonable person might very reasonably say, confirmed, I'm really connecting to my bank. Like, that is a very, very reasonable attack vector.
Jason Soroko: Oh, the opportunity for social engineering and gaining people's trust by using major brand names, that's a huge problem, even for small TLDs. Absolutely, 100%.
Tim Callan: I get that my bank.ski might not work. But there's plenty of domains where it would work just fine.
Jason Soroko: No question at all. So this is a problem. So let's narrow it down even further to, okay, what is the problem? And Tim, I think what it really comes down to is relying on things like WHOIS, which is very old. It is not secure. Therefore, should we rely on it as being authoritative? Number one. And then, to go even further, Tim, email-based DCV, should we still be considering that to be a viable option?
Tim Callan: I think that's interesting. So let's compartmentalize those two, because when we get to email-based DCV, we're going to see that there's other problems beyond just this one.
So, obviously, this WHOIS lookup, something is going to change here. This very suddenly became a very active topic of discussion in the CA/Browser Forum and WebPKI community. And I'm certain that, at minimum, the range of permitted activity for DCV using WHOIS records will go down, and it could be that WHOIS records as a source of email addresses for DCV might just plain be eliminated as an option, and that's a very reasonable potential outcome of this, just to get around problems like this. So that's happening. That's already in discussion, and I think there will probably be a ballot fairly quickly. I think it will move. I think it will pass. And I think that's going to be a new change that is coming, and that sometime, not too far in the future, you and I will be on this podcast saying, hey, we're announcing that the following ballot has passed, and this is what's happening to WHOIS. I think that is coming. Like, take it to the bank.
If you look more broadly, email in general is a very problematic medium for this kind of thing. Emails are in the clear. Emails disappear. Emails may not be delivered. There's no reliable return circuit, so you don't know that your email was seen, necessarily, and there's no real response for how email-based DCV is going to get around the BGP problem.
Jason Soroko: Tim, Root Causes Episode 356, Will MPDV Eliminate Email-Based DCV, is the question we asked. And I guess this episode is really asking the question, will this WHOIS server research also potentially eliminate email-based DCV? To me, these are all nails in the coffin that we have been talking about.
Tim Callan: I mean, email just fundamentally, foundationally, the way email is constructed, it's so old. It's not really constructed for secure use in this kind of use case, and we've been shoehorning it into the use case for 30 years.
But it's not gonna last. It's not gonna make it. Let's just talk about how you would deal with the BGP problem. Like, literally, would I send you emails from seven different places around the globe?
Jason Soroko: It doesn't make sense.
Tim Callan: And you have to click on at least five of them. Like, who is gonna do that?
Jason Soroko: Nobody. Nobody. And in fact, we have a colleague, Nick France, who you've heard on this podcast before, a very esteemed colleague of ours. I'm gonna give him some credit for saying something very specifically that I think is important here, which is all non-automated forms of DCV are probably at risk of going away, for good reasons.
Tim Callan: Now, is this going to cause some heartburn? I think it is. Like, you might say, email DCV, why would you do it? At least one of the groups that definitely likes it is certificate purchasers in large enterprises. Not all of them. I don't mean this to paint everybody with the same brush, but this is the thing you come up with a lot, and it's, I'm a certificate purchaser in a large enterprise, and I say, I never talk to the guys who manage the DNS. Like, I'm going to put in a ticket, they're going to get to it when they're going to get to it. I'm going to be hanging and waiting for my certificate. I want my certificate. I want to get done with things. I don't talk to the people who manage the website. Same thing here. I'm going to put in a ticket, and they're going to get to it when they're going to get to it. And I'm going to be sitting and waiting, and I can't get my certificate, if I want to do file-based DCV. But if I do email-based DCV, then I just get the email, and I can sit at my desk, and 10 minutes from now, it can be over, and I can know it's done, and I can put a check mark on it, and I don't have to come back and track, and I don't have to watch my ticket, and I don't have to wait three days and all that. And so that is why it persists: there are limits on the things they can control. And this particularly occurs in the large enterprise. If I'm a one-man shop and I do everything, I'm an entrepreneur and I'm starting up my own business, well, heck, I run the DNS. It's easy. I'm that person. But when you start looking at places where there's this extreme division of responsibility, then it slows things down. There's multiple steps. There's loss of control, and people want to get away from that. And I respect that. Unfortunately, it just isn't a secure method of DCV, and I think probably all this stuff is going to have to go away. Sorry, guys.
Jason Soroko: Yes. Look, guys, I tell you, it's just like username and password. It's cheap and cheerful and easy, and it's been a way to authenticate since the beginning of time, but proof of domain ownership should not come from being able to answer an email. Period.
Tim Callan: And so, some of what this means, these things can be solved. You can put together a process whereby a legitimate certificate purchaser should be able to get a shared secret put into a DNS record very simply and easily. You can maybe give them very limited permissions. They can go into their console and they do one thing, and it does exactly that one thing. Like, this stuff can be built and can be set up. It's just that there's lots of competing priorities in every IT organization on the globe, and if you don't have to do this thing, you get to do a different thing instead. And so, companies don't necessarily make that decision. But if email-based DCV goes away and all of a sudden I can't get a certificate in less than 48 hours, the first time there's an emergency and they can't get the cert and they have an outage, all of a sudden that's going to become a high-priority item, and that sort of system is going to be put in place. So these are very technically solvable, but I think there's lots and lots of places where they just aren't technically solved.
And so, another thing, listeners. I know that a lot of our listeners are sort of working IT leaders. Listeners, it's only a matter of time before email-based DCV goes away, and maybe you want to be starting to think about what you're going to do procedurally and technically so that when it does go away, it's not causing you these problems.
Jason Soroko: So, Tim, I'm thinking about things such as ACME as an example, and the adoption of ACME compared to doing things manually.
Tim Callan: Well, and also ACME will do DCV for you. That could be one neat solution. Exactly.
Jason Soroko: That is correct. And so if you have access to your DNS records, the ability to do these things better has been around for a while. And I think for those of you who, you know, you've got your instruction list for how to do a certificate installation, and if email-based DCV is still on that list, you've got to look at that specific part of your steps and try to automate that away using better DNS-based methods. So that's what to do, folks. There's homework for everybody, and I know that that's pain, but trust me, it'll be better overall. And once MPIC is in place, you're going to be really glad that you dealt with this sooner than later.
Tim Callan: And MPIC is coming. Remember, September 15 is the "should" for checking, and March 15 is the "must" for checking. And then, moving on in 2025, there's a series of milestones where CAs need to actually start acting on what they learn once they're all in place checking by March 15. So this is coming. It's not far away. It's, in fact, very soon.
Jason Soroko: Absolutely. So there you go, Tim.
Tim Callan: Thank you very much.
Jason Soroko: Thank you.
Tim Callan: This has been Root Causes.
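The following Python is an added example at the end of the episode; it is not code from Root Causes, Sectigo or watchTowr Labs. It simulates the point the hosts make: under the "Email to Domain Contact" method, the set of addresses a CA will mail is whatever the WHOIS server it queries says it is, so whoever holds that server's hostname picks the addresses, whereas a random value placed in DNS requires write access to the zone. Every server name, domain, contact address, WHOIS response and the `_pki-validation` label below is a constructed assumption for the example.

```python
"""Simulated WHOIS-based versus DNS-based domain control validation.

Added example, not from the episode or watchTowr. All names, addresses and
records are constructed; no network access is performed.
"""
import re
import secrets

# Constructed WHOIS "servers", keyed by hostname, each mapping domain -> response text.
# whois.registry.example plays the legitimate registry. whois.expired.example plays a
# server whose hostname lapsed and was re-registered by an attacker, but which old
# client software still queries (the situation the episode describes for .mobi).
WHOIS_SERVERS = {
    "whois.registry.example": {
        "example.mobi": (
            "Domain Name: EXAMPLE.MOBI\n"
            "Registrant Email: hostmaster@example.mobi\n"
            "Admin Email: hostmaster@example.mobi\n"
            "Tech Email: noc@example.mobi\n"
            "Registrar Abuse Contact Email: abuse@registrar.example\n"
        ),
    },
    "whois.expired.example": {
        # Same domain, but the attacker-run server answers with its own contacts.
        "example.mobi": (
            "Domain Name: EXAMPLE.MOBI\n"
            "Registrant Email: hostmaster@example.mobi\n"
            "Admin Email: attacker@evil.example\n"
            "Tech Email: attacker@evil.example\n"
        ),
    },
}

# Constructed DNS zone for the DNS-based alternative; the attacker has no write access.
DNS_TXT = {}  # record name -> set of TXT strings

# Only the domain's own contacts (registrant, administrative, technical) are
# "Domain Contacts" a CA may mail. The registrar's abuse mailbox is not one of
# them, so the pattern deliberately does not match "Registrar ... Email:" lines.
_CONTACT_RE = re.compile(
    r"^(Registrant|Admin(?:istrative)?|Tech(?:nical)?)\s+Email:\s*(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_domain_contacts(whois_text: str) -> dict:
    """Return {role: email} for the registrant/admin/tech contacts in a WHOIS response."""
    contacts = {}
    for match in _CONTACT_RE.finditer(whois_text):
        role = match.group(1).lower()
        if role.startswith("admin"):
            role = "admin"
        elif role.startswith("tech"):
            role = "tech"
        else:
            role = "registrant"
        contacts[role] = match.group(2).lower()
    return contacts


def whois_lookup(server: str, domain: str) -> str:
    """Stand-in for a port-43 WHOIS query against the constructed servers above."""
    try:
        return WHOIS_SERVERS[server][domain.lower()]
    except KeyError:
        raise LookupError(f"{server} has no record for {domain}") from None


def whois_dcv_targets(domain: str, whois_server: str) -> set:
    """Addresses a CA would mail for WHOIS-based DCV.

    The result depends entirely on which server answered: the CA cannot tell an
    honest registry from a host that merely acquired the expected hostname.
    """
    return set(parse_domain_contacts(whois_lookup(whois_server, domain)).values())


def issue_dns_challenge(domain: str) -> tuple:
    """CA side of a DNS random-value check: (record name, expected value).

    The _pki-validation label is an assumption for this example; each CA
    documents its own label, and ACME's dns-01 uses _acme-challenge.
    """
    return f"_pki-validation.{domain.lower()}", secrets.token_hex(16)


def publish_txt(name: str, value: str) -> None:
    """Domain owner side: only someone who can edit the zone can do this."""
    DNS_TXT.setdefault(name.lower(), set()).add(value)


def dns_dcv_passes(name: str, expected: str) -> bool:
    """CA side: the exact random value must be present in the TXT record set."""
    return expected in DNS_TXT.get(name.lower(), set())


if __name__ == "__main__":
    for server in WHOIS_SERVERS:
        print(f"{server}: CA would mail {sorted(whois_dcv_targets('example.mobi', server))}")
    name, value = issue_dns_challenge("example.mobi")
    print("DNS check before the owner publishes:", dns_dcv_passes(name, value))
    publish_txt(name, value)
    print("DNS check after the owner publishes: ", dns_dcv_passes(name, value))
```

Run stand-alone, the script prints the legitimate contacts for the honest server, the attacker's address for the hijacked one, and a DNS check that only passes once the zone owner publishes the value. The registrar abuse address in the honest response is filtered out on purpose: it belongs to the registrar, not the domain, and is not a permitted target for this method.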
