Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Attackers could use Internet route hijacking to get fraudulent HTTPS certificates

Lucian Constantin | Aug. 6, 2015
Inherent insecurity in the routing protocol that links networks on the Internet poses a direct threat to the infrastructure that secures communications between users and websites.

Creating a page on the server that hosts the domain is the easiest check to pass by using a BGP hijacking attack. The attacker would need to set up a Web server, create the page, then advertise rogue routes for Facebook's IP address. Those routes will propagate regionally affecting the certificate authority and tricking it into believing the page was actually hosted on Facebook's domain. The CA would then issue the SSL certificate.

The fraudulent, but nevertheless valid digital certificate, could then be used to launch man-in-the-middle attacks against Facebook users anywhere in the world, not just the region where the BGP hijacking happened.

The current digital certificate infrastructure that underpins secure communications on the Web doesn't take routing flaws into consideration, Gavrichenkov said. And because it is built into everything, from desktop computers to embedded devices and mobile phones, it can't be easily changed, he said.

The underlying problem is with the Internet routing protocol and the lack of implementation of recommended security practices. However, the BGP hijacking issue has been known for a very long time and the researcher believes it's unlikely to be fixed anytime soon either.

Efforts like the Certificate Transparency framework proposed by Google, or the certificate pinning mechanisms implemented in some browsers could help detect when rogue certificates are issued, but that's more of a workaround than a fix since they're not widely adopted yet.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.