
DEAD: Domain Emails Are Dead - rasengan
https://www.privateinternetaccess.com/blog/2018/06/dead-an-attack-vector-on-web-services-due-to-e-mails-faults-due-to-dns/
======
Nadya
I'm unable to access this site due to my work's blanket ban of any public
VPN/Proxy sites. Can someone post an alternative? By the name alone, this
sounds like it could possibly concern me.

~~~
rasengan
Here is a copy paste of the main text:

PROBLEM DEAD is a potential vulnerability in the DNS system that exists due to
the poor method in which it was implemented in totality. DNS, which is largely
controlled by ICANN, is susceptible to third-party takeover and simple
expiration.

Modern e-mail utilizes DNS extensively. E-mail users create e-mail addresses
with the form user@domain.com.

Websites, all over the world, utilize e-mail to verify people’s identities
(many let you reset your password with just an e-mail).

Since DNS is susceptible to third-party takeover and simple expiration, it is
deterministic that many e-mail address domains will expire (e.g., death of a
person and expiration of said person’s credit card), leaving people’s accounts
on websites, all over the world, susceptible to account theft.

Additionally, this theft may be legal in many jurisdictions as control of an
e-mail address, often times, also signifies control of an account.

STOP GAPS The suggested stop gaps, below, are simply workarounds in lieu of
properly creating accounts for people using a different identifier than
e-mail. However, these may help.

Securing Content Client-side PGP E-mails encrypted with PGP will be unreadable
by an unintended recipient, even in the event the domain/e-mail is hijacked,
unless, the intended recipient was already completely owned (had their private
key stolen) by the unintended recipient. Detecting Manipulation Server-side
DNSSEC Implementation Keep a cache of certificates provided by root and
checking for change. Requires DNSSEC to be implemented on all recipient e-mail
domains which is far from the case in 2018. Server-side Domain Ownership
Monitoring: Compile a list of all domains in an ephemeral dataset from all
users’ emails. Check if any of the domains may have changed ownership. Check
if a domain expired. Check if a domain was newly purchased post creation of
the user’s account. Additionally, check if MX records, including IP addresses,
changed. Ideally, attempt to ‘fingerprint’ the MX as even an IP can be BGP
hijacked. In the event ownership changed Block password resets for accounts
that may have changed ownership. Notify user that the reset was blocked due to
the above reasons and get in touch with the domain vendor and attempt a
different verification method Send a message to user’s secondary e-mail if one
exists. FIX Don’t let your critical infrastructure rely on e-mail and the
currently unverifiable version of DNS.

~~~
Nadya
Ah, this is in response about the guy who "hacked" the legal emails and the
concerns it raises potential issues from 3rd parties that I already need to
place some level of trust in. I can safely disregard, I'm not too concerned
about this or my emails being readable after I die and my domain expires.

Thank you for posting! I appreciate it.

