Transcription
Bamboozling CertificateAuthorities with BGPHenry Birge-Lee, Yixin Sun, Anne Edmundson,Jennifer Rexford, Prateek Mittal
Digital certificates as a root of trust Root of trust on the internet Bootstraps trust on first time connections The keys to all web encryption
Digital certificates as a root of trust Root of trust on the internet Bootstrapson firstProtocoltime connectionsBorder trustGateway(BGP) attacks The keys to all web encryptioncompromise this root of trust
Overview Domain Control ValidationBGP AttacksQuantifying VulnerabilityCountermeasuresTakeaways
Domain Control VerificationCertificate AuthorityServer at example.comCould(Cer I get actificate S ertificateigning Re for examquesple.ct)om?Owner of example.com
Domain Control VerificationServer at example.comUploa(Dom d contain C ent toeontrol Ver xample.ification com/veriChaCertificate Authoritylleng fy.htmle)Owner of example.com
Domain Control VerificationServer at example.comServer modificationsCertificate AuthorityOwner of example.com
Domain Control VerificationServer at example.comtmlify.hrev/.comHTTPCertificate AuthorityamplexeTGEI didit!Owner of example.com
Domain Control VerificationServer at example.comtent HTTPHerei200s yoCertificate AuthorityconOK: ur certificateOwner of example.com
Where BGP Comes InServer at example.comIf an adversary can hijack this requestwith BGP, it can generate a ate Authority2tent Adversary’snoc :00 OKserverI didit!Adversary posing asowner of example.com
Overview Domain Control ValidationBGP AttacksQuantifying VulnerabilityCountermeasuresTakeaways
Original BGP route to victimAS 1AS containingexample.comCertificateAuthorityAS 2AS 3AdversaryAS 4
Original BGP route to victimI own 2.2.2.0/23AS 1AS containingexample.comCertificateAuthorityAS 2AS 3AdversaryAS 4
BGP route to victim under sub-prefix attackI own 2.2.2.0/23AS 1AS containingexample.comCertificateAuthorityAS 2AS 3AS 4I own sub-prefix 2.2.2.0/24Adversary
BGP route to victim under sub-prefix attackI own 2.2.2.0/23AS 1AS containingHTTP GETexample.com/verify.htmlexmaple.comgoes to adversaryCertificateAuthorityAS 2AS 3AS 4I own sub-prefix 2.2.2.0/24Adversary
BGP route to victim under sub-prefix attackI own 2.2.2.0/23AS 1AS containingexample.comCertificateAuthorityAS 2AS 3AS 4 Routers prefer morespecific announcements Global visibility Connectivity broken Not very stealthyI own sub-prefix 2.2.2.0/24Adversary
A local (equally-specific prefix) attackAS 5I own 2.2.2.0/23AS 1AS containingexample.comAS 3AS 4CertificateAuthorityI own 2.2.2.0/23AdversaryA. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015
A local (equally-specific prefix) attackAS 5I own 2.2.2.0/23AS 1AS containingexample.comUnaffected portionHijacked portionAS 3AS 4CertificateAuthorityI own 2.2.2.0/23AdversaryA. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015
A local (equally-specific prefix) attackAS 5I own 2.2.2.0/23AS 1AS containingexample.comAS 3AS 4CertificateAuthority Equally specificannouncements competefor traffic Announcement localized Local broken connectivity Potentially stealthyI own 2.2.2.0/23AdversaryA. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015
A local (equally-specific prefix) attackI own 2.2.2.0/23AS 1AS containingexample.comCertificateAuthorityAS 2AS 3AS 4 Equally specificannouncements competefor traffic Announcement localized Local broken connectivity Potentially stealthy Not all ASes can performI own 2.2.2.0/23AdversaryA. Gavrichenkov. Breaking HTTPS with BGP hijacking. Black Hat USA Briefings, 2015
AS path poisoningI own 2.2.2.0/23AS 1AS containingexample.comCertificateAuthorityAS 2AS 3AdversaryAS 4I can get to 2.2.2.0/24through AS 4
AS path poisoningI own 2.2.2.0/23AS 1AS containingexample.comCertificateAuthorityAS 2AS 3AdversaryAS 4 Everyone seesannouncement but looksless suspicious Connectivity preserved Almost any AS canperform Very stealthyI can get to 2.2.2.0/24 through AS 4Perfect setup to intercepttraffic with certificate
Ethical framework for launching real-world attacks Hijack only our own prefixes Domains run on our own prefixes No real users attacked Approached trusted CAs for certificates
AS path poisoning attack demonstration
Results from real world attacksLet’s EncryptGoDaddyComodoSymantec*GlobalSignTime to issuecertificate35 seconds 2 min 2 min 2 min 2 Not ailEmail*At time of experiments Symantec was still a trusted CA
Results from real world attacksLet’s EncryptGoDaddyComodoSymantecGlobalSignTime to issuecertificate35 seconds 2 min 2 min 2 min 2 ilEmailAll studied CAs were vulnerable*At time of experiments Symantec was still a trusted CA
Additional AttacksCertificate More targets:Authority Authoritative DNS servers Mail serversBGPAdversaryBGPAdversaryDNS
Additional AttacksCertificate More targets:AuthorityBGPAdversary Authoritative DNS serversBGP Mail serversAdversary Attacking CA prefixes: Reverse (victim domain - CA) traffic alsovulnerableCertificateAuthorityBGP AdversaryDNS
Overview Domain Control ValidationBGP AttacksQuantifying VulnerabilityCountermeasuresTakeaways
Quantifying Vulnerability How many domains are vulnerable? How many adversaries can launch attacks?
Quantifying Vulnerability How many domains are vulnerable? How many adversaries can launch attacks? 1.8 million certificates via Certificate Transparency Common names resolved to IPs Recorded the BGP routes used for IPs at time of signing
Vulnerability of domains: sub-prefix attacks Any AS canlaunch Only prefixlengths lessthan /24vulnerable
Vulnerability of domains: sub-prefix attacks Any AS canlaunch Only prefixlengths lessthan /24vulnerable(filtering)28% of Domains Unaffected72% of Domains Vulnerable
Resilience to equally-specific prefix attacksAS 5I own 2.2.2.0/23AS 1AS containingexmaple.comUnaffected portionHijacked portionAS 3AS 4CertificateAuthorityAffectedI own 2.2.2.0/23AdversaryLad et al., “Understanding resiliency of Internet topology against prefix hijack attacks”, IEEE DSN, 2007
Resilience to equally-specific prefix attacksI own 2.2.2.0/23AS 1AS Unaffected portionHijacked portionAS 2AS 3AS 4I own 2.2.2.0/23AdversaryLad et al., “Understanding resiliency of Internet topology against prefix hijack attacks”, IEEE DSN, 2007
Resilience to equally-specific prefix attacksI own 2.2.2.0/23AS 1AS Unaffected portionHijacked portionAS 2AS 3AS 4 Probabilitya CA willbe resilientto attacksI own 2.2.2.0/23on aAdversaryLad et al., “Understanding resiliency of Internet topology against prefix hijack attacks”,domainIEEE DSN, 2007
Resilience of domains assuming random CA
Resilience of domains assuming random CAMedianMedian resilience is .5743% chance of attackviability
Choosing an affected CAI own 2.2.2.0/23AS 1AS containingexample.comCA 1Unaffected portionHijacked portionAS 3AS 4CA 2I own 2.2.2.0/23Adversary Around 100CAs Any one cansign any fordomain
Vulnerability of Domains: Equally-specific attacks
Vulnerability of Domains: Equally-specific attacksMedianMedian resiliencedrops from .57 to .2575% chance of attackviability
Overview Domain Control ValidationBGP AttacksQuantifying VulnerabilityCountermeasuresTakeaways
Multiple Vantage PointsAS 5I own 2.2.2.0/23AS 1AS containingexmaple.comUnaffected portionHijacked portionAS 3AS 4CertificateAuthorityI own 2.2.2.0/23Adversary
Multiple Vantage PointsI own 2.2.2.0/23AS 1Remote VantagePointAS containingexmaple.comUnaffected portionHijacked portionAS 3AS 4CertificateAuthorityI own 2.2.2.0/23Adversary
Multiple Vantage PointsI own 2.2.2.0/23AS 1Remote VantagePointAS containingexmaple.comUnaffected portionHijacked portionAS 3AS 4CertificateAuthorityI own 2.2.2.0/23Adversary Only signcertificateif allvantagepoints andCA agree
Multiple Vantage Points Key factor influencing Let’s Encrypts staging deployment Full deployment coming soon3 Remote Vantage Points in AS 16509123Data Center in AS 13649
Resilience Improvement of Multiple Vantage PointsResilience computed using Let’s Encrypt data center and optimally locatedadditional vantage points
Resilience Improvement of Multiple Vantage PointsResilience computed using Let’s Encrypt data center and optimally locatedadditional vantage pointsMedianMedian resilienceimproves from .60to .95
Other Defenses CAs: BGP Monitoring CA Prefix Length CA Resilience Domains: CAA DNS Records DNSSEC
Overview Domain Control ValidationBGP AttacksQuantifying VulnerabilityCountermeasuresTakeaways
Takeaways
TakeawaysNext BGP phishing attack themalicious certificate might be trusted!
Takeaways CAs bootstrap trust on the internet through digital certificates The majority of domains and CAs are vulnerable CAs must implement countermeasures soon Secure routing (i.e., BGPsec, RPKI, SCION) is still important evenwith end-to-end encryptionThanks to support fromMore information at https://secure-certificates.princeton.edu/
Takeaways Questions?CAs bootstrap trust on the internet through digital certificates The majority of domains and CAs are vulnerable CAs must implement countermeasures soon Secure routing (i.e., BGPsec, RPKI, SCION) is still important evenwith end-to-end encryptionThanks to support fromMore information at https://secure-certificates.princeton.edu/
The keys to all web encryption Border Gateway Protocol (BGP) attacks compromise this root of trust. Overview Domain Control Validation BGP Attacks . HTTP HTTP Email Email Email *At time of experiments Symantec was still a trusted CA. Results from real world attacks Let's Encrypt GoDaddy Comodo Symantec GlobalSign Time to issue