While these advances can defend against some attacks,

none of them help to secure domain control verification

against network-level adversaries, i.e., Autonomous Sys-
tem (AS), that can manipulate the Border Gateway Pro-
tocol (BGP). Such adversaries can launch active BGP hi-
jack and interception attacks to steal traffic away from
victims or CAs, and spoof the domain control verifica-
tion process to obtain bogus certificates.
In this paper, we first analyze and compare BGP at-
tacks on the domain verification process to develop a tax-
onomy and present a highly effective use of the “AS-path
poisoning” attack originally performed in [39]. Next, we
launch all the BGP attacks against our own domain and
decrypt seemingly “secure” HTTPS traffic within sec-
onds. To avoid harming real users, these attacks were
done in an ethical manner on domains that resolve into
our own IP prefix and were registered solely for the pur-
pose of the experiments. We then quantify the vulner-
ability of domain verification to these attacks. Finally,
we propose countermeasures against these attacks. Our
main contributions are as follows: