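% Brandt et al., CCS 2018: off-path DNS cache poisoning against CAs that rely
% on Domain Validation (DV), and the proposed DV++ defence (see abstract).
% Record notes:
%   - doi holds the bare DOI, without the https://doi.org/ resolver prefix.
%   - author names use the unambiguous "Last, First" form.
%   - acronyms and the proper name in the title are brace-protected so that
%     sentence-casing styles do not lowercase them.
%   - language is given in English rather than the exporter's localized label,
%     which also keeps the record ASCII-only for classic BibTeX.
%   - publisher is taken from the copyright statement in the note field.
@inproceedings{324058a194f6495685f2b10a0cabb2a5,
  author    = {Brandt, Markus and Dai, Tianxiang and Shulman, Haya and Klein, Amit and Waidner, Michael},
  title     = {{Domain Validation++} for {MitM}-resilient {PKI}},
  booktitle = {CCS 2018 - Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security},
  series    = {Proceedings of the ACM Conference on Computer and Communications Security},
  pages     = {2060--2076},
  publisher = {Association for Computing Machinery},
  year      = {2018},
  month     = oct,
  day       = {15},
  doi       = {10.1145/3243734.3243790},
  language  = {English},
  keywords  = {CA attacks, Certificates, DNS cache poisoning, PKI security},
  abstract  = {The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs). We practically demonstrate for the first time that even a weak off-path attacker can effectively subvert the trustworthiness of popular commercially used CAs. Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99\% of the certificates market. The attack utilises DNS Cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own -- namely certificates binding the attacker{\textquoteright}s public key to a victim domain. We discuss short and long term defences, but argue that they fall short of securing DV. To mitigate the threats we propose Domain Validation++ (DV++). DV++ replaces the need in cryptography through assumptions in distributed systems. While retaining the benefits of DV (automation, efficiency and low costs) DV++ is secure even against Man-in-the-Middle (MitM) attackers. Deployment of DV++ is simple and does not require changing the existing infrastructure nor systems of the CAs. We demonstrate security of DV++ under realistic assumptions and provide open source access to DV++ implementation.},
  note      = {Publisher Copyright: {\textcopyright} 2018 Association for Computing Machinery.; 25th ACM Conference on Computer and Communications Security, CCS 2018 ; Conference date: 15-10-2018},
}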