A BGP route monitoring firm, Qrator, released a paper at Blackhat 2015 titled “Breaking HTTPS with BGP Hijacking.” I’ll say more about this paper in a little bit, but let’s set up the basics of BGP first.
BGP is the Border Gateway Protocol that governs how traffic flows around the Internet, both globally—between one service provider (SP) and another—and locally—to the customers of each SP. The sum of all these route advertisements is a giant routing table. For example, an SP might advertise that it owns the network 123.456.789.0 (an illustrative prefix, not a valid address) and that all traffic to that network should be sent to that SP.
Routes change for many reasons, and when they do, the changes are sent to all SPs via BGP. Every now and then, a mistake happens and someone might claim (or be assigned) a network that they don’t really own. If the mistake is big enough, a large portion of the world’s traffic will begin flowing in the wrong direction.
All your networks belong to us
One curious example of this occurred when China Telecom accidentally advertised that it routed the networks of the U.S. government and military domains. From the commission assigned to investigate the event:
For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed US and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from US government (“.gov”) and military (“.mil”) sites…
In some cases, a route is mis-advertised on purpose, by a malicious party or law enforcement, and this is known as BGP hijacking. The hijacker advertises a subset of the victim’s network, and once the route is populated, they begin receiving the traffic destined for that network. Bruce Schneier says in his blog that “The odds that the NSA is not doing this sort of thing are basically zero.”
There have been designs for fixing the security of BGP for years, but these designs aren’t anywhere close to implementation. BGP will remain insecure for years to come.
Hijacking a TLS certificate
According to the Qrator white paper, with a well-timed BGP hijack, an attacker could issue themselves a real TLS certificate from a real certificate authority. The attacker would advertise that they owned the target’s domain, and request a certificate for that domain from a certificate authority.
For a basic TLS certificate, the Certificate Authority (CA) asks that requestors prove that they own the associated domain. While many approaches are used to provide this proof, one of the most common is having the requestor post specific content at a URL on that domain. When a domain has been temporarily hijacked, the attacker can post the content and then be issued a domain-validated (DV) certificate within minutes.
Sounds bad, doesn’t it? The Qrator paper outlines a practical way to get a legitimate TLS certificate without breaking any cryptography, social engineering anyone, or penetrating the target’s network.
Should you be worried about breaking HTTPS via BGP?
Let’s be clear, I’ve never heard any reports of BGP hijacking against certificate authorities actually happening in the wild, either publicly or privately. And lest a panic begin, there are several mitigations at play that work against attacks like these.
First, the Extended Validation (EV) process for certificates foils problems exactly like BGP hijacking. EV requires additional validation, including contacting the business based on contact details provided in a qualified information source. An attacker would have to compromise that third-party source in addition to doing the BGP hijacking. Think of EV as two-factor authentication for certificate requests.
Second, some certificate authorities also use multiple clients around the world to do their domain control validation. “A conscientious CA will have validation clients hosted around the world to mitigate against any one route being compromised. The majority of clients will then report a consensus,” says Ryan Hurst, a 15-year veteran of the CA industry. Using multiple clients wouldn’t stop a local BGP hijacking of the target domain, but it would foil a hijacking of the certificate authority validation test traffic itself.
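To make the “post this content at a URL” check and the multi-client consensus concrete, here is an added example of how a CA could implement it. This is my own illustration, not code from the Qrator paper or from any certificate authority. The network is replaced by an in-memory table of what each validation client observes, so it runs offline; the challenge path, the vantage-point names, the token and the quorum size are all assumptions made for the example.

```python
"""Domain-control validation from several vantage points with consensus.

Added example, not code from the Qrator paper or from any certificate authority.
It models the CA side of the "post this token at a URL" check: every validation
client fetches the challenge file, and the CA issues only when a quorum of
clients agree and none of them disagree. The network is replaced by an
in-memory table of what each client observes, so the script runs offline; the
vantage-point names, the challenge path and the quorum size are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# A fetcher stands in for an HTTP client: (domain, path) -> body, or None when
# the file is missing or the host is unreachable.
Fetcher = Callable[[str, str], Optional[str]]

CHALLENGE_PATH = "/.well-known/ca-challenge/"   # constructed path, not a real CA's
TOKEN = "constructed-token-7f3a"                # the CA's one-time nonce for this request


@dataclass
class ValidationResult:
    issued: bool
    reason: str
    votes: Dict[str, Optional[str]]   # vantage point -> body it saw


def validate_domain(domain: str, token: str, clients: Dict[str, Fetcher],
                    quorum: int) -> ValidationResult:
    """Fetch the challenge from every client and decide whether to issue.

    Any disagreement between clients (some see the token, others see nothing
    or a different body) is treated as evidence that at least one client is
    being routed to the wrong host, so the request is refused rather than
    decided by majority.
    """
    votes = {name: fetch(domain, CHALLENGE_PATH + token) for name, fetch in clients.items()}
    if len(set(votes.values())) > 1:
        return ValidationResult(False, "vantage points disagree; possible route hijack", votes)
    agreeing = Counter(votes.values())[token]
    if agreeing >= quorum:
        return ValidationResult(True, f"token confirmed by {agreeing} clients", votes)
    return ValidationResult(False, "token not found by a quorum of clients", votes)


def make_fetcher(server: Dict[str, str]) -> Fetcher:
    """Build a fetcher that 'reaches' one in-memory web server (path -> body)."""
    def fetch(domain: str, path: str) -> Optional[str]:
        return server.get(path)
    return fetch


# Constructed servers: the real owner never requested a certificate, so its
# site has no challenge file; the party that diverted the route has posted one.
OWNER_SILENT: Dict[str, str] = {}
ROGUE_SERVER = {CHALLENGE_PATH + TOKEN: TOKEN}
OWNER_REQUESTING = {CHALLENGE_PATH + TOKEN: TOKEN}


def single_client_diverted() -> ValidationResult:
    """One validation client whose route has been diverted: it alone decides."""
    return validate_domain("example.com", TOKEN, {"us-east": make_fetcher(ROGUE_SERVER)}, quorum=1)


def multi_client_diverted() -> ValidationResult:
    """Same diversion, but two further clients still reach the real owner."""
    return validate_domain("example.com", TOKEN, {
        "us-east": make_fetcher(ROGUE_SERVER),
        "eu-west": make_fetcher(OWNER_SILENT),
        "ap-south": make_fetcher(OWNER_SILENT),
    }, quorum=2)


def legitimate_request() -> ValidationResult:
    """The owner really did request the certificate and every client sees the token."""
    return validate_domain("example.com", TOKEN, {
        name: make_fetcher(OWNER_REQUESTING) for name in ("us-east", "eu-west", "ap-south")
    }, quorum=2)


if __name__ == "__main__":
    for scenario in (single_client_diverted, multi_client_diverted, legitimate_request):
        r = scenario()
        print(f"{scenario.__name__:24s} issued={r.issued}  {r.reason}")
```

The single-client case issues the certificate, which is exactly the weakness the paper relies on; with three clients and a quorum of two, the one diverted client no longer agrees with the others and the request is refused outright rather than put to a vote.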
Lastly, there are also efforts to “pin” domains to a specific certificate authority. That is, if my domain example.com has a certificate issued by, say, GlobalSign, then any other certificate authority should do extra diligence before considering issuing a certificate for one of these “pinned” domains.
The Certificate Transparency (CT) project is working to implement a global repository of domains, certificates, and associated certificate authorities. CT encourages domain owners to register with a monitoring service that will notify them if another certificate is ever issued. At this time, only EV certificates are required to be registered with CT Logs.
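Here is an added example of what the domain owner’s side of CT monitoring looks like when combined with the “pin my domain to one CA” idea above. It is my own illustration, not code from the CT project or from any monitoring service: the log entries are constructed dicts rather than real Merkle-tree leaves, and the domain names, issuer names and fingerprints are invented for the example.

```python
"""Certificate Transparency monitoring against a per-domain issuer policy.

Added example, not code from the CT project or from any monitoring service. It
models the domain owner's side of CT: walk certificates as they appear in the
logs, find the ones that cover a domain we own, and alert when the issuer is
not the CA we have chosen for that domain, or when a certificate we never
requested appears even from that CA. Log entries are constructed dicts rather
than real Merkle-tree leaves; names, issuers and fingerprints are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class LoggedCert:
    fingerprint: str     # hex SHA-256 of the certificate as recorded by the log
    issuer: str          # CA name taken from the issuer DN
    sans: List[str]      # dNSName entries from subjectAltName


@dataclass
class Alert:
    fingerprint: str
    name: str            # the SAN that matched one of our domains
    issuer: str
    message: str


def covers(san: str, owned: str) -> bool:
    """True if `san` is `owned`, a subdomain of it, or a wildcard beneath it.

    A wildcard like *.example.com is reduced to its parent example.com before
    comparison, so it is caught by the equality test.
    """
    san = san.lower().rstrip(".")
    owned = owned.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == owned or san.endswith("." + owned)


def scan_log(entries: List[LoggedCert], policy: Dict[str, Set[str]],
             requested: Set[str]) -> List[Alert]:
    """Compare each logged certificate with our policy.

    policy    : owned domain -> set of issuers allowed to issue for it
    requested : fingerprints of certificates we know we asked for
    """
    alerts: List[Alert] = []
    for cert in entries:
        for owned, allowed in policy.items():
            hit: Optional[str] = next((s for s in cert.sans if covers(s, owned)), None)
            if hit is None or cert.fingerprint in requested:
                continue
            if cert.issuer not in allowed:
                msg = f"issued by {cert.issuer!r}, which is not permitted for {owned}"
            else:
                msg = f"unrequested certificate from permitted CA {cert.issuer!r}; confirm who asked for it"
            alerts.append(Alert(cert.fingerprint, hit, cert.issuer, msg))
    return alerts


# Constructed log entries. Only the first was requested by the owner.
SAMPLE_LOG = [
    LoggedCert("aa11" * 16, "GlobalSign", ["example.com", "www.example.com"]),
    LoggedCert("bb22" * 16, "Example Rogue CA", ["www.example.com"]),     # wrong CA
    LoggedCert("cc33" * 16, "GlobalSign", ["*.example.com"]),             # right CA, never requested
    LoggedCert("dd44" * 16, "Example Rogue CA", ["notexample.com"]),      # not our domain
]
POLICY = {"example.com": {"GlobalSign"}}
REQUESTED = {"aa11" * 16}


def run_sample() -> List[Alert]:
    return scan_log(SAMPLE_LOG, POLICY, REQUESTED)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.fingerprint[:16]}... {a.name:18s} {a.message}")
```

Note that the monitor alerts on the third entry even though the issuer is the CA we chose: a pinned CA can still be fooled by a well-timed hijack, so the owner should confirm every issuance they did not request, not only the ones from an unexpected CA.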
There is also a new “pinning” header being implemented by servers and browsers to protect against fraudulent certificates, but these headers aren’t in broad use yet.
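The header referred to here is HTTP Public Key Pinning (RFC 7469). As an added example of how a user agent handles it, not browser or server code from any project, the block below parses a Public-Key-Pins header, applies the rule that a pin set is only stored when it has at least two pins of which one matches the current chain and one does not (the backup pin), and then checks a later connection’s chain against the stored pins. Real pins are the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo; because this runs offline, the SPKI byte strings are constructed placeholders standing in for real keys.

```python
"""HTTP Public Key Pinning (RFC 7469) header handling on the client side.

Added example, not browser or server code. It shows the two rules a user agent
applies to the Public-Key-Pins header: a pin set is only noted when it has at
least two pins, one of which matches a public key in the current chain and one
of which does not (the backup pin), and a later connection passes pin
validation only if some pinned key appears in its chain. Pins are the base64
SHA-256 of the DER SubjectPublicKeyInfo; since this runs offline, the SPKI byte
strings below are constructed placeholders rather than real keys.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PinPolicy:
    pins: List[str]
    max_age: int
    include_subdomains: bool
    report_uri: Optional[str]


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> PinPolicy:
    """Parse the directives of a Public-Key-Pins header value."""
    pins: List[str] = []
    max_age, include_sub, report_uri = None, False, None
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, val = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        raise ValueError("Public-Key-Pins requires a max-age directive")
    return PinPolicy(pins, max_age, include_sub, report_uri)


def should_note_pins(policy: PinPolicy, chain_spkis: List[bytes]) -> Tuple[bool, str]:
    """Decide whether a UA may store this policy for the host (RFC 7469 section 2.5)."""
    present = {spki_pin(s) for s in chain_spkis}
    matching = [p for p in policy.pins if p in present]
    backup = [p for p in policy.pins if p not in present]
    if len(policy.pins) < 2:
        return False, "fewer than two pins"
    if not matching:
        return False, "no pin matches the validated chain"
    if not backup:
        return False, "no backup pin outside the chain"
    return True, "pins noted"


def chain_passes_pins(policy: PinPolicy, chain_spkis: List[bytes]) -> bool:
    """Pin validation on a later connection: any pinned key in the chain suffices."""
    present = {spki_pin(s) for s in chain_spkis}
    return any(p in present for p in policy.pins)


# Constructed SPKI placeholders for the legitimate chain, an offline backup key,
# and a chain ending in a certificate fraudulently issued by an unrelated CA.
LEAF, INTERMEDIATE, ROOT = b"spki:leaf", b"spki:intermediate", b"spki:root"
BACKUP = b"spki:offline-backup"
ROGUE_LEAF, ROGUE_CA = b"spki:rogue-leaf", b"spki:rogue-ca"

HEADER = (f'pin-sha256="{spki_pin(INTERMEDIATE)}"; pin-sha256="{spki_pin(BACKUP)}"; '
          'max-age=5184000; includeSubDomains; report-uri="https://example.com/hpkp-report"')
SINGLE_PIN_HEADER = f'pin-sha256="{spki_pin(INTERMEDIATE)}"; max-age=5184000'

LEGIT_CHAIN = [LEAF, INTERMEDIATE, ROOT]
ROGUE_CHAIN = [ROGUE_LEAF, ROGUE_CA]


if __name__ == "__main__":
    policy = parse_pkp_header(HEADER)
    print(should_note_pins(policy, LEGIT_CHAIN))
    print("legit chain passes:", chain_passes_pins(policy, LEGIT_CHAIN))
    print("rogue chain passes:", chain_passes_pins(policy, ROGUE_CHAIN))
```

Pinning the intermediate rather than the leaf lets the site rotate leaf certificates under the same CA without a header change, while a certificate issued by any other CA, however it was obtained, fails validation in every browser that has already noted the pins.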
Not so fast
If Qrator is letting a cat out of the bag with its “Breaking HTTPS via BGP Hijacking” white paper, then we may start seeing more fraudulent certificates in the wild. They will not be EV certificates, though. And with projects like Let’s Encrypt making SSL certificates free and browsers pushing to make SSL the default, I suspect we will see more sites migrate from DV to EV certificates.
Secure BGP is a long way off, but the window for obtaining fraudulent certificates via BGP hijacking may be closing anyway, as HTTP pinning sees more and more adoption.