Domain Name System (DNS) injection is a censorship method for blocking access to blacklisted domain names. The method uses deep packet inspection on all DNS queries passing through the network and injects spoofed responses. Compared with other blocking mechanisms, DNS injection impacts uninvolved third-parties if their traffic is routed through a censored network. In this paper, we look for large deployments of DNS injection, measured from vantage points outside of the censored networks. DNS injection is known to be used in China since it leaked unintentionally into foreign networks. We find that DNS injection is also used in Iran and can be observed by sending DNS queries to Iranian networks. In mid 2013, the Iranian DNS filter was temporarily suspended for some names, which correlated with media coverage of political debates in Iran about blocking social media. Spoofed responses from China and Iran can be detected passively by the IP address returned. We propose an algorithm to obtain these addresses remotely. After testing 255 002 open resolvers outside of China, we determined that 6% are potentially affected by Chinese DNS injection when querying top-level domains outside of China. This is essentially the result of one top-level domain name server for which an anycast instance is hosted in China.
Web security relies on the assumption that certificate authorities (CAs) issue certificates to rightful domain owners only. However, we show that CAs expose vulnerabilities which allow an attacker to obtain certificates from major CAs for domains he does not own. We present a measurement method that allows us to check CAs for a list of technical weaknesses during their domain validation procedures. Our results show that all tested CAs are vulnerable in one or even multiple ways, because they rely on a combination of insecure protocols like DNS and HTTP and do not implement existing secure alternatives like DNSSEC and TLS. We have validated our methodology experimentally and disclosed these vulnerabilities to CAs. Based upon our findings we provide recommendations to domain owners and CAs to close this fundamental weakness in web security.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.