[cabf_validation] BGP attacks on Validation

Tim Hollebeek tim.hollebeek at digicert.com
Tue Aug 21 11:46:57 MST 2018


I am happy to announce that the researchers have accepted my invitation to
presenting their results to the Validation WG at our September the 13th
meeting.

 

-Tim

 

From: Validation <validation-bounces at cabforum.org> On Behalf Of Tim
Hollebeek via Validation
Sent: Monday, August 20, 2018 11:23 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Henry Birge-Lee <birgelee at princeton.edu>
Subject: [cabf_validation] BGP attacks on Validation

 

 

I'd like to draw the attention of Certificate Authorities to the following
excellent paper that was presented last week at USENIX Security:

 

https://www.princeton.edu/~pmittal/publications/bgp-tls-usenix18.pdf

 

Abstract

 

"The Public Key Infrastructure (PKI) protects users from malicious
man-in-the-middle attacks by having trusted Certificate Authorities (CAs)
vouch for the domain names of servers on the Internet through digitally
signed certificates. Ironically, the mechanism CAs use to issue certificates
is itself vulnerable to man-in-the-middle attacks by network-level
adversaries. Autonomous Systems (ASes) can exploit vulnerabilities in the
Border Gateway Protocol (BGP) to hijack traffic destined to a victim's
domain. In this paper, we rigorously analyze attacks that an adversary can
use to obtain a bogus certificate. We perform the first real-world
demonstration of BGP attacks to obtain bogus certificates from top CAs in an
ethical manner. To assess the vulnerability of the PKI, we collect a dataset
of 1.8 million certificates and find that an adversary would be capable of
gaining a bogus certificate for the vast majority of domains. Finally, we
propose and evaluate two countermeasures to secure the PKI: 1) CAs verifying
domains from multiple vantage points to make it harder to launch a
successful attack, and 2) a BGP monitoring system for CAs to detect
suspicious BGP routes and delay certificate issuance to give network
operators time to react to BGP attacks."

 

-Tim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180821/0a6aaadc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180821/0a6aaadc/attachment.p7s>


More information about the Validation mailing list