A security shortcoming in the mechanism Let’s Encrypt uses to validate web domain ownership creates a loophole that allows cybercriminals to obtain digital certificates for domains more easily.
A team of researchers led by Haya Shulman, director of the Cybersecurity Analytics and Defences department at the Fraunhofer Institute for Secure Information Technology in Germany, discovered a hacking technique that allowed them to circumvent Let’s Encrypt domain validation technology.
Let’s Encrypt is a non-profit certificate authority that provides domain owners with SSL certificates, which are used to authenticate sites using HTTPS.
The organization’s distributed domain validation technology, introduced in February 2020 in response to earlier Border Gateway Protocol-based hijacking attacks, is designed to thwart one form of manipulator-in-the-middle attack.
Shulman and her team showed that the technology was vulnerable to a form of downgrade attack, partly because the way “vantage points select the nameservers in target domains can be manipulated by a remote adversary”.
Another weakness of the technology is that vantage points are selected from a small, fixed set of just four cloud-based systems.
The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).
The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”. The system is tricked into using a specific nameserver by introducing high latency into connections to other validation nodes.
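The downgraded state described above can be spotted from validation records, as in this added example, which is not code from the researchers or from Let’s Encrypt. The record format, the sample addresses, the function name and the `min_distinct_ns` threshold are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records: (vantage_point, nameserver_that_answered, check_passed).
# Names and addresses are made up (documentation address ranges).
AUTHORITATIVE_NS = ["192.0.2.53", "198.51.100.53", "203.0.113.53"]

NORMAL = [
    ("vp-1", "192.0.2.53", True),
    ("vp-2", "198.51.100.53", True),
    ("vp-3", "203.0.113.53", True),
    ("vp-4", "192.0.2.53", True),
]

# Every vantage point ended up querying the same nameserver.
DOWNGRADED = [(vp, "203.0.113.53", True) for vp in ("vp-1", "vp-2", "vp-3", "vp-4")]


def audit_validation(records, authoritative_ns, min_distinct_ns=2):
    """Return (verdict, detail) for one multi-vantage-point validation.

    Hypothetical policy: answers must come from listed nameservers, and
    the vantage points must not all depend on one nameserver when the
    domain publishes more than one.
    """
    used = Counter(ns for _, ns, ok in records if ok)
    if not used:
        return "reject", "no vantage point validated successfully"

    unlisted = sorted(set(used) - set(authoritative_ns))
    if unlisted:
        return "reject", f"answers from unlisted nameservers: {unlisted}"

    # A domain with a single nameserver cannot show any diversity.
    required = min(min_distinct_ns, len(set(authoritative_ns)))
    if len(used) < required:
        ns, count = used.most_common(1)[0]
        return "flag", f"{count} vantage points all relied on {ns}"

    return "accept", f"{len(used)} distinct nameservers answered"


if __name__ == "__main__":
    for label, recs in (("normal", NORMAL), ("downgraded", DOWNGRADED)):
        print(label, audit_validation(recs, AUTHORITATIVE_NS))
```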
In controlled tests, the researchers found that attackers were able to launch attacks against one in four domains (24.53%).
An automated off-path attack developed by the researchers and targeting this vulnerable subset of domains succeeded in obtaining fraudulent certificates for more than 107,000 domains, around one in 10 (10%) of the one million tested domains.
The researchers also evaluated the effectiveness of their attacks against other leading certificate authorities, discovering that the techniques that they had developed had stripped away the security advantages that Let’s Encrypt would otherwise have enjoyed.
Let’s Encrypt is the only CA using multi-perspective validation, but the attack could also offer a means to attack the validation technologies used by other certificate authorities.