This is a pretty big deal, not so much that a few cryptocurrency users got robbed, but as a reminder that HTTPS doesn't defend against sustained global DNS hijacks https://twitter.com/GossiTheDog/status/988816808563093504?s=19 …
Perhaps worth unpacking this: The attack here was against BGP, which allowed the hackers to intercept network traffic at scale. The traffic they captured allowed them to briefly redirect MyEtherWallet.com to a site they controlled.
The attackers then did a dumb thing, which is they served a fake HTTPS certificate, so people's browsers noticed, and folks who clicked through the warning lost their money. (HTTPS certificate warnings are there for a reason)
But the attackers could have done a smarter thing: so far as HTTPS certificate providers are concerned, they were then in control of MyEtherWallet.com. They could have used LetsEncrypt (or someone else) to issue a live HTTPS cert for it, and browsers would have seen it as valid.
This is a bit of a problem. Because BGP is unauthenticated, so this would be an unauthenticated hijack of a HTTPS website that your browser won't notice. A BGP hijack shouldn't break HTTPS, and now we all need to go away and think how to make sure this doesn't happen again.
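As an added example (not from the thread), one defender-side check for the scenario described above: scan Certificate Transparency records for your domain and flag any certificate issued by a CA other than the one you actually use, optionally only within a suspected hijack window. The records and the "Example Trust CA" name below are constructed, shaped like crt.sh's JSON output, and are not real log data.

```python
"""Flag certificates for a domain that were not issued by the CA you expect."""
from datetime import datetime

# Constructed sample resembling Certificate Transparency log entries
# (crt.sh-style keys: issuer_name, name_value, not_before). Not real data.
SAMPLE_CT_ENTRIES = [
    {"issuer_name": "C=US, O=Example Trust CA, CN=Example Trust Server CA",
     "name_value": "myetherwallet.com\nwww.myetherwallet.com",
     "not_before": "2018-01-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "www.myetherwallet.com",
     "not_before": "2018-04-24T11:05:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "blog.example.org",
     "not_before": "2018-04-24T11:30:00"},
]


def covers_domain(name_value, domain):
    """True if any SAN in the entry is the domain, a subdomain, or a wildcard of it."""
    for name in name_value.lower().split("\n"):
        name = name.strip().lstrip("*.")  # treat *.example.com like example.com
        if name == domain or name.endswith("." + domain):
            return True
    return False


def issuer_org(issuer_name):
    """Extract the O= component from an issuer distinguished name."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""


def unexpected_issuances(entries, domain, expected_orgs, since=None):
    """Return entries covering `domain` whose issuer O= is not in expected_orgs.
    If `since` (ISO 8601 string) is given, only certificates issued at or after
    that time are returned, e.g. the window of a suspected BGP hijack."""
    since_dt = datetime.fromisoformat(since) if since else None
    hits = []
    for entry in entries:
        if not covers_domain(entry["name_value"], domain):
            continue
        if issuer_org(entry["issuer_name"]) in expected_orgs:
            continue
        if since_dt and datetime.fromisoformat(entry["not_before"]) < since_dt:
            continue
        hits.append(entry)
    return hits
```

In practice the entries would come from a CT monitor or a crt.sh query for the domain, and any hit is worth treating as a possible domain-validation abuse until explained.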
Replying to @pwnallthethings
BGP obviously needs to be deprecated in favor of an authenticated (via PKI) version of it.
Replying to @RichFelker @pwnallthethings
This also shows some of the importance of DNSSEC. I don't think you could get a false cert with DNSSEC. (unless some CAs don't check that) Shame end user DNSSEC adoption is minuscule.
DNS was not changed in this attack. BGP is kinda like DNS for IP addresses - it allows you to change what/where they "resolve to".