This post is missing a couple of critical components that often get overlooked as the world has got more “web-centric”. I think most people will also notice that a theme here with these attacks is relay attacks:
Broadcast protocols: I very regularly attack enterprise guest environments on wireless security assessments and it’s easy to underestimate how much mDNS/LLMNR is utilized enabled by default and how dangerous it can be. I think most people would be shocked about how much NetNTLM and friends are able to relay too, for example relaying SMB poisoned LLMNR requests to WebDAV Sharepoint sites. Most of this has been Windows centric, but it’s not just Windows, DHCPv6 Router Advertisements are all over broadcast traffic are triviable to spoof and conduct relay attacks from (here’s a some excellent further reading)
DNS poisoning: One common attack that I used to do regularly was to ARP poison DHCP or even the DNS servers to force requests to my local DNS server, then utilizing that I would look to see if HTTP was offered and would in-line inject content that I needed for either further relay attacks or phishing. HSTS might be common, but people hit “new sites” more than most people think and preloading only goes so far, an attacker only needs ONE to not be configured properly and you need all of them.
In the end I mostly agree with the premise (I love working from coffee shops) and folks who take even just a bit of precaution can probably be fine, but the modern state of attacks on networks isn’t really just about “sniffing” or traditional HTTP MitM and a lot of the recommendations about VPNs and such don’t deal with what attackers are actively even doing these days.
Can you elaborate a bit on the kinds of risks here for non-Windows users? Is it as simple as “install a browser plugin that prevents unencrypted HTTP requests” or is there more to it? My understanding is that even if you do a full DNS takeover all you can do is DoS someone if they’re only making HTTPS and SSH connections.
So first off mDNS/LLMNR exist on Linux and in some cases is/was default enabled, but many of the default bonkers issues like Windows allowing unsigned SMB connections appear to be lessened. As usual with the Linux ecosystem it’s a bit hard to say anything as a whole because of userspace fragmentation, but the DHCPv6 attacks are generally still applicable but the impacts are a bit of /shrug and “it depends”. This is an area I’m actively wanting to do some research in, but has been low on my list because the reality is that most people aren’t using workstations on wireless with Linux. I am also completely unfamiliar with the macOS world, but if memory serves they have the ability to handle mDNS requests too, but fall in a similar category.
In all cases the DNS attacks that you can do like with DNS Rebinding and attacks against other protocols. My anecdotal comment is that most attacks on Linux workstations I do are misconfigurations or over-permission leading to exposure and less “default relay to AD forest take over” bugs.
With these types of attacks on Linux it does probably have an expectation of some knowledge and if you are doing the following I think you will probably be “good enough”:
Block all inbound ports
Disable broadcast protocols that you don’t need
Use a DNS encryption protocol, I still prefer DNSCrypt-Proxy but that seems to be contentious
Use your browser hardening features like have been mentioned here
Wait, including SSH? I’ve got fail2ban on already; do you think that’s insufficient? Not being able to access my laptop from other machines in my house would be a major inconvenience for me. Maybe turning off passwords and switching to keypairs entirely would be better.
Use a DNS encryption protocol, I still prefer DNSCrypt-Proxy but that seems to be contentious
Surely not as contentious as cloudflare’s HTTPS-based DNS? =)
Can you elaborate on what kind of risks an HTTPS-only user faces from unencrypted DNS? Is this mostly about defense in depth?
I am also completely unfamiliar with the macOS world, but if memory serves they have the ability to handle mDNS requests too
Apple’s Stuart Cheshire invented mDNS and DNS-SD, and Apple was the first to use them, under the name Bonjour.
The page you linked to appears to describe a number of bad practices by Windows, such as using mDNS to resolve hostnames outside the .local TLD. So it sounds like what you’re talking about aren’t issues with mDNS but with Windows.
(Also, is it wise for a security expert these days to be unfamiliar with macOS? It’s not exactly a niche platform anymore, and there’s another one you might have heard of called iOS that’s fairly popular and which is nearly identical at the network layer.)
I appreciate the helpful context on the macOS world and some of the history of mDNS. These are issues with mDNS, there is a different between a issue and the impact of an issue. It’s fundamentally about racing a mDNS response on the network, the impact of which is what I am discussing and is much riskier on Windows, not because of mDNS but because of the other protocols that can be coerced via mDNS poisoning.
Is it wise to trust a security expert who knows their expertise or one who pretends to be an expert in all things? I don’t know macOS because I mostly attack network infrastructure and embedded systems. I can count on one hand the amount of times I’ve had macOS systems on an engagement past the workstation networks. Is there a reason that you chose to be uncharitable and sarcastic when framing that last part?
mDNS is not meant to be secure or authoritative; it’s a quick and dirty way to do service discovery on a LAN. On a public network it’s thus less useful than a home or business one, but you might use it to discover printers. From that article it sounds like Windows is using it as an adjunct to regular DNS such that it could hijack looking up a non-local resource, which I would say is a bad misuse, but maybe I misunderstood.
Sorry I came off as sarcastic. I’ve spent much of my career at Apple, and frequently encountered people in the industry whose world view encompassed only Windows and (later on) tangentially Linux and who dismissed Macs, so I get prickly when this comes up. Your earlier post read like general info about end-user devices on LANs, so it wasn’t clear to me that you focus on infrastructure/embedded systems.
What good does it do to attack DNS of someone who only makes HTTPS calls?
Do you mean it could be a problem for requests made outside Firefox, or is there some other risk you’re thinking of, like tricking someone into accepting a self-signed cert?
I have HTTPS-only mode enabled in Firefox, and I rarely hit HTTP sites these days. When a site is blocked, it’s either some really really old archive, or a blog belonging to a tech curmudgeon who deliberately resists having HTTPS.
Which is why I broadcast my own copy of the network with a much stronger AP and flood my target with client disassociate packets. Don’t have to fight attacking client isolation when I’m the AP ;)
macOS (on M1) these days seems to totally ignore disassociate. I gave up on “mesh” at home because of this, and $OFFICE has a slack channel for griping about it since the mac will stick with an AP on the other side of the floor. Security or shitty programming?
Region-locked content is the most compelling reason to use a VPN for most, including myself. Specifically, I needed to get my voter information from the county of my former domicile and I needed a VPN to pretend to be in the US to get the information I needed.
That said, my previous subscription expired and I’ve yet to renew. I’d set up my own at home now, but that still doesn’t fix the region-locking issue.
Funny. I couldn’t use Libera.chat precisely because I was on commercial VPN which was blocked by it. Wikipedia was a mess. At the time I was living in a hotel and its Wi-Fi was straight up blocked as well. But it’s been getting worse where some tech news sites now are using Cloudflare to block people in certain countries just because they want to – and the Cloudflare hegemony meant no matter what I try to access, I’m constantly bombarded with hCAPTCHAs training someone’s AI algo without reimbursement for my time.
Ah, I have an IRC bouncer so my connection to libera.chat doesn’t go directly through the VPN. Interesting they block them, I can see why… sort of.
But what you describe is also my experience with full-time VPN use. Not worth it at all. I just keep it on-hand ready to turn on if something isn’t working right.
I suppose you can get around a lot of IP blocking by running your own, I’ve been down that road before and I wasn’t using it enough to justify it.
Author of the article here: I have to admit that I edited the first sentence of the article after reading the comments here, to better clarify that I’m talking about not using a VPN.
This post is missing a couple of critical components that often get overlooked as the world has got more “web-centric”. I think most people will also notice that a theme here with these attacks is relay attacks:
In the end I mostly agree with the premise (I love working from coffee shops) and folks who take even just a bit of precaution can probably be fine, but the modern state of attacks on networks isn’t really just about “sniffing” or traditional HTTP MitM and a lot of the recommendations about VPNs and such don’t deal with what attackers are actively even doing these days.
Can you elaborate a bit on the kinds of risks here for non-Windows users? Is it as simple as “install a browser plugin that prevents unencrypted HTTP requests” or is there more to it? My understanding is that even if you do a full DNS takeover all you can do is DoS someone if they’re only making HTTPS and SSH connections.
So first off mDNS/LLMNR exist on Linux and in some cases is/was default enabled, but many of the default bonkers issues like Windows allowing unsigned SMB connections appear to be lessened. As usual with the Linux ecosystem it’s a bit hard to say anything as a whole because of userspace fragmentation, but the DHCPv6 attacks are generally still applicable but the impacts are a bit of /shrug and “it depends”. This is an area I’m actively wanting to do some research in, but has been low on my list because the reality is that most people aren’t using workstations on wireless with Linux. I am also completely unfamiliar with the macOS world, but if memory serves they have the ability to handle mDNS requests too, but fall in a similar category.
In all cases the DNS attacks that you can do like with DNS Rebinding and attacks against other protocols. My anecdotal comment is that most attacks on Linux workstations I do are misconfigurations or over-permission leading to exposure and less “default relay to AD forest take over” bugs.
With these types of attacks on Linux it does probably have an expectation of some knowledge and if you are doing the following I think you will probably be “good enough”:
Thanks for the clarification.
Wait, including SSH? I’ve got fail2ban on already; do you think that’s insufficient? Not being able to access my laptop from other machines in my house would be a major inconvenience for me. Maybe turning off passwords and switching to keypairs entirely would be better.
Surely not as contentious as cloudflare’s HTTPS-based DNS? =)
Can you elaborate on what kind of risks an HTTPS-only user faces from unencrypted DNS? Is this mostly about defense in depth?
Instead of “block all inbound”, it should be “whitelist inbound to only the services you are intentionally running”.
Tailscale has a nice ssh implementation that doesn’t require you to allow port 22 from anywhere insecure.
Apple’s Stuart Cheshire invented mDNS and DNS-SD, and Apple was the first to use them, under the name Bonjour.
The page you linked to appears to describe a number of bad practices by Windows, such as using mDNS to resolve hostnames outside the .local TLD. So it sounds like what you’re talking about aren’t issues with mDNS but with Windows.
(Also, is it wise for a security expert these days to be unfamiliar with macOS? It’s not exactly a niche platform anymore, and there’s another one you might have heard of called iOS that’s fairly popular and which is nearly identical at the network layer.)
I appreciate the helpful context on the macOS world and some of the history of mDNS. These are issues with mDNS, there is a different between a issue and the impact of an issue. It’s fundamentally about racing a mDNS response on the network, the impact of which is what I am discussing and is much riskier on Windows, not because of mDNS but because of the other protocols that can be coerced via mDNS poisoning.
Is it wise to trust a security expert who knows their expertise or one who pretends to be an expert in all things? I don’t know macOS because I mostly attack network infrastructure and embedded systems. I can count on one hand the amount of times I’ve had macOS systems on an engagement past the workstation networks. Is there a reason that you chose to be uncharitable and sarcastic when framing that last part?
mDNS is not meant to be secure or authoritative; it’s a quick and dirty way to do service discovery on a LAN. On a public network it’s thus less useful than a home or business one, but you might use it to discover printers. From that article it sounds like Windows is using it as an adjunct to regular DNS such that it could hijack looking up a non-local resource, which I would say is a bad misuse, but maybe I misunderstood.
Sorry I came off as sarcastic. I’ve spent much of my career at Apple, and frequently encountered people in the industry whose world view encompassed only Windows and (later on) tangentially Linux and who dismissed Macs, so I get prickly when this comes up. Your earlier post read like general info about end-user devices on LANs, so it wasn’t clear to me that you focus on infrastructure/embedded systems.
firefox supports https-only mode now: https://support.mozilla.org/en-US/kb/https-only-prefs
that option alone doesn’t do anything to help with DNS though
What good does it do to attack DNS of someone who only makes HTTPS calls?
Do you mean it could be a problem for requests made outside Firefox, or is there some other risk you’re thinking of, like tricking someone into accepting a self-signed cert?
Doesn’t have to be an attack, they can snoop DNS
I have HTTPS-only mode enabled in Firefox, and I rarely hit HTTP sites these days. When a site is blocked, it’s either some really really old archive, or a blog belonging to a tech curmudgeon who deliberately resists having HTTPS.
It’s especially fine if the network has client separation/isolation, which is quite common on most “Guest” networks nowadays.
Which is why I broadcast my own copy of the network with a much stronger AP and flood my target with client disassociate packets. Don’t have to fight attacking client isolation when I’m the AP ;)
macOS (on M1) these days seems to totally ignore disassociate. I gave up on “mesh” at home because of this, and $OFFICE has a slack channel for griping about it since the mac will stick with an AP on the other side of the floor. Security or shitty programming?
If you always use vpn’s… even at home… it’s never an issue :)
I mostly don’t use public wi-fi since it’s often slower than cellular data.. And i live in country where unlimited cellular data is the norm.
Region-locked content is the most compelling reason to use a VPN for most, including myself. Specifically, I needed to get my voter information from the county of my former domicile and I needed a VPN to pretend to be in the US to get the information I needed.
That said, my previous subscription expired and I’ve yet to renew. I’d set up my own at home now, but that still doesn’t fix the region-locking issue.
I was a VPN curmudgeon but have since found a few uses for them, on top of geoblocking:
Also, an extra layer on public wifi isn’t going to hurt even if it is a bit of snakeoil.
Funny. I couldn’t use Libera.chat precisely because I was on commercial VPN which was blocked by it. Wikipedia was a mess. At the time I was living in a hotel and its Wi-Fi was straight up blocked as well. But it’s been getting worse where some tech news sites now are using Cloudflare to block people in certain countries just because they want to – and the Cloudflare hegemony meant no matter what I try to access, I’m constantly bombarded with hCAPTCHAs training someone’s AI algo without reimbursement for my time.
JFYI, we try not to just ban paid VPNs if we can avoid it. Most of them are supposed to be usable if you have an account.
Ah, I have an IRC bouncer so my connection to libera.chat doesn’t go directly through the VPN. Interesting they block them, I can see why… sort of.
But what you describe is also my experience with full-time VPN use. Not worth it at all. I just keep it on-hand ready to turn on if something isn’t working right.
I suppose you can get around a lot of IP blocking by running your own, I’ve been down that road before and I wasn’t using it enough to justify it.
I’ve solved these problems using SSH and socks proxies, which IME are much simpler to set up and use.
I totally agree with this thesis.
You should be using some kind of VPN or tunnel when you’re away from home anyway, and if you are it just doesn’t matter.
did you even read the article?
As a matter of fact I did.
The author talks about running a VPN being not a great plan, because commercial VPN providers, malware, business interests etc.
But I run my own VPN server on commodity infrastructure.
And tbh, I consider that to be Way Good Enough for most people’s purposes.
The article says you shouldn’t use a commercial or free VPN provider; I assume what feoh means is running a VPN server they set up themself.
Author of the article here: I have to admit that I edited the first sentence of the article after reading the comments here, to better clarify that I’m talking about not using a VPN.