German researchers circumvent key web security mechanism

Security shortcomings in the mechanism used by Lets Encrypt to validate domain ownership allowed researchers to circumvent these controls

Security shortcomings in the mechanism used by Let’s Encrypt to validate web domain ownership create a loophole that allow cybercriminals to get digital certificates for domains more easily.

A team of researchers led by Haya Shulman, director of the Cybersecurity Analytics and Defences department at the Fraunhofer Institute for Secure Information Technology in Germany, discovered a hacking technique that allowed them to circumvent Let’s Encrypt domain validation technology.

Catch up on the latest encryption-related news and analysis

Let’s Encrypt is a non-profit certificate authority that provides domain owners with SSL certificates, which are used to authenticate sites using HTTPS.

The organization’s distributed domain validation technology, introduced in February 2020, in response to earlier Border Gateway Protocol-based hijacking attacks, is designed to thwart one form of manipulator-in-the-middle attacks.

Shulman and her team showed that the technology was vulnerable to a form of downgrade attack, partly because the way “vantage points select the nameservers in target domains can be manipulated by a remote adversary”.

Another weakness of the technology is that vantage points are selected from a small, fixed set of just four cloud-based systems.

The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).

Fake it ‘til you make it

The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”. The system is tricked into using a specific nameserver by introducing high latency into connections to other validation nodes.

In controlled tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.

An automated off-path attack developed by the researchers and targeting this vulnerable sub-set of domains succeeded in obtaining fraudulent certificates for more than 107,000 domains, around one in 10 (10%) of the one million tested domains.

The researchers also evaluated the effectiveness of their attacks against other leading certificate authorities, discovering that the techniques that they had developed had stripped away the security advantages that Let’s Encrypt would otherwise have enjoyed.

Let's Encrypt is the only CA using multi-perspective validation but the attack could also offer a means to attack the validation technologies used by other certificate authorities.

YOU MAY ALSO LIKE HTTP/2 flaws expose organizations to fresh wave of request smuggling attacks