document required for domain control verification.
Our key contribution in this section is to explore the
broad BGP attack surface that can be used to obtain a bogus TLS certificate in the above process. We first de- velop an adversary model, and then explore five types of BGP attacks. In particular, we propose and analyze an advanced and stealthy AS-path poisoning attack, that can target any trusted CA that is not on the route between the adversary and the victim. We present an in depth analy- sis of how the intricacies of these BGP attacks affect the current PKI. 2.1 Adversary Model Adversary Objectives: We consider an adversary that aims to obtain a bogus certificate for a victim’s domain and then decrypt sensitive TLS traffic for as long as pos- sible without being detected. Thus, the slower a defense system detects a BGP attack, the more effective the man- in-the-middle attack is. Because intercepting a TLS stream can cause signifi- cant damage in a couple of hours [24], detection systems that require manual investigation to confirm that an at- tack has occurred or systems that have a significant delay before detection is possible are not effective at prevent- ing these attacks . However, the adversary is incentivized to avoid major reachability problems (that will cause a service interruption alerting the victim to the attack) and highly suspicious BGP announcements that might get au- tomatically filtered or immediately trigger alerts. Given this adversary model, we aim to assess the current degree of vulnerability of the PKI. Realistic Constraints on Adversary Capabilities: An adversary must compromise an AS’s border router or control an AS to launch the attack. Assuming the adversarial AS and victim’s domain to be fixed, several variables are beyond the control of the adversary. The topological relationship between the adversary, the vic- tim, and the CA, and the benign BGP announcement for the IP prefix that includes the victim’s domain are con- sidered beyond the control of adversary. Despite these constraints, we assume adversaries can control exactly what BGP announcement they make and which neighboring ASes they make this announcement to. We also assume an adversary is capable of generat- ing traffic with a source IP address that belongs to the victim. Studies show that a significant portion of ASes still allows source IP spoofing [2, 34] due to a lack of ingress filtering. Even a strictly filtered adversary can spoof packets by gaining control of a client in one of these networks that allow spoofing and use it to spoof packets on behalf of the adversary.