by cotillion 1560 days ago
You are most likely vulnerable to some extent; protection has to be done by your ISP.

In this case it seems like the attackers targeted an SDK. Subresource integrity would have helped here.

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

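As an added example (not code from the thread or from any project mentioned in it), here is how the integrity attribute that subresource integrity relies on is produced by the page author and re-checked by the browser, using constructed script bytes that stand in for a third-party SDK; a copy altered anywhere between the CDN and the browser fails the check, which is why the hijacked CDN route would not have mattered.

```python
import base64
import hashlib
import hmac

# Algorithms SRI user agents accept, weakest to strongest; the browser keys on the strongest listed.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Return the value a page author puts in integrity="..." for exactly these bytes."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Mimic the browser check: group the listed hashes by algorithm, keep only the
    strongest group, and accept the fetched bytes if any digest in it matches."""
    by_algo: dict[str, list[bytes]] = {}
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in SRI_ALGORITHMS:
            continue  # unknown algorithm: the spec says to ignore the token
        try:
            by_algo.setdefault(algo, []).append(base64.b64decode(b64, validate=True))
        except ValueError:
            continue  # malformed base64: likewise ignored
    if not by_algo:
        # A browser would load the resource unchecked here; a strict checker refuses to vouch for it.
        return False
    strongest = max(by_algo, key=SRI_ALGORITHMS.index)
    actual = hashlib.new(strongest, data).digest()
    return any(hmac.compare_digest(actual, expected) for expected in by_algo[strongest])


def script_tag(src: str, data: bytes) -> str:
    """Emit the <script> tag a site embeds for a script served from a CDN it does not control."""
    return f'<script src="{src}" integrity="{sri_integrity(data)}" crossorigin="anonymous"></script>'


# Constructed sample data (not a real SDK): the script as published, and a copy altered in transit.
ORIGINAL_JS = b"window.sdk = { version: '1.0' };\n"
ALTERED_JS = ORIGINAL_JS + b"// one extra line injected between the CDN and the browser\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example/sdk.js", ORIGINAL_JS))  # cdn.example is a placeholder host
    expected = sri_integrity(ORIGINAL_JS)
    print("original accepted:", verify_sri(ORIGINAL_JS, expected))  # True
    print("altered accepted: ", verify_sri(ALTERED_JS, expected))   # False
```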

It would not have prevented it, because they could've just as easily attacked the server that serves the HTML instead of the CDN that served the JS.
No, klayswap.com has CAA configured in DNS.
Then it sounds like a misconfiguration after all? Because that would mean they didn't configure CAA for their CDN.

In any case they could've hijacked the IP for the authoritative DNS server, but that would at least add some complexity.

Also, this assumes their CA actually did their due diligence and the hackers didn't just fool them into reissuing the certificate to them.

I think the CDN has to configure CAA.

So if your site pulls in JS from another site without subresource integrity, and the other site doesn't have CAA configured, you are vulnerable.

It's not enough for everyone involved to have CAA enabled. They need to have CAA enabled and to select a certificate authority that does effective domain ownership validation, which - as the article suggests - means (at minimum) multiple-origin checking of network-based challenge protocols like HTTP-01.

Personally, I think anyone who has a heightened attack risk ought to contemplate a CA that does some form of more thorough validation.

Yes, I saw they attacked the subdomain holding the JavaScript (developers.kakao.com), but could they have also attacked the main domain?

Subresource integrity wouldn't help if they could have re-routed requests from klayswap.com.