Free Cloudflare Tool Helps CAs Securely Issue Certificates

Internet performance and security firm Cloudflare on Tuesday announced the availability of a free API designed to help certificate authorities (CAs) securely issue certificates by ensuring that malicious actors cannot complete the domain control validation process via BGP hijacking or DNS spoofing attacks.


When an entity requests a certificate for their website, they are required to complete a domain control validation (DCV) process that proves they are the legitimate owner of the domain. This process can involve creating a specific DNS resource record, uploading a specific file to the web server linked to the domain, or proving ownership of the domain’s administrative email account.


However, a team of researchers recently demonstrated that CAs can be “bamboozled” with Border Gateway Protocol (BGP) attacks. They successfully carried out their attack methods against Let’s Encrypt, Comodo, Symantec, GoDaddy and GlobalSign.


Threat actors can also fraudulently complete the verification process using DNS spoofing attacks.


BGP hijacking and DNS spoofing allow attackers to reroute the requests sent by the CA during the validation process to a server they control instead of the legitimate domain’s server, so the CA accepts the attacker’s response as if it came from the domain.


Once an attacker has obtained a bogus certificate for the targeted domain, they can impersonate the victim and intercept encrypted traffic. The misissued certificate can be detected through Certificate Transparency logs, but it can take many hours for the rogue certificate to appear in these logs and for web browsers to take action.


Cloudflare’s new tool aims to proactively address the risk of certificates issued through fraudulent DCV by using the company’s vast network to perform the DCV process from multiple locations around the world.
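The following is an added illustration of the multi-vantage-point idea described above, written for this article; it is not Cloudflare’s code or API. It simulates the DCV fetch (the challenge token published via the HTTP file or DNS record method) from three hypothetical locations and applies a quorum rule, showing how a hijack that only diverts the path from one location fails validation. The vantage-point names, the token, what each location "observes" and the quorum policy are all constructed inputs so that it runs offline.

```python
"""Added example, not Cloudflare's code: simulated multi-vantage-point
domain control validation (DCV) with a quorum rule.

All network behaviour is constructed so this runs offline. A real
implementation would fetch the HTTP challenge file or DNS TXT record
from each location over the network.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """What one vantage point saw when it performed the DCV fetch.
    token is None when the challenge was not found or the fetch failed
    (e.g. HTTP 404, no TXT record, timeout)."""
    vantage_point: str
    token: Optional[str]


@dataclass(frozen=True)
class Verdict:
    passed: bool
    matching: tuple     # locations that retrieved the expected token
    missing: tuple      # locations that retrieved nothing
    conflicting: tuple  # locations that retrieved a different value


def make_challenge_token() -> str:
    """The CA issues a fresh, unpredictable token the requester must publish."""
    return secrets.token_urlsafe(32)


def token_matches(expected: str, observed: Optional[str]) -> bool:
    """Constant-time comparison; an absent observation never matches."""
    if observed is None:
        return False
    return hmac.compare_digest(expected.encode(), observed.encode())


def multi_perspective_dcv(expected: str, observations: list, quorum: int) -> Verdict:
    """Policy chosen for this example (hypothetical, not Cloudflare's stated
    rule): pass only if at least `quorum` locations retrieved the expected
    token and none retrieved a conflicting value. Fetch failures are
    tolerated up to len(observations) - quorum.

    An attacker who requests the certificate knows the token and serves it
    from their own server, but a BGP hijack or DNS spoof usually only
    captures the paths from some locations; the others reach the real
    server, which has never seen the token, so the match count falls short.
    An attacker who can divert `quorum` or more locations still wins, which
    is why the vantage points must be topologically diverse."""
    matching, missing, conflicting = [], [], []
    for obs in observations:
        if token_matches(expected, obs.token):
            matching.append(obs.vantage_point)
        elif obs.token is None:
            missing.append(obs.vantage_point)
        else:
            conflicting.append(obs.vantage_point)
    passed = len(matching) >= quorum and not conflicting
    return Verdict(passed, tuple(matching), tuple(missing), tuple(conflicting))


# Constructed scenarios; the location names are hypothetical.
VANTAGE_POINTS = ("us-east", "eu-west", "ap-south")


def scenario_legitimate(token: str) -> Verdict:
    """Real owner published the token; every location retrieves it."""
    return multi_perspective_dcv(token, [Observation(vp, token) for vp in VANTAGE_POINTS], quorum=2)


def scenario_one_location_down(token: str) -> Verdict:
    """Legitimate request, but one location times out."""
    obs = [Observation("us-east", token), Observation("eu-west", None), Observation("ap-south", token)]
    return multi_perspective_dcv(token, obs, quorum=2)


def scenario_localized_hijack(token: str) -> Verdict:
    """Attacker diverts the route as seen from us-east only and serves the
    token there; the real server, reached from the other two, has none."""
    obs = [Observation("us-east", token), Observation("eu-west", None), Observation("ap-south", None)]
    return multi_perspective_dcv(token, obs, quorum=2)


def scenario_conflicting_content(token: str) -> Verdict:
    """One location receives a different value (e.g. a spoofed DNS answer)."""
    obs = [Observation("us-east", token), Observation("eu-west", token),
           Observation("ap-south", "spoofed-or-stale-value")]
    return multi_perspective_dcv(token, obs, quorum=2)


if __name__ == "__main__":
    t = make_challenge_token()
    for name, fn in [("legitimate", scenario_legitimate), ("one location down", scenario_one_location_down),
                     ("localized hijack", scenario_localized_hijack), ("conflicting content", scenario_conflicting_content)]:
        v = fn(t)
        print(f"{name:20s} passed={v.passed} matching={v.matching} missing={v.missing} conflicting={v.conflicting}")
```

The quorum of 2 out of 3 is a deliberately small illustration; the practical choice is a trade-off between tolerating a genuinely unreachable location and raising the number of independent paths an attacker would have to hijack simultaneously.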


“Given that Clo ..
