I recall that subdomains are their own record inside a DNS, which would imply that anyone can claim that their server is a non-existent subdomain of the real domain
To claim a subdomain in the DNS system you have to have the domain first.
What is stopping a scammer from HTTPS certificating a "nonsense.ReputableBank.com"
Submitted 4 days ago by ReginaPhalange@lemmy.world to [deleted]
Comments
BartyDeCanter@lemmy.sdf.org 4 days ago
partial_accumen@lemmy.world 4 days ago
I recall that subdomains are their own record inside a DNS
Well, not a record, but a zone. A subdomain is its own zone. There are additional DNS records that support a separate zone though.
which would imply that anyone can claim that their server is a non-existent subdomain of the real domain
False. The person wanting control of the subdomain must be delegated control from the parent domain. Owners of the parent domain don’t just hand that out to anyone. The mechanism is called DNS Delegation.
adespoton@lemmy.ca 4 days ago
The way DNS works, each dot is authoritative.
So if you want the IPv4 for scam.legitco.com, your computer contacts the authoritative DNS for “com” and asks it for the address for legitco’s DNS. You then contact legitco.com and ask it for scam’s IP. Which it won’t have.
redpotatoes@lemm.ee 4 days ago
They’d need a certificate authority to issue the certificate, and the victim’s browser would have to trust that authority.
over_clox@lemmy.world 4 days ago
I’ve been able to downgrade https sites to plain http sites, through a series of loopholes which I won’t go into.
themoonisacheese@sh.itjust.works 4 days ago
That’s nice, be sure to tell us how it goes when HSTS is enabled
Serinus@lemmy.world 4 days ago
So you’ve… compromised your own security. Grats?
Phen@lemmy.eco.br 4 days ago
Something in the way of “an apartment key is useless if you can’t get into the building”.
Tarogar@feddit.org 4 days ago
There were some rather in detail answers already to which I could add. But instead I am going with a more simple answer that is hopefully also good.
Basically, bad actors want to stay undetected if possible. Like staying in dark places with dark clothing and not making noise. trying to get your own subdomain is more like wearing a high Vis jacket, having Christmas lights on you and broadcasting your presence with a loudspeaker with something like “catch me if you can!” on repeat.
Or even simpler: getting detected is bad for bad actors, doing that is one great way to get detected, they know that so they don’t do that.
Or metaphorically: a drop of water in the ocean won’t get noticed, rain in the desert will.
At the end of the day it’s not about what you can do but if you should do that.
Draghetta@lemmy.world 4 days ago
There are a lot of answers here but I feel they mostly miss OP’s point so I’ll try my own:
What stops a scammer from HTTPS certifying foobar.reputable.com is the trust system.
Anybody can create a certificate on their machine for anything within seconds, even you could create a certificate for www.google.com. The problem is that you, as an issuer, are not trusted by anybody.
Browsers and operating systems are released with a list of issuers that are considered trustworthy, so if you want your certificate to be recognised it has to come from one of these, not from you.
All of these issuers are in the list because they have been individually vetted, and are known to do their due diligence before issuing certificates, so they would not give you that cert unless they know that the bank domain or subdomain belongs to you, and the technical means to achieve this have been explained in other answers.
But if one of these issuers went rogue, or if you hypothetically hacked into their certification authority, then indeed nothing would stop you from obtaining a valid and recognised certificate for foobar.bank.com.
This is why for example Trustcor was removed from this list in 2022: from that position it would be trivial for a certificate authority to allow third parties to spy on people.