Using BGP for TLS Certificate Acquisition


Digital certificates serve as the root of trust online, but BGP attacks can compromise this trust, leading to interception. Learn about domain control verification and countermeasures.

  • BGP attacks
  • TLS certificates
  • Domain control
  • Interception
  • Countermeasures

Uploaded on Feb 17, 2025



Presentation Transcript


  1. Using BGP to Acquire Bogus TLS Certificates
     Henry Birge-Lee, Yixin Sun, Annie Edmundson, Jennifer Rexford, Prateek Mittal

  2. Digital certificates as a root of trust
     • Root of trust on the internet
     • Bootstraps trust on first-time connections
     • The keys to all web encryption
     (Figure: the chain of trust validating the public key for fed.princeton.edu, from the trusted root certificate down to the domain the website certificate is valid for)

  3. Digital certificates as a root of trust
     • Root of trust on the internet
     • Bootstraps trust on first-time connections
     • The keys to all web encryption
     • BGP attacks compromise this root of trust
     (Figure: the chain of trust validating the public key for fed.princeton.edu, from the trusted root certificate down to the domain the website certificate is valid for)

  4. Overview
     • Domain control validation
     • BGP attacks
     • Launching an interception attack
     • Countermeasures
     • Takeaways

  5. Domain Control Verification
     (Figure: message sequence between the owner of example.com, the certificate authority, and the server at example.com)

  6. Domain Control Verification
     (Figure continued)

  7. Domain Control Verification
     (Figure continued: server modifications)

  8. Domain Control Verification
     (Figure continued)

  9. Domain Control Verification
     (Figure continued)

  10. Where BGP Comes In
     • If an adversary sees this request they can get a certificate
     (Figure: the certificate authority's verification request to the server at example.com, with the owner of example.com shown alongside)

  11. Overview
     • Domain control validation
     • BGP attacks
     • Launching an interception attack
     • Countermeasures
     • Takeaways

  12. Original BGP route to victim
     (Figure: AS 1 through AS 4, the AS containing example.com, the certificate authority, and the adversary)

  13. Original BGP route to victim
     (Figure: the AS containing example.com announces "I own 2.2.2.2/23")

  14. BGP route to victim under attack
     (Figure: alongside the legitimate "I own 2.2.2.2/23", the adversary announces "I own 2.2.2.2/24")

  15. BGP route to victim under attack
     (Figure: the certificate authority's HTTP GET example.com/verify.html now goes to the adversary instead of the AS containing example.com)

  16. BGP route to victim under attack
     • Routers prefer more specific announcements
     • Everyone sees announcements
     • Connectivity broken
     • Not very stealthy
     (Figure: the legitimate "I own 2.2.2.2/23" and the adversary's "I own 2.2.2.2/24")

  17. A local (equally-specific prefix) attack
     (Figure: AS 1, AS 3, AS 4, AS 5, the AS containing example.com, the certificate authority, and the adversary; the AS containing example.com and the adversary both announce "I own 2.2.2.2/23")
     A. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015

  18. A local (equally-specific prefix) attack
     (Figure: the network split into an unaffected portion and an intercepted portion)
     A. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015

  19. A local (equally-specific prefix) attack
     • Equally specific announcements compete for traffic
     • Announcement localized
     • Local broken connectivity
     • Potentially stealthy
     A. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015

  20. A local (equally-specific prefix) attack
     • Equally specific announcements compete for traffic
     • Announcement localized
     • Local broken connectivity
     • Potentially stealthy
     • Not all ASes can perform
     A. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015

  21. AS path poisoning
     (Figure: the AS containing example.com announces "I own 2.2.2.2/23"; the adversary announces "I can get to 2.2.2.2/24 through AS 4")

  22. AS path poisoning
     • Everyone sees announcement but looks less suspicious
     • Connectivity preserved
     • Almost any AS can perform
     • Very stealthy
     • Perfect setup to intercept traffic with certificate
     (Figure: the legitimate "I own 2.2.2.2/23" and the adversary's "I can get to 2.2.2.2/24 through AS 4")

  23. Overview
     • Domain control validation
     • BGP attacks
     • Launching an interception attack
     • Countermeasures
     • Takeaways

  24. Experimental Setup
     • Control IP block 184.164.226.0/23
     • Set up victim website https://ctgen2.tk with valid certificate
     • Ran ping and HTTPS clients
     • Established BGP sessions from adversarial AS

  25. Demonstration: Launching an Interception Attack
     (Video: Interception demo v2.mov)

  26. Results from real world attacks

     CA              Time to issue certificate   Human interaction   Multiple vantage points   Validation method attacked
     GoDaddy         35 seconds                  No                  No                        HTTP
     Comodo          < 2 min                     No                  No                        HTTP
     Symantec        < 2 min                     No                  No                        Email
     GlobalSign      < 2 min                     No                  No                        Email
     Let's Encrypt   < 2 min                     No                  No                        Email

  27. Results from real world attacks
     (Same table as the previous slide)
     • All studied CAs were vulnerable

  28. Overview
     • Domain control validation
     • BGP attacks
     • Launching an interception attack
     • Countermeasures
     • Takeaways

  29. Countermeasures
     • Fix the problem at the CA: n(clients) >> n(websites) >> n(CAs)
     • Multiple vantage points: make announcement global
     • Route age: give network operators time to respond
     • Engaging with Let's Encrypt and Symantec
     • Developing open source implementation
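The multiple-vantage-point and route-age countermeasures from this slide, as an added Python simulation that is not the authors' code or their open source implementation; the vantage point names, the 24-hour route-age threshold, the token value and the scenarios are constructed assumptions:

```python
"""Multi-vantage-point domain control validation with a route-age check.
Constructed simulation, not the authors' code: each vantage point reaches
whichever party currently attracts its traffic for the target prefix."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHALLENGE = "constructed-token-7f3a"   # token the CA asked the requester to publish
MIN_ROUTE_AGE_HOURS = 24.0             # assumed threshold for the route-age check

@dataclass
class Scenario:
    served_by: Dict[str, str]   # vantage point -> party whose web server it reaches
    route_age_hours: float      # how long the route the CA observes has been stable
    requester: str              # party that asked the CA for the certificate

def fetch_verify_html(scn: Scenario, vantage: str) -> Optional[str]:
    """Simulate GET http://example.com/verify.html from one vantage point."""
    # Only the requester knows the token, so only its server can serve it.
    return CHALLENGE if scn.served_by[vantage] == scn.requester else None

def validate(scn: Scenario, vantages: List[str],
             check_route_age: bool = True) -> Tuple[bool, str]:
    """Issue only if every vantage point sees the token and the route is old enough."""
    seen = {vp: fetch_verify_html(scn, vp) == CHALLENGE for vp in vantages}
    if not all(seen.values()):
        missing = sorted(vp for vp, ok in seen.items() if not ok)
        return False, f"token not served toward {missing}; possible localized hijack"
    if check_route_age and scn.route_age_hours < MIN_ROUTE_AGE_HOURS:
        return False, f"route only {scn.route_age_hours}h old; operators not yet alerted"
    return True, "all vantage points agree and the route is stable"

VPS = ["vp-us", "vp-eu", "vp-asia"]

def run_cases() -> Dict[str, bool]:
    # Legitimate owner; a localized diversion reaching only vp-us; a global one.
    legit = Scenario({vp: "owner" for vp in VPS}, 720.0, "owner")
    local = Scenario({"vp-us": "adversary", "vp-eu": "owner", "vp-asia": "owner"}, 0.1, "adversary")
    glob = Scenario({vp: "adversary" for vp in VPS}, 0.1, "adversary")
    return {
        "legit": validate(legit, VPS)[0],
        "single_vp_diverted": validate(local, ["vp-us"], check_route_age=False)[0],  # today's CAs
        "multi_vp_local": validate(local, VPS)[0],
        "multi_vp_global": validate(glob, VPS)[0],
    }

if __name__ == "__main__":
    for name, issued in run_cases().items():
        print(f"{name:20s} -> {'ISSUED' if issued else 'REFUSED'}")
```

A single-vantage-point CA with no route-age check issues the certificate as soon as its one vantage point is diverted; requiring agreement from geographically separate vantage points catches the localized case, and the route-age check holds back the global case until operators have had time to notice the new announcement.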

  30. Overview
     • Domain control validation
     • BGP attacks
     • Launching an interception attack
     • Countermeasures
     • Takeaways

  31. Takeaways
     • Digital certificates are the foundation of secure internet communications
     • Almost any BGP speaking router can get a certificate for any domain
     • Adversary could begin intercepting TLS connections in 35 seconds
     • CAs must implement countermeasures soon
     • BGPsec just as important in the world of PKI/TLS

  32. Questions?
