
Bamboozling Certificate Authorities with BGP

Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, Prateek Mittal
Princeton University

Abstract

The Public Key Infrastructure (PKI) protects users from malicious man-in-the-middle attacks by having trusted Certificate Authorities (CAs) vouch for the domain names of servers on the Internet through digitally signed certificates. Ironically, the mechanism CAs use to issue certificates is itself vulnerable to man-in-the-middle attacks by network-level adversaries. Autonomous Systems (ASes) can exploit vulnerabilities in the Border Gateway Protocol (BGP) to hijack traffic destined to a victim's domain. In this paper, we rigorously analyze attacks that an adversary can use to obtain a bogus certificate. We perform the first real-world demonstration of BGP attacks to obtain bogus certificates from top CAs in an ethical manner. To assess the vulnerability of the PKI, we collect a dataset of 1.8 million certificates and find that an adversary would be capable of gaining a bogus certificate for the vast majority of domains. Finally, we propose and evaluate two countermeasures to secure the PKI: 1) CAs verifying domains from multiple vantage points to make it harder to launch a successful attack, and 2) a BGP monitoring system for CAs to detect suspicious BGP routes and delay certificate issuance to give network operators time to react to BGP attacks.

1 Introduction

Digital certificates serve as the foundation of trust in encrypted communication. When a Certificate Authority (CA) is asked to sign a certificate, the CA must establish that the client requesting the certificate is the legitimate owner of the domain name in question. An adversary that obtains a trusted certificate can pose as the victim's domain and intercept/modify sensitive HTTPS traffic like bank logins and credit card information [24].

The mechanism used by CAs to verify domain ownership, known as domain control verification, is critical to preventing adversaries from obtaining trusted certificates for domains they do not control. Domain control verification is performed through a standardized set of methods including HTTP-based and email-based verification [18].

Recently, researchers have exposed several flaws in existing domain control verification mechanisms. WoSign was found issuing certificates to users that could demonstrate control of any TCP port at a domain (including those above 50,000) as opposed to strictly requiring control of traditional mail, HTTP, and TLS ports [3]. In addition, researchers have found instances of CAs sending domain control verification requests to email addresses that belong to ordinary users at a domain as opposed to bona fide administrators [1]. In response, countermeasures are being developed such as standardizing which URLs on a domain's web server can serve to verify control of that domain [11].

While these advances can defend against some attacks, none of them help to secure domain control verification against network-level adversaries, i.e., Autonomous Systems (ASes) that can manipulate the Border Gateway Protocol (BGP). Such adversaries can launch active BGP hijack and interception attacks to steal traffic away from victims or CAs, and spoof the domain control verification process to obtain bogus certificates.

In this paper, we first analyze and compare BGP attacks on the domain verification process to develop a taxonomy and present a highly effective use of the "AS-path poisoning" attack originally performed in [39]. Next, we launch all the BGP attacks against our own domain and decrypt seemingly "secure" HTTPS traffic within seconds. To avoid harming real users, these attacks were done in an ethical manner on domains that resolve into our own IP prefix and were registered solely for the purpose of the experiments. We then quantify the vulnerability of domain verification to these attacks. Finally, we propose countermeasures against these attacks. Our main contributions are as follows:

Active BGP Attacks on Domain Verification Process: We performed five types of real-world BGP attacks (against a domain we owned running on an IP prefix we controlled) during the domain verification process: 1) a traditional BGP sub-prefix attack, 2) a traditional BGP equally-specific-prefix attack (like the attack theorized in [22]), 3) a prepended BGP sub-prefix attack, 4) a prepended BGP equally-specific-prefix attack, and 5) a BGP AS-path poisoning attack (see section 2.2 for details about these attacks). We are the first to demonstrate the use of the prepended and AS-path poisoning attacks on the PKI, and the first to perform any of these attacks during the domain verification process in the wild. We successfully obtained bogus certificates from all of the top five CAs (Let's Encrypt, GoDaddy, Comodo, Symantec, GlobalSign) [8] in our real-world attacks. Our results were a major factor in Let's Encrypt's decision to start deploying the multiple-vantage-point countermeasure [37].

Quantify vulnerability of domains: We collected a dataset of 1.8 million certificates from Google's Certificate Transparency project logs [32] and studied the domains requesting those certificates. By observing the number of domains run out of IP prefixes shorter than 24 bits long (/24), we found that 72% of the domains were vulnerable to BGP sub-prefix hijack attacks and BGP AS-path poisoning attacks, which could allow any AS to get a certificate for these domains. Furthermore, the domains were vulnerable to BGP equally-specific-prefix attacks from an average of 70% of ASes.

Countermeasures against BGP attacks: We proposed and developed two countermeasures to mitigate the threat of BGP attacks: multiple vantage point verification and a live BGP monitoring system.

• Multiple Vantage Point Verification: We propose to perform domain control verification from multiple locations on the Internet (vantage points) to prevent localized BGP attacks. We calculate the best locations for vantage points and quantify the resulting security benefit.

• Live BGP Monitoring System: We design and implement (in Let's Encrypt's CA) a monitoring system with a novel route age heuristic to prevent short-lived BGP attacks [19] that can quickly lead to a bogus certificate before the attack is noticed. Our heuristic is designed for CAs and forces adversaries to keep attacks active for several hours, giving network operators time to react.

Some of the BGP attacks were briefly discussed in a short abstract [16]. In this paper, we go further by analyzing the complete attack surface of BGP attacks on the PKI and performing all the attacks in the wild, with success. We also measure the vulnerability of the current PKI to these attacks, and propose/evaluate two effective countermeasures to defend against the attacks.

2 BGP Attacks on the PKI

The Public Key Infrastructure (PKI) requires that all certificates be signed by a trusted certificate authority (CA). Browsers and any other TLS clients maintain lists of publicly trusted CAs. 135 organizations were recognized as commercial CAs (other CAs, such as the government of France, will not accept certificate signing requests from the general public) [20]. Any CA is capable of signing a certificate for any domain.

Domain Control Verification. In order to verify that an applicant requesting a certificate has control of the domain in question, the CA must perform domain control verification through a set of methods. Each method bootstraps trust by forcing a user to demonstrate control of an important network resource (e.g., a website or email address) associated with the domain. Figure 1 illustrates the domain control verification process with HTTP verification, which requires the user to make an agreed-upon change to the root directory of the website running at the domain. Another commonly used method is email verification, by which an email is sent to an administrator's email address at the domain, requiring the administrator to visit a randomly generated URL before continuing. Other methods include DNS TXT verification or methods that do not rely on communication via the Internet (e.g., official letters of authorization).

Figure 1: HTTP domain control verification.

BGP Attacks on Domain Control Verification. The domain control verification process creates a vulnerability to network-level adversaries who can fake control of the network resources in steps (5) and (6) in Figure 1. An adversary can send a certificate signing request for a victim's domain to a CA. When the CA verifies the network resources via an HTTP GET request in step (5), the adversary can use BGP attacks to hijack/intercept the traffic to the victim's domain such that the CA's request will be routed to the adversary instead. The adversary can then answer the CA's HTTP request in step (6) and present the document required for domain control verification.

Our key contribution in this section is to explore the broad BGP attack surface that can be used to obtain a bogus TLS certificate in the above process. We first develop an adversary model, and then explore five types of BGP attacks. In particular, we propose and analyze an advanced and stealthy AS-path poisoning attack, that can

IP address of the victim's domain, or the IP address of any DNS server involved in resolving the victim's domain to give a bogus DNS response to the CA. This will cause the CA to request the verification webpage from the adversary as opposed to the victim. In addition, it is possible for the adversary to attack a CA's IP address.
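The following is an added worked example; it is not code from the paper or from any CA's implementation. It models steps (5) and (6) of Figure 1 with a toy longest-prefix-match routing table at each CA vantage point, runs the sub-prefix and equally-specific-prefix attacks from Section 2 against it, and then applies the multiple-vantage-point countermeasure from the contributions list as a quorum over the per-vantage-point results. The AS numbers, prefixes, AS paths, vantage-point names, challenge token and the ACME-style challenge path are all constructed assumptions. The "/24 filter" in Rib.announce models the common operator practice of dropping announcements more specific than /24, which is why the paper's measurement keys on domains hosted in prefixes shorter than /24.

```python
"""
Toy model of the attack in Figure 1 (steps 5 and 6): a CA fetches an HTTP
challenge file, and BGP decides whether the victim or an adversary answers.
Constructed example; AS numbers, prefixes, paths and the token are hypothetical.
"""
import ipaddress

VICTIM_AS, ADVERSARY_AS = 64501, 64502
DOMAIN_IP = "198.51.100.10"                  # address the victim's domain resolves to
TOKEN = "challenge-token-abc123"             # value the CA asked to be served
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"

# Per vantage point: the AS path learned to the victim's legitimate route, and
# the path it would learn for the adversary's announcement (constructed).
VICTIM_PATHS = {"ca-us-east":  (64510, VICTIM_AS),
                "ca-eu-west":  (64520, 64511, VICTIM_AS),
                "ca-ap-south": (64530, 64512, 64511, VICTIM_AS)}
ADV_PATHS =    {"ca-us-east":  (64510, 64513, 64514, ADVERSARY_AS),  # farther than victim
                "ca-eu-west":  (64520, 64515, ADVERSARY_AS),         # same length as victim
                "ca-ap-south": (64530, ADVERSARY_AS)}                # closer than victim


class Rib:
    """A vantage point's routing table. Best route = longest prefix match,
    then shortest AS path; on a full tie the route seen first is kept."""

    def __init__(self, name):
        self.name = name
        self.routes = []                     # (network, origin_as, as_path)

    def announce(self, prefix, origin_as, as_path, max_prefixlen=24):
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > max_prefixlen:    # typical operator filter: drop longer than /24
            return False
        self.routes.append((net, origin_as, tuple(as_path)))
        return True

    def lookup(self, ip):
        """Origin AS a packet to `ip` is delivered to from this vantage point."""
        addr = ipaddress.ip_address(ip)
        cands = [r for r in self.routes if addr in r[0]]
        if not cands:
            return None
        return max(cands, key=lambda r: (r[0].prefixlen, -len(r[2])))[1]


def serve(origin_as, path):
    """Step (6): the host the packet reached answers. Only the adversary, who
    submitted the CSR, knows the token; the victim never requested a
    certificate and has nothing at that path (None = 404)."""
    if origin_as == ADVERSARY_AS and path == CHALLENGE_PATH:
        return TOKEN
    return None


def http01_check(rib, domain_ip=DOMAIN_IP):
    """Step (5): the CA fetches the challenge file via this vantage point's
    routing table and accepts iff the body equals the token."""
    return serve(rib.lookup(domain_ip), CHALLENGE_PATH) == TOKEN


def scenario(victim_prefix, attack):
    """Run one attack ('subprefix' or 'equal') against a victim hosted in
    `victim_prefix`; return the verification outcome at each vantage point."""
    results = {}
    for name in VICTIM_PATHS:
        rib = Rib(name)
        rib.announce(victim_prefix, VICTIM_AS, VICTIM_PATHS[name])
        if attack == "subprefix":
            # one bit more specific than the victim's route, covering DOMAIN_IP
            plen = ipaddress.ip_network(victim_prefix).prefixlen + 1
            sub = ipaddress.ip_network(f"{DOMAIN_IP}/{plen}", strict=False)
            rib.announce(str(sub), ADVERSARY_AS, ADV_PATHS[name])
        else:
            rib.announce(victim_prefix, ADVERSARY_AS, ADV_PATHS[name])
        results[name] = http01_check(rib)
    return results


def issue(results, quorum):
    """Multiple-vantage-point countermeasure: issue only if at least `quorum`
    vantage points independently verified the challenge."""
    return sum(results.values()) >= quorum


if __name__ == "__main__":
    for prefix, attack in [("198.51.100.0/23", "subprefix"),
                           ("198.51.100.0/24", "subprefix"),
                           ("198.51.100.0/24", "equal")]:
        r = scenario(prefix, attack)
        print(f"{attack:9s} vs {prefix}: {r}  issue(quorum=2)={issue(r, 2)}")
```

In this model the sub-prefix attack against a domain hosted in a /23 fools every vantage point, because the adversary's /24 wins longest-prefix match regardless of path length, so a quorum does not help; against a domain already in a /24 the /25 is filtered and the attack fails outright. The equally-specific-prefix attack only captures the vantage point topologically closer to the adversary, so a single-vantage CA at that location issues the bogus certificate while a quorum of two refuses. That split is the reason the paper pairs multiple-vantage-point verification with the route-age monitoring system rather than relying on either alone.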