Free Cloudflare Tool Helps CAs Securely Issue Certificates

Internet performance and security firm Cloudflare on Tuesday announced the availability of a free API designed to help certificate authorities (CAs) securely issue certificates by ensuring that malicious actors cannot complete the domain control validation process via BGP hijacking and DNS spoofing attacks.

When an entity requests a certificate for their website, they are required to complete a domain control validation (DCV) process that proves they are the legitimate owner of the domain. This process can involve creating a specific DNS resource record, uploading a document to the server linked to the domain, or proving ownership of the domain’s administrative email account.

However, a team of researchers demonstrated recently that CAs can be “bamboozled” with Border Gateway Protocol (BGP) attacks. They successfully reproduced their attack methods against Let’s Encrypt, Comodo, Symantec, GoDaddy and GlobalSign.

Threat actors can also fraudulently complete the verification process using DNS spoofing attacks.

BGP hijacking and DNS spoofing allow hackers to reroute the requests sent by the CA during the validation process to a domain they control instead of the legitimate domain.

Once an attacker has obtained a bogus certificate for the targeted domain, they can pose as the victim and intercept encrypted traffic. The misissued certificate can be detected by CAs using Certificate Transparency logs, but it can take many hours for the rogue certificates to be added to these logs and for web browsers to take action.

Cloudflare’s new tool aims to proactively address the risk of certificates issued through fraudulent DCV by using the company’s vast network to perform the DCV process from multiple locations around the world.

“Given that Cloudflare runs 175+ datacenters around the world, we are in a unique position to perform DCV from multiple vantage points. Each datacenter has a unique path to DNS nameservers or HTTP endpoints, which means that successful hijacking of a BGP route can only affect a subset of DCV requests, further hampering BGP hijacks. And since we use RPKI, we actually sign and verify BGP routes,” Cloudflare said in a blog post.
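To make the vantage-point argument concrete, here is an added simulation (not Cloudflare’s code, and the quorum policy is an assumption, not Cloudflare’s published one) in which a hijack that diverts the route from only one of five locations is enough to fool single-vantage DCV but is caught when the same lookup is performed from all five; the location names, tokens and topology are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed values: the token the CA asks the requester to publish, and the
# one an attacker would publish on the server it stands up behind a hijack.
OWNER_TOKEN = "dcv-owner-7f3a"
ATTACKER_TOKEN = "dcv-attacker-91c2"

@dataclass
class VantagePoint:
    name: str
    lookup: Callable[[str], str]  # TXT value this location observes

def single_vantage_dcv(expected: str, vp: VantagePoint, domain: str) -> bool:
    """Classic DCV: one resolver, one answer; the route its packets take decides."""
    return vp.lookup(domain) == expected

def multipath_dcv(expected: str, vps: List[VantagePoint], domain: str,
                  quorum: int) -> Tuple[bool, Dict[str, str]]:
    """Assumed policy (not Cloudflare's published one): pass only if at least
    `quorum` locations saw the expected token and none saw a conflicting value.
    Empty answers (lookup failed) are neither agreement nor conflict."""
    observed = {vp.name: vp.lookup(domain) for vp in vps}
    agreeing = sum(1 for v in observed.values() if v == expected)
    conflicting = [n for n, v in observed.items() if v and v != expected]
    return agreeing >= quorum and not conflicting, observed

def build_network(hijacked: Set[str], real_record: str) -> List[VantagePoint]:
    """Constructed topology: five locations; those in `hijacked` have their route
    to the domain's nameserver diverted to an attacker-run server."""
    def resolver(name: str) -> Callable[[str], str]:
        return lambda _d: ATTACKER_TOKEN if name in hijacked else real_record
    return [VantagePoint(n, resolver(n)) for n in ("sjc", "fra", "sin", "gru", "jnb")]

def legit_owner_scenario() -> bool:
    vps = build_network(set(), OWNER_TOKEN)
    return multipath_dcv(OWNER_TOKEN, vps, "example.com", quorum=4)[0]

def partial_hijack_scenario() -> Tuple[bool, bool, List[str]]:
    """Attacker requests a cert while the prefix is hijacked as seen from sjc only."""
    vps = build_network({"sjc"}, OWNER_TOKEN)
    naive = single_vantage_dcv(ATTACKER_TOKEN, vps[0], "example.com")
    ok, observed = multipath_dcv(ATTACKER_TOKEN, vps, "example.com", quorum=4)
    dissenters = sorted(n for n, v in observed.items() if v != ATTACKER_TOKEN)
    return naive, ok, dissenters
```

The returned list of dissenting locations is the detection signal a CA would log and alert on: a successful partial hijack shows up as disagreement between vantage points rather than as a clean failure.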

“This DCV checker additionally protects CAs against off-path, DNS spoofing attacks. An additional feature that we built into the service that helps protect against off-path attackers is DNS query source IP randomization. By making the source IP unpredictable to the attacker, it becomes more challenging to spoof the second fragment of the forged DNS response to the DCV validation agent,” the company added.

CAs interested in using Cloudflare’s multipath DCV checker have been instructed to send an email to dcv(at)cloudflare.com.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.