Wouldn't more round robin entries ultimately make it harder for the attacker though? Assuming an attacker has compromised a single host and there are four validators each choosing a random IP from the list of hosts. There's a better chance all of the validators pick the compromised host when there's only 2 (~6%) than when there's 6 (~0.07%), right? (Statistics is very much not in my wheelhouse, so I could be completely off here)
I believe you are absolutely correct.
I am looking at this problem like one of those math questions where some detail misleads me to an unexpected assumption. In this case I am staring at the interplay of Validators vs IPs, and trying to reconcile 2 IPs (a common number in this scenario) against 3 validators (which I believe is the current deployment), and that is really all irrelevant because of the simple math you posted. The ratio of IPs to resolvers should not affect the metric you noted.
I hope we can assume there exists a somewhat random selection of the IP in the DNS. I haven't been able to find the code in Boulder or Unbound. There is an implementation detail in newer DNS resolvers that will re-order the list of IPs based on their proximity. I'm not sure of the exact details on this, other than I've read it's an artifact of the IPv6 standardization.
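To make the reordering concern in the post above concrete, here is a small Python model, added as an example rather than code from this thread, from Boulder or from Unbound, of the one RFC 6724 address-selection rule that defeats round-robin ordering: Rule 9, "use longest matching prefix". The resolver is modelled as handing out the same answer set in rotated order; a client that sorts that answer by common prefix length with its own source address will pick the same host every time, no matter how the resolver rotated the list. The addresses are constructed documentation-range values, and applying Rule 9 to IPv4 at full prefix length is a simplification of the model (real stacks differ on whether, and how far, Rule 9 applies to IPv4).

```python
import ipaddress
from collections import Counter


def common_prefix_len(a: str, b: str) -> int:
    """Leading bits shared by two addresses of the same family.

    Simplified CommonPrefixLen from RFC 6724: the comparison runs over the
    full address length for both IPv6 and IPv4 (the IPv4 treatment is an
    assumption of this model, not a statement about any particular stack).
    """
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if a.version != b.version:
        raise ValueError("addresses must belong to the same family")
    # XOR leaves the first differing bit as the highest set bit
    return a.max_prefixlen - (int(a) ^ int(b)).bit_length()


def rule9_order(candidates, source):
    """Stable sort of the resolver's answer by descending common prefix with
    the client's own source address (RFC 6724 Rule 9 taken in isolation)."""
    return sorted(candidates, key=lambda dst: -common_prefix_len(source, dst))


def first_pick_counts(candidates, source, apply_rule9):
    """Which address a client would try first, over every rotation of the
    answer list, i.e. over every order a round-robin resolver could hand out."""
    counts = Counter()
    for i in range(len(candidates)):
        rotated = candidates[i:] + candidates[:i]          # resolver rotation
        ordered = rule9_order(rotated, source) if apply_rule9 else rotated
        counts[ordered[0]] += 1
    return counts


# Constructed sample data: three round-robin entries for one name, and a
# validator whose source address sits in the same /48 as the second entry.
V6_HOSTS = ["2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::10"]
V6_SOURCE = "2001:db8:2::77"

V4_HOSTS = ["192.0.2.10", "198.51.100.10", "203.0.113.10"]
V4_SOURCE = "198.51.100.200"


if __name__ == "__main__":
    for hosts, src in ((V6_HOSTS, V6_SOURCE), (V4_HOSTS, V4_SOURCE)):
        print("plain round robin :", dict(first_pick_counts(hosts, src, False)))
        print("with Rule 9 sorting:", dict(first_pick_counts(hosts, src, True)))
```

In this model, a validator that sorts by Rule 9 is no longer a fair die: if the host sharing the longest prefix with the validators' egress addresses is the compromised one, every validator that sorts this way lands on it, and the "each validator picks at random" probability argument no longer applies. Whether a given validation pipeline sorts at all is exactly the point the post above says it could not confirm.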
Your comment is suggesting I need to re-read "Proofs from The Book" tonight.
I cheated and used web based coin and dice simulators that I found while answering.
I cheated and asked @discobot roll 4d2
1, 1, 2, 1
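The coin-flip and `4d2` checks above can be done exactly rather than by rolling dice. The following Python is an added example, not code from this thread or from Boulder, and it rests on the same assumption the first post made: every validator independently picks one address uniformly at random from the round-robin set, and the attacker controls some fixed number of those addresses. Under that assumption the chance that all validators land on a compromised address is (compromised / hosts) ** validators, which gives the 1/16 (~6%) and 1/1296 (~0.08%) figures for 4 validators; the code also answers the defender's question of how many entries are needed to push that chance below a chosen threshold, and includes a seeded Monte Carlo run as a sanity check on the closed form.

```python
import random
from fractions import Fraction


def p_all_validators_hit(hosts: int, compromised: int, validators: int) -> Fraction:
    """Exact probability that every validator lands on a compromised host.

    Model (an assumption of this example): each validator independently picks
    one of `hosts` addresses uniformly at random; `compromised` of those
    addresses are under the attacker's control.
    """
    if hosts < 1 or validators < 1 or not 0 <= compromised <= hosts:
        raise ValueError("need hosts >= 1, validators >= 1, 0 <= compromised <= hosts")
    return Fraction(compromised, hosts) ** validators


def simulate_all_hit(hosts, compromised, validators, trials=20_000, seed=0):
    """Monte Carlo check of the closed form: roll one die per validator and
    count the trials in which every die shows a compromised host."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    hits = 0
    for _ in range(trials):
        # hosts are numbered 0..hosts-1; the first `compromised` are the bad ones
        if all(rng.randrange(hosts) < compromised for _ in range(validators)):
            hits += 1
    return hits / trials


def hosts_needed(compromised, validators, max_prob):
    """Smallest number of round-robin entries that brings the all-validators
    probability down to `max_prob` or below (a defender-side sizing question)."""
    if compromised == 0:
        return 1  # nothing to land on; any set size is safe
    if max_prob <= 0:
        raise ValueError("with compromised > 0 the probability never reaches 0")
    hosts = compromised
    while p_all_validators_hit(hosts, compromised, validators) > max_prob:
        hosts += 1
    return hosts


def table(validators, compromised=1, max_hosts=6):
    """(hosts, exact probability as a float) for each set size up to max_hosts."""
    return [(h, float(p_all_validators_hit(h, compromised, validators)))
            for h in range(max(compromised, 1), max_hosts + 1)]


if __name__ == "__main__":
    for hosts, p in table(validators=4):
        print(f"{hosts} hosts, 4 validators: P(all hit) = {p:.4%}")
    print("simulated, 2 hosts, 4 validators:", simulate_all_hit(2, 1, 4))
    print("entries needed for P <= 1/1000:", hosts_needed(1, 4, Fraction(1, 1000)))
```

The number of validators and the number of entries enter the formula symmetrically only in the sense that both shrink the result; a fourth validator and a third round-robin entry each multiply the attacker's chance by a different factor, which is why the "ratio of IPs to resolvers" is not the relevant quantity. The model says nothing about validators whose address choice is not independent or not uniform.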
I'm typically quite good with statistical models (and have used them profusely), however I'm not sure why they're even needed here.
Correct me if I've missed something, but as I see it the purpose of the http-01 challenge is to delegate proof of ownership/control/assignment of the DNS for a particular FQDN to control of an(y) AAAA/A record for that FQDN. As long as the DNS zone for that FQDN is not compromised, the actual value of an(y) AAAA/A should be arbitrary as assigned by the FQDN's owner(s)/controller(s)/assignee(s). The actual value of such an AAAA/A record, being arbitrary, is entirely irrelevant from the security standpoint of the http-01 challenge (though not irrelevant from the pragmatic standpoint of performing the challenge).
TL;DR: If someone wants to point their IP address record(s) for their FQDN to compromised/invalid/nonexistent/private servers, that's their prerogative. If it/they can't be used for validation, that's a technical execution problem, not an http-01 security problem. All of the security of an http-01 challenge lies in having control of the AAAA/A records in the DNS. Using that control in an ineffective way for satisfying the http-01 challenge does not a security violation cause.
I'd just use DNS validation, it skips the entire problem of load balanced http validation.
Conceivably, a DNS MITM weakness could always exist; one that could fool some of the people (some of the time), but never all of the people (all of the time).
Which explains the need for the multiple perspective validation.
One would have to control a ridiculously large part of the Internet (sounds a lot like the 51% crypto attacks) to be able to get away with such an elaborate spoof.