Bitcoin Forum
December 14, 2024, 11:53:00 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Security warning: OpenAlias plugin vunerability  (Read 332 times)
ThomasV (OP)
Moderator
Legendary
*
Offline Offline

Activity: 1896
Merit: 1353



View Profile WWW
July 09, 2015, 08:04:30 AM
Last edit: July 09, 2015, 08:19:12 AM by ThomasV
 #1

We recently discovered that the OpenAlias plugin, shipped in Electrum 2.0 to 2.3, does not correctly validate DNSSEC records.

A fixed version is in the works, and will be shipped in version 2.4. (ETA: a week)
In the meantime, please do not trust aliases verified by that plugin.

See the release notes for more details: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

Electrum: the convenience of a web wallet, without the risks
fluffypony
Donator
Legendary
*
Offline Offline

Activity: 1274
Merit: 1060


GetMonero.org / MyMonero.com


View Profile WWW
July 09, 2015, 08:37:40 AM
 #2

We recently discovered that the OpenAlias plugin, shipped in Electrum 2.0 to 2.3, does not correctly validate DNSSEC records.

A fixed version is in the works, and will be shipped in version 2.4. (ETA: a week)
In the meantime, please do not trust aliases verified by this plugin.

See the release notes for more details: https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES

To be more specific: the way it used to work was to split the URL up into parts separated by . (ie. waffle.blah.example.com is split into waffle, blah, example, com) and then check each part (from the last to the first) as follows:

1. concatenate it with the previous parts (so if we're checking "blah" then we'd be verifying blah.example.com)
2. using the system resolver get the NS record for the domain
3. ask the main nameserver (per the NS record) for the DNSKEY for that sub-domain, pass the D0 flag (ie. tell it we want DNSSEC data)
4. if it is DNSSEC signed we should receive the RRSET, which contains the DNSKEY and the RRSIG for that DNSKEY
5. validate that the signature is correct
6. repeat for the next part

This is reasonable, except it doesn't *actually* check the chain, it just checks each part of the chain. For DNSSEC to work you have to start at the root zone (which is .) as that is *the only certificate you will have on your computer*, and then you work your way down the chain, checking delegation at each point. Our checking sub-parts without delegation (and without starting at .) was lazy, and whilst it is unlikely you'd be able to cheat validation the risk is still non-negligible.

The updated verification that ThomasV has written validates the chain correctly.

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!