Bogus DNSSEC signature

sampab...@googlemail.com

May 13, 2016, 3:31:15 PM
to mozilla-addons-...@lists.mozilla.org
Steps to reproduce:

On an up-to-date Debian Jessie install, run Iceweasel (i.e. re-branded Firefox).

Install DNSSEC Validator from https://www.dnssec-validator.cz/

After installation complete (and Iceweasel restarted if necessary), visit https://addons.mozilla.org/en-US/firefox/ .

You will find that although this gives a green icon at the left of the address bar, indicating an Extended Validation (EV) HTTPS (TLS) implementation, there is also a red circle with an open padlock near the right of the address bar. Mousing over this circle gives a tooltip saying, "Bogus DNSSEC signature".

Clearly, addons.mozilla.org should not produce the latter warning! Am I being MITMed?

Further information:

The SSL/TLS certificate has this SHA256 fingerprint: 51:64:6C:66:2B:B3:FD:3A:3B:AC:9D:97:68:03:F4:E6:86:91:83:BB:48:3B:7D:30:DC:DF:C5:C4:D0:48:7B:41 .

Thanks

sampab...@googlemail.com

May 14, 2016, 1:44:28 PM
to mozilla-addons-...@lists.mozilla.org
It looks like either there is a MITM attack in progress against https://addons.mozilla.org (maybe using some kind of SSLstrip-like attack against HTTPS), or else addons.mozilla.org is somehow poorly configured and behind some kind of NAT64 / DNS64 IPv4 to IPv6 translation bridge.

The latter possibility is discussed a bit in various places:

https://www.ietf.org/mail-archive/web/v6ops/current/msg22680.html

https://blog.luukhendriks.eu/2015/12/03/lets-encrypt-open-beta-dane.html

https://www.safaribooksonline.com/library/view/dns-and-bind/9781449308025/ch04.html

https://en.wikipedia.org/wiki/File:NAT64.svg

Bram Pitoyo

May 15, 2016, 8:47:04 PM
to sampab...@googlemail.com, fxprivacyandsecurity, mozilla-addons-...@lists.mozilla.org
Forwarding to the Privacy and Security team. TL;DR – A “Bogus DNSSEC
signature” message is displayed when running Iceweasel and visiting AMO.

Panos Astithas

May 16, 2016, 1:41:06 AM
to sampab...@googlemail.com, fxprivacyandsecurity, Bram Pitoyo, mozilla-addons-...@lists.mozilla.org, secu...@mozilla.org
(CCing the security team to take a look)
I don't see that message on OS X or Ubuntu, but I don't really have
Iceweasel to reproduce, nor am I on an IPv6-enabled network. Are you sure
this is not a client misconfiguration?

Onno Ekker

May 16, 2016, 5:12:48 PM
to mozilla-addons-...@lists.mozilla.org
On 13-5-2016 at 20:03, sampab...@googlemail.com wrote:
For me in Firefox 46.0.1 on Windows 8.1 on the very right side of the
address bar it showed a green padlock for a while, which turned into a
big black cross saying "Non-existent TLSA record" upon hovering over it.
To the left of it is a key with a no-entry sign saying "Not secured by
DNSSEC".

So it doesn't look like it's you…

Onno

Kurt Roeckx

May 17, 2016, 4:23:09 AM
to mozilla-addons-...@lists.mozilla.org
On 2016-05-13 20:03, sampab...@googlemail.com wrote:
> Steps to reproduce:
>
> On an up-to-date Debian Jessie install, run Iceweasel (i.e. re-branded Firefox).
>
> Install DNSSEC Validator from https://www.dnssec-validator.cz/

Mozilla has had some weird DNSSEC setup for years, where mozilla.org
actually has DNSSEC, but then it has a CNAME to a domain that doesn't. See:
http://dnsviz.net/d/www.mozilla.org/dnssec/
http://dnsviz.net/d/addons.mozilla.org/dnssec/

Note that it actually shows an error for addons.mozilla.org.

Kurt

Sam Kuper

May 17, 2016, 4:45:08 AM
to mozilla.addons....@googlegroups.com, fxprivacyandsecurity, Bram Pitoyo, mozilla-addons-...@lists.mozilla.org, secu...@mozilla.org
On 16/05/2016, Panos Astithas <pa...@mozilla.com> wrote:
> (CCing the security team to take a look)
> I don't see that message on OS X or Ubuntu, but I don't really have
> Iceweasel to reproduce, nor am I on an IPv6-enabled network.

Debian is free in both senses, so feel free to try Iceweasel:
https://www.debian.org

An IPv6-enabled network, I can't help you with :)

> Are you sure this is not a client misconfiguration?

As far as I know, it is not a client misconfiguration. I don't seem to
be the only person affected. This link from my earlier message...

>>> https://blog.luukhendriks.eu/2015/12/03/lets-encrypt-open-beta-dane.html

... shows that someone else seems to have experienced either the same
issue, or one very much like it.

Which steps would you suggest I take to check for client misconfiguration?

Mozilla Security

May 17, 2016, 4:01:14 PM
to Sam Kuper, mozilla.addons....@googlegroups.com, secu...@mozilla.org, Bram Pitoyo, mozilla-addons-...@lists.mozilla.org, fxprivacyandsecurity
On 5/16/16 2:42 AM, Sam Kuper wrote:
> As far as I know, it is not a client misconfiguration. I don't seem to
> be the only person affected. This link from my earlier message...
>
>>>> https://blog.luukhendriks.eu/2015/12/03/lets-encrypt-open-beta-dane.html
>
> ... shows that someone else seems to have experienced either the same
> issue, or one very much like it.
>
> Which steps would you suggest I take to check for client misconfiguration?

That blog points out the mismatch in expectations here. AMO is only
available over IPv4, and it's the IPv4 address which is signed. If your
home network ONLY does IPv6 then you need an IPv6-to-IPv4 translation to
visit an IPv4-only site like AMO. The translation does not match the
original signature.

If you enable IPv4 so you can reach the site directly the error should
go away. Or don't use or rely on DNSSEC for IPv4-only sites.

--
Daniel Veditz
Mozilla Security Team
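An added example, not code from the thread or from the DNSSEC Validator add-on: a small Python checker that reads `dig +dnssec AAAA <name>` output the way a client doing its own validation would, and flags an AAAA record that sits in the RFC 6052 NAT64 well-known prefix 64:ff9b::/96 with no RRSIG covering it, which is the DNS64 synthesis Daniel describes. The two replies below are constructed (documentation addresses, placeholder signature); a NAT64 that uses a network-specific prefix needs that prefix passed in instead.

```python
import ipaddress
import re

# RFC 6052 well-known NAT64 prefix: a DNS64 embeds the IPv4 address in the low 32 bits.
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

def parse_dig(text):
    """Return (flags, answers) from `dig +dnssec` output; answers are (name, type, rdata)."""
    flags, answers, in_answer = set(), [], False
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split("flags:")[1].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and line.strip() and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = re.split(r"\s+", line.strip(), maxsplit=4)
            answers.append((name, rtype, rdata))
        elif in_answer:
            in_answer = False  # blank line or next section ends the answer section
    return flags, answers

def assess_aaaa(text, prefix=NAT64_WKP):
    """Classify the AAAA answer as a client that validates DNSSEC itself experiences it."""
    flags, answers = parse_dig(text)
    aaaa = [r for r in answers if r[1] == "AAAA"]
    sigs = [r for r in answers if r[1] == "RRSIG" and r[2].split()[0] == "AAAA"]
    if not aaaa:
        return "no-aaaa"
    if not sigs and any(ipaddress.ip_address(a[2]) in prefix for a in aaaa):
        # In the NAT64 prefix and unsigned: synthesized by a DNS64 from the signed
        # A record, so a validating client reports the RRset as bogus.
        return "dns64-synthesized"
    if sigs:
        return "secure" if "ad" in flags else "signed-unvalidated"
    return "unsigned"

# Constructed sample replies (not real captures). 203.0.113.10, a documentation
# address, embedded in 64:ff9b::/96 is 64:ff9b::cb00:710a.
DNS64_REPLY = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
addons.example.\t60\tIN\tAAAA\t64:ff9b::cb00:710a
"""
SIGNED_REPLY = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.\t3600\tIN\tAAAA\t2001:db8::1
www.example.\t3600\tIN\tRRSIG\tAAAA 13 2 3600 20160601000000 20160501000000 12345 example. <sig-placeholder>
"""
```

RFC 6147 requires a DNS64 not to synthesize when a query carries both the DO and CD bits, so `dig +dnssec +cdflag AAAA <name>` shows whether an AAAA record really exists in the signed zone.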

sampab...@googlemail.com

May 18, 2016, 12:10:09 PM
to mozilla-addons-...@lists.mozilla.org
On Tuesday, 17 May 2016 21:01:14 UTC+1, Mozilla Security wrote:
> On 5/16/16 2:42 AM, Sam Kuper wrote:
> >>>> https://blog.luukhendriks.eu/2015/12/03/lets-encrypt-open-beta-dane.html
>
> That blog points out the mismatch in expectations here. AMO is only
> available over IPv4, and it's the IPv4 address which is signed. If your
> home network ONLY does IPv6 then you need an IPv6-to-IPv4 translation to
> visit an IPv4-only site like AMO. The translation does not match the
> original signature.

Thanks for the hypothesis. You may be correct.

That said, I have tried browsing to https://addons.mozilla.org from two different ISPs, and received the same warning both times.

From the same ISPs, using the same client and browser, https://www.debian.org and https://grepular.com/Understanding_DNSSEC both give green icons, as do many other sites using DNSSEC.

> If you enable IPv4 so you can reach the site directly the error should
> go away. Or don't use or rely on DNSSEC for IPv4-only sites.

It is 2016. DNSSEC and IPv6 are increasingly widely deployed. Clients are not necessarily in control of the intermediate connections' IP versions.

Mozilla should support the use case of clients connecting to AMO via IPv6 and checking DNSSEC validity. A "Bogus DNSSEC" warning is discouraging, after all, and reduces trust that the connection is secure.

Andrew McKay

May 18, 2016, 2:52:10 PM
to sampab...@googlemail.com, mozilla-addons-...@lists.mozilla.org
Could someone file a bug against AMO in bugzilla for ops to look at please?

https://bugzilla.mozilla.org/enter_bug.cgi?product=Cloud%20Services&component=Operations:%20AMO

sampab...@googlemail.com

May 18, 2016, 6:31:49 PM
to mozilla-addons-...@lists.mozilla.org
On Wednesday, 18 May 2016 19:52:10 UTC+1, Andrew McKay wrote:
> Could someone file a bug against AMO in bugzilla for ops to look at please?
>
> https://bugzilla.mozilla.org/enter_bug.cgi?product=Cloud%20Services&component=Operations:%20AMO

Done! https://bugzilla.mozilla.org/show_bug.cgi?id=1274066