Internet performance and security firm Cloudflare on Tuesday announced the availability of a free API designed to help certificate authorities (CAs) securely issue certificates by ensuring that malicious actors cannot complete the domain control validation process via BGP hijacking or DNS spoofing attacks.
When an entity requests a certificate for its website, it must complete a domain control validation (DCV) process that proves it legitimately controls the domain. This process can involve creating a specific DNS resource record, placing a specific file on the web server that serves the domain, or proving control of the domain’s administrative email account.
However, a team of researchers demonstrated recently that CAs can be “bamboozled” with Border Gateway Protocol (BGP) attacks. They successfully reproduced their attack methods against Let’s Encrypt, Comodo, Symantec, GoDaddy and GlobalSign.
Threat actors can also fraudulently complete the verification process using DNS spoofing attacks.
BGP hijacking and DNS spoofing allow attackers to reroute the requests the CA sends during validation to a server they control instead of the legitimate domain’s server, so the CA sees the attacker’s DNS record or file and treats the check as passed.
Once an attacker has obtained a bogus certificate for the targeted domain, they can impersonate the victim and intercept traffic that should have been protected by TLS. The misissued certificate can be detected through Certificate Transparency logs, but it can take many hours for the rogue certificate to appear in those logs and for web browsers or the domain owner to take action.
Cloudflare’s new tool aims to proactively address the risk of certificates issued through fraudulent DCV by using the company’s vast network to perform the DCV process from multiple locations around the world.
“Given that Cloudflare runs 175+ datacenters around the world, we are in a unique position to perform DCV from multiple vantage points. Each datacenter has a unique path to DNS nameservers or HTTP endpoints, which means that successful hijacking of a BGP route can only affect a subset of DCV requests, further hampering BGP hijacks. And since we use RPKI, we actually sign and verify BGP routes,” Cloudflare said in a blog post.
“This DCV checker additionally protects CAs against off-path, DNS spoofing attacks. An additional feature that we built into the service that helps protect against off-path attackers is DNS query source IP randomization. By making the source IP unpredictable to the attacker, it becomes more challenging to spoof the second fragment of the forged DNS response to the DCV validation agent,” the company added.
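The following is an added simulation of the multi-vantage-point idea described above; it is not Cloudflare’s checker. Each vantage point is modelled as a function that returns the TXT records it observes for the challenge name (or None when the query times out), and a partial BGP hijack is modelled as a subset of vantage points that see the attacker’s answer. The quorum policy, the vantage-point names, the challenge name and the tokens are all constructed for the example.

```python
"""Multi-vantage-point domain control validation (DCV), simulated offline.

Added example, not Cloudflare's checker: each vantage point is modelled as a
function returning the TXT records it observes for a name (None = the query
timed out).  A BGP hijack of the victim's nameserver prefix is modelled as a
subset of vantage points that see the attacker's answer instead of the real one.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# name -> TXT records seen from that vantage point, or None if the query failed
Lookup = Callable[[str], Optional[List[str]]]

CHALLENGE_NAME = "_acme-challenge.example.com"   # constructed sample name


@dataclass
class DcvResult:
    passed: bool
    agreeing: List[str] = field(default_factory=list)     # saw the expected token
    disagreeing: List[str] = field(default_factory=list)  # answered, token absent
    unreachable: List[str] = field(default_factory=list)  # query failed


def multipath_dcv(name: str, expected_token: str,
                  vantage_points: Dict[str, Lookup], quorum: int) -> DcvResult:
    """Validate `name` from every vantage point.

    Policy (an assumption of this example): pass only if at least `quorum`
    vantage points saw the expected token AND no vantage point that got an
    answer saw something else.  A reachable vantage point that disagrees is
    treated as evidence that some paths are hijacked, so it vetoes issuance;
    a timeout is merely a failed path and only reduces the count."""
    result = DcvResult(passed=False)
    for vp, lookup in vantage_points.items():
        records = lookup(name)
        if records is None:
            result.unreachable.append(vp)
        elif expected_token in records:
            result.agreeing.append(vp)
        else:
            result.disagreeing.append(vp)
    result.passed = len(result.agreeing) >= quorum and not result.disagreeing
    return result


def make_vantage(observed: Optional[List[str]]) -> Lookup:
    """Build a vantage point that always observes `observed` for the challenge."""
    def lookup(name: str) -> Optional[List[str]]:
        if observed is None:
            return None                        # timeout / SERVFAIL on this path
        return list(observed) if name == CHALLENGE_NAME else []
    return lookup


def hijack_scenario() -> Dict[str, DcvResult]:
    """Attacker requests a cert for example.com and hijacks the prefix of its
    nameserver, but the bogus route is only accepted by two of five vantage
    points.  The attacker's own token is what the CA expects to see."""
    attacker_token = "attacker-supplied-challenge"
    vps = {
        "ams": make_vantage([attacker_token]),   # route hijacked from here
        "fra": make_vantage([attacker_token]),   # route hijacked from here
        "sjc": make_vantage([]),                 # real nameserver: no record
        "sin": make_vantage([]),
        "gru": make_vantage([]),
    }
    return {
        # a single-vantage CA sitting behind the hijacked path is fooled
        "single_path": multipath_dcv(CHALLENGE_NAME, attacker_token,
                                     {"ams": vps["ams"]}, quorum=1),
        # the multipath checker sees the disagreement and refuses
        "multipath": multipath_dcv(CHALLENGE_NAME, attacker_token, vps, quorum=3),
    }


def legitimate_scenario() -> DcvResult:
    """The real owner published the token; one vantage point times out.
    The timeout is not a disagreement, so a 4-of-5 quorum still passes."""
    owner_token = "owner-published-challenge"
    vps = {vp: make_vantage([owner_token]) for vp in ("ams", "fra", "sjc", "sin")}
    vps["gru"] = make_vantage(None)
    return multipath_dcv(CHALLENGE_NAME, owner_token, vps, quorum=4)


if __name__ == "__main__":
    for label, r in hijack_scenario().items():
        print(f"{label:12s} passed={r.passed} agreeing={r.agreeing} "
              f"disagreeing={r.disagreeing} unreachable={r.unreachable}")
    print("legitimate   passed=", legitimate_scenario().passed)
```

The design choice worth noting is that a disagreeing vantage point vetoes issuance while an unreachable one does not: a hijack that captures only some routes produces exactly the split answer the first case catches, whereas an ordinary timeout on one path should not block a legitimate request. A real deployment would also randomize which vantage points query and, as the quoted post describes, the DNS source addresses they use, so that an off-path attacker cannot predict which paths to target.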
CAs interested in using Cloudflare’s multipath DCV checker have been instructed to send an email to dcv(at)cloudflare.com.
Related: Cloudflare Launches New HTTPS Interception Detection Tools
Related: Cloudflare Encrypts SNI Across Its Network
Related: Cloudflare Launches Free Secure DNS Service

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.