Karlof, Shankar, Tygar, Wagner: Dynamic Pharming Attacks and Locked Same-origin Policies for Web Browsers
---------------------------

Attack against web authentication. Hijack DNS for the target domain and serve malicious JavaScript from an attacker-controlled IP, then exploit DNS rebinding and the name-based same-origin policy to hijack the session after the user has authenticated to the real site. "Works regardless of authentication scheme used": passwords, client-side SSL certs, etc. all fail, because the hijack happens in the browser after authentication rather than at the credential.

Counter: locked same-origin policies for the browser.

Legacy approach: regulate cross-object access control using domain names.
-Web objects: HTTP cookies, HTML docs, images, JavaScript, CSS, XML.
-Locked by host, port and protocol.

Locked same-origin policies instead enforce access using the servers' X.509 certificates and public keys, so two objects under the same name but served by different servers are no longer the same origin.

Pharming: adversary subverts the domain-name lookup system and returns an attacker-controlled IP for the victim domain. DNS cache poisoning / response forgery.
Dynamic pharming: the first resolution of the domain points at the attacker's server, which serves the malicious script; the attacker then forces a DNS refresh (e.g. the attacker host returns ICMP host unreachable, so the browser drops its pinned result and re-resolves) and the second lookup returns the legitimate server. Script and legitimate document now share a domain name, so the legacy policy lets the script read the authenticated session.
Near-future problem? Malicious wireless routers redirect to spoofed sites. Warkitting.

Weak locked same-origin policy: isolates a domain's locked web objects by certificate validity. "Distinguishes legit servers using valid certs from illegit ones using invalid (self-signed or CN/DN mismatch) certs."
-Deployable without breaking existing infrastructure.
-Their claim: if the legit site does not have a valid X.509 cert, no better than legacy.

Strong locked same-origin policy: uses a cryptographic identity, the site's public SSL key. Web objects are locked to the public key they were served under and the keys are compared on access.
-Simple, incrementally deployable, backwards-compatible mechanism to opt in using policy files. Propose "pk.txt".

3 threat models: phishers (lure users to attacker-controlled domains), pharmers (change DNS so the legit domain resolves to a site of their choice), active attackers (full MITM on the network path).

Questions:
----------
They claim that if the legit site does not have a valid X.509 cert then it is no better than legacy. Couldn't we just compartmentalize objects by X.509 cert regardless of validity?
What is AIA (the Authority Information Access X.509 extension)?
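Added example (JavaScript), not code from the paper or its browser implementation: a toy model of the legacy, weak locked and strong locked same-origin rules described above, run over a constructed dynamic-pharming scenario (attacker script served first under bank.example, then the real bank document under the same name). The origin-record field names (certValid, spki), the key fingerprints and the pk.txt semantics in strongLockedWithPolicy are assumptions made for the example, not the paper's exact rules.

```javascript
// Added example, not the paper's code. Models three same-origin rules over
// origin records and runs a constructed dynamic-pharming scenario through them.
// ASSUMED field names: certValid (did the X.509 cert validate for `host`),
// spki (fingerprint of the server's public key).

function makeOrigin(scheme, host, port, certValid, spki) {
  return { scheme, host, port, certValid, spki };
}

// Legacy SOP: name-based only. Anything reached under the same scheme/host/port
// is one origin, regardless of which server actually answered.
function legacySameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Weak locked SOP: legacy triple plus the certificate-validity bit, so objects
// served with a valid cert for the domain are isolated from objects served
// under a self-signed / mismatched cert for the same name.
function weakLockedSameOrigin(a, b) {
  return legacySameOrigin(a, b) && a.certValid === b.certValid;
}

// Strong locked SOP: legacy triple plus identical server public key.
function strongLockedSameOrigin(a, b) {
  return legacySameOrigin(a, b) && a.spki === b.spki;
}

// Strong locked SOP with an opt-in policy file (in the spirit of pk.txt).
// ASSUMED semantics: the site publishes the set of keys it legitimately uses;
// two objects are same-origin if both were served under keys in that set, so a
// planned key rotation does not split the site into two origins. An attacker's
// key is never in the set.
function strongLockedWithPolicy(a, b, policyKeys) {
  if (!legacySameOrigin(a, b)) return false;
  if (a.spki === b.spki) return true;
  return policyKeys.has(a.spki) && policyKeys.has(b.spki);
}

// Constructed scenario data: bank.example first resolves to the attacker's
// server (self-signed cert, attacker key) which serves the malicious script;
// after the forced re-resolution the real bank serves the login page.
const BANK_KEY = 'sha256:bank-key-1';
const BANK_KEY_NEXT = 'sha256:bank-key-2';   // planned rotation
const ATTACKER_KEY = 'sha256:attacker-key';
const BANK_POLICY = new Set([BANK_KEY, BANK_KEY_NEXT]);

const attackerScript = makeOrigin('https', 'bank.example', 443, false, ATTACKER_KEY);
const bankDocument = makeOrigin('https', 'bank.example', 443, true, BANK_KEY);

// Can the attacker's script (same name, different server) reach the
// authenticated bank document under each policy?
function dynamicPharmingOutcome() {
  return {
    legacy: legacySameOrigin(attackerScript, bankDocument),                   // true: session hijacked
    weak: weakLockedSameOrigin(attackerScript, bankDocument),                 // false
    strong: strongLockedSameOrigin(attackerScript, bankDocument),             // false
    policy: strongLockedWithPolicy(attackerScript, bankDocument, BANK_POLICY), // false
  };
}

// The limitation raised in the notes: a legitimate site that itself uses a
// self-signed cert carries certValid=false, so the weak policy can no longer
// tell it apart from the attacker; the strong policy still can.
function selfSignedSiteOutcome() {
  const selfSignedBank = makeOrigin('https', 'bank.example', 443, false, BANK_KEY);
  return {
    weak: weakLockedSameOrigin(attackerScript, selfSignedBank),     // true: no better than legacy
    strong: strongLockedSameOrigin(attackerScript, selfSignedBank), // false
  };
}

// Key rotation: strict key equality splits the site's own objects; the policy
// set keeps them together while still excluding the attacker's key.
function keyRotationOutcome() {
  const bankAfterRotation = makeOrigin('https', 'bank.example', 443, true, BANK_KEY_NEXT);
  return {
    strictStrong: strongLockedSameOrigin(bankDocument, bankAfterRotation),             // false
    withPolicy: strongLockedWithPolicy(bankDocument, bankAfterRotation, BANK_POLICY), // true
  };
}

console.log(dynamicPharmingOutcome(), selfSignedSiteOutcome(), keyRotationOutcome());
```

The three outcome functions make the notes' claims concrete: only the name-based rule lets the rebound script touch the authenticated document, the weak rule collapses back to legacy once the legitimate site is also self-signed, and the strict public-key rule needs some policy mechanism to survive a key rotation.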