SlideShare uma empresa Scribd logo

Four years of breaking HTTPS with BGP hijacking

APNIC
APNIC

Presentation by Töma Gavrichenkov at APRICOT 2019 on Wednesday, 27 February 2019.

Internet
1 de 51
Four Years of Breaking HTTPS with BGP Hijacking Töma Gavrichenkov <ag@qrator.net> GPG: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
April 24, 2018: myetherwallet.com gets BGP hijacked • Went for 2 hours unnoticed • Was using rogue HTTPS certificate so users clicked through certificate errors • https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/ MyEtherWallet
DNS A myetherwallet.com?
DNS A myetherwallet.com? myetherwallet.com A 52.85.173.X
DNS A myetherwallet.com? myetherwallet.com A 52.85.173.X TLS Client Hello myetherwallet.com
DNS A myetherwallet.com? myetherwallet.com A 52.85.173.X TLS Client Hello myetherwallet.com TLS Server Hello myetherwallet.com
DNS A myetherwallet.com? myetherwallet.com A 46.161.42.x
DNS A myetherwallet.com? myetherwallet.com A 46.161.42.x TLS Client Hello myetherwallet.com
DNS A myetherwallet.com? myetherwallet.com A 46.161.42.x TLS Client Hello myetherwallet.com TLS Server Hello 46.161.42.X
• The attacker was using a self-signed TLS certificate • It’s not that easy to get through HTTPS certificate errors with a contemporary browser • Yet, some users still ignored the warnings • Which made some of the experts blame the users • ”We should make HTTPS warnings harder to click through” MyEtherWallet
”We should make HTTPS warnings harder to click through” — Whoops. Nope. It wouldn’t help here — because of BGP. MyEtherWallet
http://www.blackhat.com/us-15/briefings.html#breaking-https-with-bgp-hijacking • TL;DR: companies issuing certificates are using the same techniques to verify the remote side • Hence after BGP hijacking an attacker can obtain a valid HTTPS certificate for the target site “Breaking HTTPS with BGP hijacking”
http://www.blackhat.com/us-15/briefings.html#breaking-https-with-bgp-hijacking • 2 basic types: • Global Hijacking • Local Hijacking • With both types, it’s possible to feed a CA’s verifying script with false data: • HTTP • DNS • WHOIS “Breaking HTTPS with BGP hijacking”
http://www.blackhat.com/us-15/briefings.html#breaking-https-with-bgp-hijacking • 2 basic types: • Global Hijacking • Local Hijacking • With both types, it’s possible to feed a CA’s verifying script with false data, which in turn would lead to a valid certificate issued and sent to an attacker • After that, (nearly) impossible to reliably investigate the incident “Breaking HTTPS with BGP hijacking”
An immediate feedback from PKIX industry experts:
• No reports of the attack happening in the wild • Extended Validation addresses the issue • RFC 7469 “HTTP Public Key Pinning” sees more and more adoption • Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus Ergo: not something to really worry about https://www.securityweek.com/should-you-be-worried-about-bgp-hijacking-your-https A feedback from PKIX industry experts:
1. “No reports of the attack happening in the wild” 2. “Extended Validation addresses the issue” 3. “RFC 7469 “HTTP Public Key Pinning” sees more and more adoption” 4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus” It’s now almost 4 years ago. How did that go?
“That’s a conference type attack. Those won’t happen in practice.” — Someone in a private conversation 1. “No reports of the attack happening in the wild”
“That’s a conference type attack. Those won’t happen in practice.” — Someone in a private conversation Yet it turns out they do. • You only need a cryptocurrency exchange large enough — or a motivated attacker • MyEtherWallet attackers could’ve done that easily • Probably they don’t attend conferences • Actually, 2 other (suspected) cases were reported directly to the authors during 2018 1. “No reports of the attack happening in the wild”
Except it’s dead. • Not shown on mobile devices • Web sites ditching EV • No way to automate 2. “Extended Validation addresses the issue” https://www.troyhunt.com/extended-validation-certificates-are-dead/
Except it’s dead, either. • Hard to automate • Got low adoption • Risks of hostile pinning 3. “RFC 7469 “HTTP Public Key Pinning” sees more and more adoption” https://www.chromestatus.com/feature/5903385005916160
4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus”
4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus” • …yes, the “majority” part is just broken, but, nevertheless, we’ve got the idea. So what? • It turns out someone finally got interested with the issue (before the malicious ones did). Guess who cared?
4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus” • …yes, the “majority” part is just broken, but, nevertheless, we’ve got the idea. So what? • It turns out someone finally got interested with the issue (before the malicious ones did). Guess who cared? Scientists.
https://www.petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.pdf Jennifer Rexford et al., Princeton University, 2017 “Using BGP to Acquire Bogus TLS Certificates”
https://www.petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.pdf Jennifer Rexford et al., Princeton University, 2017 • Confirmed the observations • Got real certificates issued by: • Symantec • Comodo • Let’s Encrypt • GoDaddy “Using BGP to Acquire Bogus TLS Certificates”
http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf Jennifer Rexford et al., Princeton University, 2018 “Bamboozling Certificate Authorities with BGP”
http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf Jennifer Rexford et al., Princeton University, 2018 • Topic development: 5 different cases • ”Global Hijacking” -> Traditional sub-prefix attack • “Local Hijacking” -> Traditional equally-specific-prefix attack • Prepended sub-prefix attack • Prepended equally-specific-prefix attack • AS-path poisoning attack “Bamboozling Certificate Authorities with BGP”
• “Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates”, Borgolte et al., UC Santa Barbara http://www.utdallas.edu/~shao/papers/borgolte_ndss18.pdf • “RiPKI: The tragic story of RPKI deployment in the Web ecosystem”, Wählisch et al., FU Berlin http://conferences.sigcomm.org/hotnets/2015/papers/wahlisch.pdf • “Secure Entity Authentication”, Dou, Zuochao, New Jersey Institute of Technology • etc. (Google Scholar keeps pinging me from time to time) Further Research
• Certificate transparency • DNS Certificate Authority Authorization RR: RFC 6844 So what did CAs do?
• Certificate transparency • Leaves an attack window before the issuance and first OCSP actions: the MyEtherWallet attack, for instance, lasted only for 2 hours • DNS Certificate Authority Authorization RR: RFC 6844 • Doesn’t prevent the case of a fraudulent issuance by the same CA • Doesn’t cover hijacking of the DNS server itself So what did CAs do?
Why did the folks attacking MyEtherWallet hijack the whole Amazon DNS instead of just the MyEtherWallet Web server? By the way ???
??? Well, we don’t know for sure (maybe they were just drunk), but we have a clue. • An average authoritative DNS server gets roughly 0,1% of traffic the corresponding Web server does. • Hijacking DNS allows us to forward precisely the HTTP traffic we want and not to see the rest of HTTP going through the network • So it’s more cost-effective this way! • That makes DNS the most likely target for future BGP attacks Why to hijack DNS instead of HTTP?
• Nothing, because everything (i.e. DNSSEC) is already there! • Low adoption, however What has been done by ICANN and the DNS community?
NS Organization First Seen Last Seen ns-73.awsdns-09.com ns-1993.awsdns-57.co.uk ns-1498.awsdns-59.org ns-1007.awsdns-61.net Amazon.com, Inc. 2017-05-29 2018-09-10 ivan.ns.cloudflare.com ali.ns.cloudflare.com Cloudflare Inc 2018-05-18 - Historical data for myetherwallet.com Cloudflare Amazon 2017/05 2018/05 2018/09Hijacking
• ROA • BGPSec What has been done by the ISP community?
• ROA: validates only the source, doesn’t cover AS Path • BGPSec What has been done by the ISP community?
• ROA: validates only the source, doesn’t cover AS Path • BGPSec, guess what, What has been done by the ISP community?
• ROA: validates only the source, doesn’t cover AS Path • BGPSec, guess what, low adoption so far What has been done by the ISP community?
• ROA: validates only the source, doesn’t cover AS Path • BGPSec, guess what, low adoption so far • ASPA • https://tools.ietf.org/html/draft-azimov-sidrops-aspa-verification • ? • Please donate pay attention What has been done by the ISP community?
It turns out we cannot even test new approaches in the wild! • Broken BGP software • Obsolete BGP s/w • Months or years between s/w updates What has been done by the ISP community?
• I’m being frequently criticized for delivering pessimistic talks. Bottom line.
• I’m being frequently criticized for delivering pessimistic talks. Okay, it’s 4 years after, and we aren’t even close to a solution. Let’s be optimistic about it! Bottom line.
• I’m being frequently criticized for delivering pessimistic talks. Okay, it’s 4 years after, and we aren’t even close to a solution. Let’s be optimistic about it! Or, maybe, it’s time to stop feeding the users with soothing words that don’t really change anything in the end. Bottom line.
• I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. Bottom line.
• I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. But some solutions are already there! • We ditched HPKP, EV (okay, the last one was predictable) • We don’t adopt DNSSEC/BGPSec Bottom line.
Adopt a multihop BGP session! It’s cool and free! https://radar.qrator.net/
• I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. • The combined technical debt in the Internet doesn’t appear to shrink, it only grows further. It only takes some time to contribute into paying off that debt, so why not to start now? Bottom line.
• I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. • The combined technical debt in the Internet doesn’t appear to shrink, it only grows further. It only takes some time to contribute into paying off that debt, so why not to start now? Please. Bottom line.
Q&A mailto: Töma Gavrichenkov <ag@qrator.net>

Recomendados

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Ontico
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Tom Paseka
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 

Recomendados

CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
John Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Масштабируя TLS / Артём Гавриченков (Qrator Labs)
Ontico
 
BSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol
 
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gapCloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
CloudFlare / ISOC - Are You Ready for IPv6 - Bridging the IPv6 gap
Tom Paseka
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling Blindspot
Brian A. McHenry
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
Chris Gates
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
APNIC
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
Dmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fedDmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fed
Dan Kaminsky
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
David Wong
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for Devices
Jorgen Thelin
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
Qrator Labs
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Confidence web
Confidence webConfidence web
Confidence web
Dan Kaminsky
 
Utilizing OSINT in Threat Analytics and Incident Response
Utilizing OSINT in Threat Analytics and Incident ResponseUtilizing OSINT in Threat Analytics and Incident Response
Utilizing OSINT in Threat Analytics and Incident Response
Christopher Beiring
 
Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLS
Qrator Labs
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
APNIC
 

Mais conteúdo relacionado

Mais procurados

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
OpenDNS
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
John Bambenek
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
David Wong
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
Rob Ragan
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for Devices
Jorgen Thelin
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Utilizing OSINT in Threat Analytics and Incident Response
Utilizing OSINT in Threat Analytics and Incident ResponseUtilizing OSINT in Threat Analytics and Incident Response
Utilizing OSINT in Threat Analytics and Incident Response
Christopher Beiring
 

Mais procurados (20)

Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling Blindspot
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
 
Dmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fedDmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fed
 
How to Backdoor Diffie-Hellman
How to Backdoor Diffie-HellmanHow to Backdoor Diffie-Hellman
How to Backdoor Diffie-Hellman
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
 
Web Services Discovery for Devices
Web Services Discovery for DevicesWeb Services Discovery for Devices
Web Services Discovery for Devices
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Confidence web
Confidence webConfidence web
Confidence web
 
Utilizing OSINT in Threat Analytics and Incident Response
Utilizing OSINT in Threat Analytics and Incident ResponseUtilizing OSINT in Threat Analytics and Incident Response
Utilizing OSINT in Threat Analytics and Incident Response
 

Semelhante a Four years of breaking HTTPS with BGP hijacking

BREAKING HTTPS WITH BGP HIJACKING
BREAKING HTTPS WITH BGP HIJACKINGBREAKING HTTPS WITH BGP HIJACKING
BREAKING HTTPS WITH BGP HIJACKING
Qrator Labs
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON
 
Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
webhostingguy
 

Semelhante a Four years of breaking HTTPS with BGP hijacking (20)

Масштабируя TLS
Масштабируя TLSМасштабируя TLS
Масштабируя TLS
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
NZNOG 2022: Routing Security
NZNOG 2022: Routing SecurityNZNOG 2022: Routing Security
NZNOG 2022: Routing Security
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
Using Blockchain to Increase Supply Chain Transparency
Using Blockchain to Increase Supply Chain TransparencyUsing Blockchain to Increase Supply Chain Transparency
Using Blockchain to Increase Supply Chain Transparency
 
DEF CON 27 - MASARAH PAQUET CLOUSTON and OLIVER BILODEAU - the industry of so...
DEF CON 27 - MASARAH PAQUET CLOUSTON and OLIVER BILODEAU - the industry of so...DEF CON 27 - MASARAH PAQUET CLOUSTON and OLIVER BILODEAU - the industry of so...
DEF CON 27 - MASARAH PAQUET CLOUSTON and OLIVER BILODEAU - the industry of so...
 
ProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacementProjectTox: Free as in freedom Skype replacement
ProjectTox: Free as in freedom Skype replacement
 
Altitude San Francisco 2018: HTTP/2 Tales: Discovery and Woe
Altitude San Francisco 2018: HTTP/2 Tales: Discovery and WoeAltitude San Francisco 2018: HTTP/2 Tales: Discovery and Woe
Altitude San Francisco 2018: HTTP/2 Tales: Discovery and Woe
 
BREAKING HTTPS WITH BGP HIJACKING
BREAKING HTTPS WITH BGP HIJACKINGBREAKING HTTPS WITH BGP HIJACKING
BREAKING HTTPS WITH BGP HIJACKING
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
All access demystifying certs
All access demystifying certsAll access demystifying certs
All access demystifying certs
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
 
NZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)SecurityNZNOG 2019: The State of Routing (In)Security
NZNOG 2019: The State of Routing (In)Security
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
Maximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSLMaximizing Performance with SPDY and SSL
Maximizing Performance with SPDY and SSL
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges36th TWNIC OPM: BGP security threats and challenges
36th TWNIC OPM: BGP security threats and challenges
 
NPTs
NPTsNPTs
NPTs
 
Secure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet InfrastructureSecure Communication with an Insecure Internet Infrastructure
Secure Communication with an Insecure Internet Infrastructure
 

Mais de APNIC

Mais de APNIC (20)

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 

Último

Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
roncy bisnoi
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Delhi Call girls
 
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
SUHANI PANDEY
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Chandigarh Call girls 9053900678 Call girls in Chandigarh
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
SUHANI PANDEY
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
nirzagarg
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
@Chandigarh #call #Girls 9053900678 @Call #Girls in @Punjab 9053900678
 

Último (20)

Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
Wadgaon Sheri $ Call Girls Pune 10k @ I'm VIP Independent Escorts Girls 80057...
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 

Four years of breaking HTTPS with BGP hijacking

  • 1. Four Years of Breaking HTTPS with BGP Hijacking Töma Gavrichenkov <ag@qrator.net> GPG: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
  • 2. April 24, 2018: myetherwallet.com gets BGP hijacked • Went for 2 hours unnoticed • Was using rogue HTTPS certificate so users clicked through certificate errors • https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/ MyEtherWallet
  • 6. DNS A myetherwallet.com? myetherwallet.com A 52.85.173.X TLS Client Hello myetherwallet.com TLS Server Hello myetherwallet.com
  • 9. DNS A myetherwallet.com? myetherwallet.com A 46.161.42.x TLS Client Hello myetherwallet.com TLS Server Hello 46.161.42.X
  • 10. • The attacker was using a self-signed TLS certificate • It’s not that easy to get through HTTPS certificate errors with a contemporary browser • Yet, some users still ignored the warnings • Which made some of the experts blame the users • ”We should make HTTPS warnings harder to click through” MyEtherWallet
  • 11. ”We should make HTTPS warnings harder to click through” — Whoops. Nope. It wouldn’t help here — because of BGP. MyEtherWallet
  • 12. http://www.blackhat.com/us-15/briefings.html#breaking-https-with-bgp-hijacking • TL;DR: companies issuing certificates are using the same techniques to verify the remote side • Hence after BGP hijacking an attacker can obtain a valid HTTPS certificate for the target site “Breaking HTTPS with BGP hijacking”
  • 13. http://www.blackhat.com/us-15/briefings.html#breaking-https-with-bgp-hijacking • 2 basic types: • Global Hijacking • Local Hijacking • With both types, it’s possible to feed a CA’s verifying script with false data: • HTTP • DNS • WHOIS “Breaking HTTPS with BGP hijacking”
  • 14. http://www.blackhat.com/us-15/briefings.html#breaking-https-with-bgp-hijacking • 2 basic types: • Global Hijacking • Local Hijacking • With both types, it’s possible to feed a CA’s verifying script with false data, which in turn would lead to a valid certificate issued and sent to an attacker • After that, (nearly) impossible to reliably investigate the incident “Breaking HTTPS with BGP hijacking”
  • 15. An immediate feedback from PKIX industry experts:
  • 16. • No reports of the attack happening in the wild • Extended Validation addresses the issue • RFC 7469 “HTTP Public Key Pinning” sees more and more adoption • Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus Ergo: not something to really worry about https://www.securityweek.com/should-you-be-worried-about-bgp-hijacking-your-https A feedback from PKIX industry experts:
  • 17. 1. “No reports of the attack happening in the wild” 2. “Extended Validation addresses the issue” 3. “RFC 7469 “HTTP Public Key Pinning” sees more and more adoption” 4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus” It’s now almost 4 years ago. How did that go?
  • 18. “That’s a conference type attack. Those won’t happen in practice.” — Someone in a private conversation 1. “No reports of the attack happening in the wild”
  • 19. “That’s a conference type attack. Those won’t happen in practice.” — Someone in a private conversation Yet it turns out they do. • You only need a cryptocurrency exchange large enough — or a motivated attacker • MyEtherWallet attackers could’ve done that easily • Probably they don’t attend conferences • Actually, 2 other (suspected) cases were reported directly to the authors during 2018 1. “No reports of the attack happening in the wild”
  • 20. Except it’s dead. • Not shown on mobile devices • Web sites ditching EV • No way to automate 2. “Extended Validation addresses the issue” https://www.troyhunt.com/extended-validation-certificates-are-dead/
  • 21. Except it’s dead, either. • Hard to automate • Got low adoption • Risks of hostile pinning 3. “RFC 7469 “HTTP Public Key Pinning” sees more and more adoption” https://www.chromestatus.com/feature/5903385005916160
  • 22. 4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus”
  • 23. 4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus” • …yes, the “majority” part is just broken, but, nevertheless, we’ve got the idea. So what? • It turns out someone finally got interested with the issue (before the malicious ones did). Guess who cared?
  • 24. 4. “Conscientious CA uses multiple clients to do validation and only issues if the majority reports consensus” • …yes, the “majority” part is just broken, but, nevertheless, we’ve got the idea. So what? • It turns out someone finally got interested with the issue (before the malicious ones did). Guess who cared? Scientists.
  • 25. https://www.petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.pdf Jennifer Rexford et al., Princeton University, 2017 “Using BGP to Acquire Bogus TLS Certificates”
  • 26. https://www.petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.pdf Jennifer Rexford et al., Princeton University, 2017 • Confirmed the observations • Got real certificates issued by: • Symantec • Comodo • Let’s Encrypt • GoDaddy “Using BGP to Acquire Bogus TLS Certificates”
  • 27. http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf Jennifer Rexford et al., Princeton University, 2018 “Bamboozling Certificate Authorities with BGP”
  • 28. http://www.cs.princeton.edu/~jrex/papers/bamboozle18.pdf Jennifer Rexford et al., Princeton University, 2018 • Topic development: 5 different cases • ”Global Hijacking” -> Traditional sub-prefix attack • “Local Hijacking” -> Traditional equally-specific-prefix attack • Prepended sub-prefix attack • Prepended equally-specific-prefix attack • AS-path poisoning attack “Bamboozling Certificate Authorities with BGP”
  • 29. • “Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates”, Borgolte et al., UC Santa Barbara http://www.utdallas.edu/~shao/papers/borgolte_ndss18.pdf • “RiPKI: The tragic story of RPKI deployment in the Web ecosystem”, Wählisch et al., FU Berlin http://conferences.sigcomm.org/hotnets/2015/papers/wahlisch.pdf • “Secure Entity Authentication”, Dou, Zuochao, New Jersey Institute of Technology • etc. (Google Scholar keeps pinging me from time to time) Further Research
  • 30. • Certificate transparency • DNS Certificate Authority Authorization RR: RFC 6844 So what did CAs do?
  • 31. • Certificate transparency • Leaves an attack window before the issuance and first OCSP actions: the MyEtherWallet attack, for instance, lasted only for 2 hours • DNS Certificate Authority Authorization RR: RFC 6844 • Doesn’t prevent the case of a fraudulent issuance by the same CA • Doesn’t cover hijacking of the DNS server itself So what did CAs do?
  • 32. Why did the folks attacking MyEtherWallet hijack the whole Amazon DNS instead of just the MyEtherWallet Web server? By the way ???
  • 33. ??? Well, we don’t know for sure (maybe they were just drunk), but we have a clue. • An average authoritative DNS server gets roughly 0,1% of traffic the corresponding Web server does. • Hijacking DNS allows us to forward precisely the HTTP traffic we want and not to see the rest of HTTP going through the network • So it’s more cost-effective this way! • That makes DNS the most likely target for future BGP attacks Why to hijack DNS instead of HTTP?
  • 34.
  • 35. • Nothing, because everything (i.e. DNSSEC) is already there! • Low adoption, however What has been done by ICANN and the DNS community?
  • 36. NS Organization First Seen Last Seen ns-73.awsdns-09.com ns-1993.awsdns-57.co.uk ns-1498.awsdns-59.org ns-1007.awsdns-61.net Amazon.com, Inc. 2017-05-29 2018-09-10 ivan.ns.cloudflare.com ali.ns.cloudflare.com Cloudflare Inc 2018-05-18 - Historical data for myetherwallet.com Cloudflare Amazon 2017/05 2018/05 2018/09Hijacking
  • 37. • ROA • BGPSec What has been done by the ISP community?
  • 38. • ROA: validates only the source, doesn’t cover AS Path • BGPSec What has been done by the ISP community?
  • 39. • ROA: validates only the source, doesn’t cover AS Path • BGPSec, guess what, What has been done by the ISP community?
  • 40. • ROA: validates only the source, doesn’t cover AS Path • BGPSec, guess what, low adoption so far What has been done by the ISP community?
  • 41. • ROA: validates only the source, doesn’t cover AS Path • BGPSec, guess what, low adoption so far • ASPA • https://tools.ietf.org/html/draft-azimov-sidrops-aspa-verification • ? • Please donate pay attention What has been done by the ISP community?
  • 42. It turns out we cannot even test new approaches in the wild! • Broken BGP software • Obsolete BGP s/w • Months or years between s/w updates What has been done by the ISP community?
  • 43. • I’m being frequently criticized for delivering pessimistic talks. Bottom line.
  • 44. • I’m being frequently criticized for delivering pessimistic talks. Okay, it’s 4 years after, and we aren’t even close to a solution. Let’s be optimistic about it! Bottom line.
  • 45. • I’m being frequently criticized for delivering pessimistic talks. Okay, it’s 4 years after, and we aren’t even close to a solution. Let’s be optimistic about it! Or, maybe, it’s time to stop feeding the users with soothing words that don’t really change anything in the end. Bottom line.
  • 46. • I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. Bottom line.
  • 47. • I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. But some solutions are already there! • We ditched HPKP, EV (okay, the last one was predictable) • We don’t adopt DNSSEC/BGPSec Bottom line.
  • 48. Adopt a multihop BGP session! It’s cool and free! https://radar.qrator.net/
  • 49. • I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. • The combined technical debt in the Internet doesn’t appear to shrink, it only grows further. It only takes some time to contribute into paying off that debt, so why not to start now? Bottom line.
  • 50. • I’m being frequently criticized for delivering pessimistic talks. • I’m also (sometimes) being criticized for just speaking of problems, not offering a solution. • The combined technical debt in the Internet doesn’t appear to shrink, it only grows further. It only takes some time to contribute into paying off that debt, so why not to start now? Please. Bottom line.