
I just received an email from AWS regarding a certificate request for [my personal domain].

This email asked me to approve this request with a link or to forward it to an AWS email address for validation.

Needless to say, this request for the cert did not originate from me or anyone acting on my behalf.

I am posting here as I have never encountered a situation like this. I don't have any vocabulary to put this kind of attack in context; it seems tangential to social engineering, in the sense that I don't see how it could be used in a social engineering attack.
I am in the dark and at a loss for how to even Google for information about the context of this kind of attack.

My specific question is: what could the perpetrators of this attack achieve if they were able to obtain an AWS cert for my domain?

Edit: This is not the PKI keys you use for SSH; rather, this is a certificate you would use with an AWS service like CloudFront.

1 Answer


One of the protections people have against someone spoofing their domain is the cert. If you have HSTS turned on for your domain, your users will always expect to see a proper certificate when visiting your site; more specifically, the browser will always expect a certificate on the TLS connection. Hence, unless an attacker can get access to a 'proper' cert, browsers will always complain about the site to your users, and in some cases forcefully prevent them from accessing it.

Initially I wondered whether, even with a cert, an attacker wouldn't be able to spoof your site unless they had access to modify your DNS records. But then there are scenarios (e.g. in a closed network, a coffee shop, etc.) where an attacker could control the DNS lookups, and the only missing piece they'd need is the certificate to properly spoof your site. It's a stretch, but possible.

I guess, in summary, we can imagine someone redirecting users to a spoofed version of your website, but they'll still need a proper certificate, which might be what they're looking for here.

That being said, this is most probably just someone making a typo on a domain rather than a specific attack.

  • Thanks for the info re HSTS; the header is not currently set, so that's an issue I can address as a direct result of your answer. Commented Oct 3, 2021 at 9:47
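The answer's reasoning hinges on what HSTS actually makes a browser do: once a policy is cached, plain `http://` requests to the host are upgraded to `https://`, and a certificate error becomes a hard failure the user cannot click through, so an attacker who controls DNS still needs a certificate the browser trusts for that name. The following is an added example, not code from the question, the answer, or any browser; it models the parts of RFC 6797 that matter here (header parsing, `max-age` expiry, `includeSubDomains`, `max-age=0` removal, and the http-to-https rewrite) and rates a header the way a reviewer would. All hostnames, header values and clock values in it are constructed for the demonstration.

```python
"""Added example: a minimal model of how a browser records and enforces an HSTS
policy.  Hosts, header values and timestamps are constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list expects


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds) at which the policy lapses
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, str]]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns the directives, or None when the header is absent or invalid;
    an absent or invalid header means the browser stores no policy at all.
    """
    if header is None:
        return None
    directives: Dict[str, str] = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in directives:          # duplicate directives invalidate the header
            return None
        directives[name] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None                     # max-age is mandatory and must be an integer
    return directives


def assess_hsts(header: Optional[str]) -> List[str]:
    """Findings a reviewer would raise about a site's HSTS header."""
    d = parse_hsts(header)
    if d is None:
        return ["no valid Strict-Transport-Security header: browsers accept plain "
                "http:// and certificate warnings can be clicked through"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears any stored policy")
    elif max_age < ONE_YEAR:
        findings.append("max-age below one year: too short for preload and leaves "
                        "gaps between visits unprotected")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains are not covered")
    if "preload" in d and ("includesubdomains" not in d or max_age < ONE_YEAR):
        findings.append("preload requested but preload requirements are not met")
    return findings


class HstsCache:
    """Per-host policy store, roughly what a browser keeps between visits."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def record(self, host: str, header: Optional[str], now: float) -> None:
        d = parse_hsts(header)
        if d is None:
            return                                  # nothing stored, nothing changed
        max_age = int(d["max-age"])
        if max_age == 0:
            self.policies.pop(host, None)           # max-age=0 deletes the policy
            return
        self.policies[host] = HstsPolicy(now + max_age,
                                         "includesubdomains" in d, "preload" in d)

    def _policy_for(self, host: str, now: float) -> Optional[HstsPolicy]:
        # Exact match first, then each parent domain if it set includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            p = self.policies.get(".".join(labels[i:]))
            if p is None or p.expires_at <= now:
                continue
            if i == 0 or p.include_subdomains:
                return p
        return None

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// when a policy applies (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or self._policy_for(host, now) is None:
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def cert_error_is_bypassable(self, host: str, now: float) -> bool:
        """With an active policy the UA must hard-fail on a bad certificate
        (RFC 6797 section 12.1); without one the user may click through."""
        return self._policy_for(host, now) is None


if __name__ == "__main__":
    now, cache = 1_000_000.0, HstsCache()
    print(assess_hsts(None))                               # the questioner's current state
    cache.record("example.com", "max-age=63072000; includeSubDomains; preload", now)
    print(cache.rewrite("http://cdn.example.com/app.js", now))
    print(cache.cert_error_is_bypassable("example.com", now))
```

The point the model makes concrete: with no header (the questioner's state per the comment), `rewrite` leaves `http://` alone and `cert_error_is_bypassable` is true, so a DNS-level redirect to a spoofed host works without any certificate at all. With a policy cached, the attacker's only way to serve that host is a certificate a browser trusts for the name, which is exactly what a validated certificate request for the domain would give them.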
