USENIX Security 2018

Bamboozling Certificate Authorities with BGP

Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, Prateek Mittal

Cited 83 times

Abstract

AS path poisoning attack demonstration

Results from real-world attacks

CA              Time to issue certificate   Human interaction   Multiple vantage points   Validation method attacked
Let's Encrypt   35 seconds                  No                  Not yet                   HTTP
GoDaddy         < 2 min                     No                  No                        HTTP
Comodo          < 2 min                     No                  No                        Email
Symantec*       < 2 min                     No                  No                        Email
GlobalSign      < 2 min                     No                  No                        Email

* At the time of the experiments Symantec was still a trusted CA.

All studied CAs were vulnerable.

Additional Attacks
• More targets:
  ○ Authoritative DNS servers
  ○ Mail servers

Certificate