Closed Bug 1077323 Opened 10 years ago Closed 3 years ago

Domain Authenticated Named Entities against MITM-attacks

Categories: Core :: Security: PSM
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED WONTFIX

People: Reporter: mozilla, Unassigned

Keywords: sec-want

Attachments: (1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140924083558

Steps to reproduce:

Intelligence agencies and other criminals use TLS certificates gained from CAs by trickery to run Man-In-The-Middle attacks against Firefox users which rely on TLS encryption and authorization.

Actual results:

The MITM attack is successful if no other authentication mechanism is used than CAs. Certificate pinning is only manageable for a few well-used domains but not for the mass of existing domains.

Expected results:

Firefox uses "Domain Authenticated Named Entities" according to IETF RFC 6698 (http://tools.ietf.org/pdf/rfc6698) to validate the TLS certificate. Two traffic lights should show the states:

DNSSEC:
- Green: DNSSEC validation successful
- Yellow: No DNSSEC RRs for hostname
- Red: Validation of DNSSEC RRs failed

DANE:
- Green: TLSA validation successful
- Yellow: No TLSA RRs for hostname
- Red: Validation of TLSA RRs failed

In both "Red" cases Firefox should refuse to load/display data and show an error message.

DNSSEC proxying with the DO/AD bit is snake oil, as a MITM attacker can suppress DNSSEC and forge plain DNS resource records. Do not use it!
Have a look at the Firefox-Addon "DNSSEC/TLSA Validator" (https://www.dnssec-validator.cz/) for implementation details.
Keywords: sec-want
OS: Linux → All
Hardware: x86_64 → All
Component: Untriaged → Security
Product: Firefox → Core
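As an added illustration (not code from the bug report, Firefox, or the DNSSEC/TLSA Validator add-on): a minimal Python sketch of the RFC 6698 TLSA check the reporter asks for, run against a constructed toy certificate, together with the DNSSEC/DANE traffic-light decision. The DER walker, the (usage, selector, matching type, data) tuple format and the validator status strings are assumptions of this example; only DANE-EE (usage 3) records are checked.

```python
import hashlib

def der(tag, content):                 # tiny DER TLV encoder (short-form length) for the sample
    return bytes([tag, len(content)]) + content

def tlv(buf, pos=0):                   # decode one DER TLV at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length: next (ln & 0x7F) bytes, big-endian
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(seq):                     # split a SEQUENCE body into its member TLVs, kept whole
    out, pos = [], 0
    while pos < len(seq):
        nxt = tlv(seq, pos)[2]
        out.append(seq[pos:nxt])
        pos = nxt
    return out

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    tbs = tlv(tlv(cert_der)[1])[1]     # tbsCertificate is the first field of Certificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:           # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5]                   # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_assoc(cert_der, selector, mtype):
    """Association data per RFC 6698: selector 0=Cert, 1=SPKI; mtype 0=Full, 1=SHA-256, 2=SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[mtype]

def lights(dnssec, tlsa_rrs, cert_der):
    """dnssec comes from a LOCAL validator ('secure'/'insecure'/'bogus'), never a proxy's AD bit.
    Returns (dnssec_light, dane_light, refuse_connection) as the report's two traffic lights."""
    if dnssec == "bogus":
        return "red", "red", True
    usable = [r for r in tlsa_rrs if r[0] == 3] if dnssec == "secure" else []   # DANE-EE only
    if not usable:                     # no (trustworthy) TLSA record: nothing to check against
        return ("green" if dnssec == "secure" else "yellow"), "yellow", False
    ok = any(tlsa_assoc(cert_der, s, m) == a for (_, s, m, a) in usable)
    return "green", ("green" if ok else "red"), not ok

# Constructed toy certificate (not a real, signed cert) following the field order spki_of() walks.
SAMPLE_SPKI = der(0x30, der(0x30, b"\x06\x03\x2a\x03\x04") + der(0x03, b"\x00toy-key"))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                          + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
MITM_CERT = SAMPLE_CERT.replace(b"toy-key", b"mitmkey")   # same layout, different key
ZONE_TLSA = [(3, 1, 1, tlsa_assoc(SAMPLE_CERT, 1, 1))]       # published as "3 1 1 <sha256 of SPKI>"
```

A substituted certificate with a different key turns the DANE light red and refuses the connection even though a CA might still vouch for it.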
Hello, DANE support is still missing from Firefox. Since Firefox 57 any options to implement DANE support via extensions have also been eliminated. I think Firefox can benefit from a DANE implementation because sites with DANE-only certificates will attract an additional audience for the Firefox browser (and vice versa).
Component: Security → Security: PSM
See Also: → 672600

This should be invisible to the user and show a security exception if DANE fails or block access if DANE fails with HSTS enabled.

DANE should be more trusted than a CA and enable use of self-signed certificates.

Currently we have no plans to support this.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX