Security news that informs and inspires

Seeking Validation in a Hostile World

Attacks on the core infrastructure and protocols that underpin the Internet can be distressingly simple to pull off, from BGP route hijacks to compromises of certificate authorities to DNS spoofing, and there nearly as many attempted defenses as there are attack varieties. Cloudflare is now launching a new free service that its engineers hope will offer a solid defense against several of the more common attacks and help enterprises stay in control of the key pieces of their infrastructures.

One of the key elements of the global Internet is that no one entity owns or controls it. The network is in reality a conglomeration of individual networks of varying sizes owned by countries, companies, and various other entities. This means that the Internet isn’t at the mercy of one company or country, which is a net positive, but it also means that no one entity is in charge of defending it either. The domain name system’s root servers, for example, are controlled by a small group of universities, private companies, and government agencies. The global certificate authority ecosystem, meanwhile, is a labyrinth of huge providers, tiny niche players, and shell companies, all held together with good will and superglue.

Attackers know this as well as anyone, and over the years have devised any number of ways to take advantage of the inherent trust built into the various pieces of the Internet’s core. Attacks on CAs that result in mis-issued certificates are a dime a dozen and BGP route hijacking incidents are becoming more and more common and increasingly problematic. Cloudflare operates one of the larger content delivery networks (CDN) and a significant portion of the Internet’s traffic passes through its network on any given day, so the company is in a good position to observe the techniques that attackers are using to compromise pieces of the global infrastructure. It’s also in a good position to do something about those attacks.

On Tuesday the company announced a new service that addresses several of the core weaknesses in the CA system and DNS and routing infrastructure that enable some of the more damaging attacks. The service gives CAs a free API they can use to perform domain control validation (DCV) from a number of individual points across Cloudflare’s network. DCV is the process by which certificate authorities validate that an entity trying to get a certificate for a given domain actually owns the domain. There are a couple of main ways to do that, one through HTTP and one through DNS. Both involve the domain owner placing a file with some specific attributes in a specific place, either on the web server or in the DNS resource record. The CA then retrieves the file and if everything matches up, can issue the certificate.

A BGP route hijack would be one of the more effective ways of targeting the DCV process.

Both of these methods are susceptible to various attacks that target the DNS infrastructure or the BGP protocol, which is used to route traffic to the right destination in the most efficient manner. A BGP route hijack would be one of the more effective ways of targeting the DCV process.

“These attacks create a vulnerability when an adversary sends a certificate signing request for a victim’s domain to a CA. When the CA verifies the network resources using an HTTP GET request, the adversary then uses BGP attacks to hijack traffic to the victim’s domain in a way that the CA’s request is rerouted to the adversary and not the domain owner,” Dina Kozlov and Gabbi Fisher of Cloudflare said.

In that scenario, the adversary would then be able to get a valid certificate for the domain owned by the victim. The same result could be obtained by using DNS spoofing to impersonate a DNS nameserver that’s involved in resolving the target domain. The success of these attacks is contingent upon there being a single entity performing the domain control validation, so Cloudflare’s approach to solving the problem is to perform the DCV from many different points in its network. The system takes advantage of the global, distributed nature of Cloudflare’s data center infrastructure to make compromising the DCV process much more difficult.

“Each datacenter has a unique path to DNS nameservers or HTTP endpoints, which means that successful hijacking of a BGP route can only affect a subset of DCV requests, further hampering BGP hijacks. And since we use RPKI, we actually sign and verify BGP routes,” Kozlov and Fisher said.

“This DCV checker additionally protects CAs against off-path, DNS spoofing attacks. An additional feature that we built into the service that helps protect against off-path attackers is DNS query source IP randomization. By making the source IP unpredictable to the attacker, it becomes more challenging to spoof the second fragment of the forged DNS response to the DCV validation agent. By comparing multiple DCV results collected over multiple paths, our DCV API makes it virtually impossible for an adversary to mislead a CA into thinking they own a domain when they actually don’t. CAs can use our tool to ensure that they only issue certificates to rightful domain owners.”

The DCV service uses agents across Cloudflare’s network that perform the checks and then report the results to a central orchestrator, which then compares all of them and reports back to the CA. The CA ecosystem has been a source of headaches, problems, and debate since its inception, and no one technology or service is likely to change that overnight, experts say.

"The X.509 PKI is like a sucking chest wound in the security of the Internet and therefore in the security of the world's electronic commerce system. Domain Control Verification (DCV) is like a band-aid on that sucking chest wound, and CloudFlare's newly announced capability to perform DCV from 175 data centers simultaneously is, in effect, a better and stronger band-aid. We will need these band-aids until DNSSEC Authenticated Named Entities (DANE) can be deployed, but we should not mistake any of the band-aids for real and enduring solutions to the Internet's sucking chest wound problem," said Paul Vixie, an expert on the DNS system, and CEO of security firm Farsight Security.