Black Hat USA: Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates

3 years ago 340
BOOK THIS SPACE FOR AD
ARTICLE AD

German researchers circumvent key web security mechanism

Security shortcomings in the mechanism used by Lets Encrypt to validate domain ownership allowed researchers to circumvent these controls

Security shortcomings in the mechanism used by Let’s Encrypt to validate web domain ownership create a loophole that allow cybercriminals to get digital certificates for domains more easily.

A team of researchers led by Haya Shulman, director of the Cybersecurity Analytics and Defences department at the Fraunhofer Institute for Secure Information Technology in Germany, discovered a hacking technique that allowed them to circumvent Let’s Encrypt domain validation technology.

Catch up on the latest encryption-related news and analysis

Let’s Encrypt is a non-profit certificate authority that provides domain owners with SSL certificates, which are used to authenticate sites using HTTPS.

The organization’s distributed domain validation technology, introduced in February 2020, is response to earlier attacks, is designed to thwart manipulator-in-the-middle attacks.

Shulman and her team showed that the technology was vulnerable to a form of downgrade attack, partly because the way “vantage points select the nameservers in target domains can be manipulated by a remote adversary”.

Another weakness of the technology is that vantage points are selected from a small, fixed set.

The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).

Fake it ‘til you make it

The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”.

In tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.

An automated off-path attack developed by the researchers and targeting this vulnerable sub-set of domains succeeded in obtaining fraudulent certificates for more than 107,000 domains, around one in 10 (10%) of the one million tested domains.

The researchers also evaluated the effectiveness of their attacks against other leading Certificate Authorities, discovering that the techniques that they had developed had stripped away the security advantages that Let’s Encrypt would otherwise have enjoyed.

YOU MAY ALSO LIKE HTTP/2 flaws expose organizations to fresh wave of request smuggling attacks

Read Entire Article