Block untrusted SSL certificates sites
To block sites with untrusted, expired, self-generated, etc. SSL certificates. Most of the times those sites are malware distributing, C&Cs, exfill data collectors and so on.
How do you envision this being done?
Are you thinking of a new category? Or some automated mechanism that would require OpenDNS to crawl the internet looking for these kinds of sites?
You do realize that OpenDNS doesn't have anything to do with sites, content, URL's, pages, or anything else that is not a domain, don't you? The only information they receive from a user is domain lookup request, and depending on how a user's settings are configured either return the corresponding IPv4 address, or return an IP address that corresponds to one of their blocked pages.
Also, any modern web browser is going to generate some sort of error message or warning about expired or self-generated certificates. I'm not entirely sure what you mean by an untrusted certificate though. As for characterizing these sites in the manner that you do, what is your evidence? I've seen quite a few "innocent" sites that are using self-generated certs, and there are many legitimate ones that for a number of reasons, often just losing track of renewal dates, are using an expired cert but they generally get that resolved within a few days of it being brought to their attention.
Yes, some kind of a new category. As about the mechanism i dunno what would be...
Yes, any browser will warn about SSL errors, but You should be aware that not all communication from is done through the means of a browser. Most malware (including ransomware) communicates with C&C's using SSL, and the number of those are considerably more that those of "a few "innocent" sites that are using self-generated certs" or "forgot to renew".
Yes, I'm well aware that not all communication is done via a browser. However your initial post referenced sites, not domains, which implies browser traffic, not the many other kinds of internet traffic there are. I have no idea what encryption techniques most malware uses, but TLS, SSL, or some other variety of public key encryption is entirely possible, though that doesn't necessarily mean that it uses DNS in the process, and doesn't imply any sort of correlation to legitimate traffic that uses self-signed, expired, or any other sort of certificates with a problem of some sort.
Still, this does seem like a worthwhile idea if the parameters can be sufficiently defined to make it a worthwhile category to block.
I'd suggest a "Malware" category, but OpenDNS Home already has the option to enable Basic Malware/Botnet Protection. It's entirely possible that this kind of blocking is already handled by the more robust Malware/Botnet Protection that is offered by the paid products. Perhaps an OpenDNS employee can weigh in with additional information.
"Most of the times those sites are malware distributing, C&Cs, exfill data collectors and so on."
Interesting research result. Where did you get this from?
Efficiently malicious sites would never use untrusted SSL certificates (if they use HTTPS at all), because due to the browser warnings this generally produces it would be counterproductive to what they intend to do, a too big hurdle for reaching what they want people or networking programs to do.
A separate category with White/Black listing would make more sense, as there could be sites with "untrusted certificate" that users need to use, or viceversa.
- https://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840 (ex.pg.4)
- and, of course, my experience with Dyre and Dridex. At some moment Dyre used to periodically change the self-generated certificate
So self-generated certificates are used for C&C communication to ex-filtrate data and until those C&C's get on blocklists as malware it would be a nice protection to give to unaware users.
I have now worked through it, and I see where I was thinking differently. I treat OpenDNS' content filtering and malware protection more or less for primarily web browsing, i.e. for human users using a web browser. These other malicious activity is almost not related to web browser activity, but different (e.g .self-made) clients/agents are being used by the attackers. And pretty clear that they take every measure to hide their malicious activity in many ways, one option being SSL/TLS encryption, also with self-signed untrusted certificates to minimize cost. Unlike web browsers, there own agents do not take care and do not alert.
After all, I would think that this kind of protection is already in place in OpenDNS business line of services, residing under malware protection. And this is not specifically concentrating on "untrusted SSL certificates sites" and doesn't need to be if such domains are included by other means, almost from their own https://labs.opendns.com/ project.
And if it is part of their business line of services, they most likely will not apply it for home users using the Home versions of OpenDNS. What I have seen, they do not give away business service features away for Home versions.
Also, it doesn't look like that such domains can be easily found using the Big Data of OpenDNS labs, because SSL/TLS is totally out of scope for DNS. Therefore someone had to categorize or tag domains in question as such "untrusted SSL certificates sites", and due to the fast changing nature of this "market" - many domains exist for a very short time only - I do not see any chance to keep up with tagging, as can be seen from the other domain tagging efforts here.
Regardless, I have voted for your idea. Let's see what OpenDNS makes out of it...
I'm glad you got my idea and thank you for your vote.
I must confess that I "cheated" a little, because I already make use of this "bad SSL" protection at my job by using an enterprise proxy which such capabilities, but I thought at the very large mass of (home/free) users of OpenDNS that would benefit from this kind of protection as they are an important target of malware like Dyre, Gozi, etc.
Please sign in to leave a comment.