Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Attackers could use Internet route hijacking to get fraudulent HTTPS certificates

Lucian Constantin | Aug. 6, 2015
Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that secures communications between users and websites.

Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that secures communications between users and websites.

The Border Gateway Protocol (BGP), which is used by computer network operators to exchange information about which Internet Protocol (IP) addresses they own and how they should be routed, was designed at a time when the Internet was small and operators trusted each other implicitly, without any form of validation.

If one operator, or autonomous system (AS), advertises routes for a block of IP addresses that it doesn't own and its upstream provider passes on the information to others, the traffic intended for those addresses might get sent to the rogue operator.

Such incidents are called BGP hijacking, when done intentionally by a malicious actor, or route leaking, when caused by human error or misconfiguration, and are increasingly common. Their impact can be local or global, depending on their particular circumstances.

While there are best security practices that could prevent such incidents, they are not implemented by all network operators around the world. The networks where these security practices are not implemented are also the ones that are most likely to have vulnerable border gateway routers that hackers could attack.

At the Black Hat security conference in Las Vegas Wednesday there were two talks dedicated to BGP hijacking, highlighting the importance of this topic to the security community. In one of them, a Russian security researcher, named Artyom Gavrichenkov, showed how attackers could perform a BGP hijacking attack that would affect only a small geographic region, but which could help them trick a certificate authority to issue a valid certificate for a domain name they don't own.

In order for this to work, the attackers would need to pick a target website whose IP address is part of an AS located in a different region of the world. For example attackers in Asia could decide to target Facebook. They would then need to pick a local certificate authority (CA) that is very close to the rogue autonomous system from where the attack will originate.

The goal of the attack would be to make the certificate authority's ISP believe that Facebook's IP address is owned by the rogue AS instead of Facebook's real AS. The goal of picking a far away target is to lower the chances that the real AS will notice the hijacking -- essentially that a small portion of the Internet believes Facebook is part of a different network.

The process of obtaining a TLS certificate for a domain involves proving that the person who requested the certificate has control of the domain name. This check can be done in an automated manner in several ways: by uploading a special CA-provided page to the server where the domain name is hosted so that the CA can check if it exists, by sending an email to the email address listed in the domain's WHOIS record or by creating a Domain Name System TXT record for the domain. Only one of these methods is enough to confirm ownership.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.