
document required for domain control verification.

Our key contribution in this section is to explore the broad BGP attack surface that can be used to obtain a bogus TLS certificate in the above process. We first develop an adversary model, and then explore five types of BGP attacks. In particular, we propose and analyze an advanced and stealthy AS-path poisoning attack that can target any trusted CA that is not on the route between the adversary and the victim. We present an in-depth analysis of how the intricacies of these BGP attacks affect the current PKI.
2.1 Adversary Model
Adversary Objectives: We consider an adversary that aims to obtain a bogus certificate for a victim's domain and then decrypt sensitive TLS traffic for as long as possible without being detected. Thus, the slower a defense system detects a BGP attack, the more effective the man-in-the-middle attack is.
Because intercepting a TLS stream can cause significant damage in a couple of hours [24], detection systems that require manual investigation to confirm that an attack has occurred, or systems that have a significant delay before detection is possible, are not effective at preventing these attacks. However, the adversary is incentivized to avoid major reachability problems (which would cause a service interruption alerting the victim to the attack) and highly suspicious BGP announcements that might get automatically filtered or immediately trigger alerts. Given this adversary model, we aim to assess the current degree of vulnerability of the PKI.
Realistic Constraints on Adversary Capabilities: An adversary must compromise an AS's border router or control an AS to launch the attack. Assuming the adversarial AS and the victim's domain to be fixed, several variables are beyond the control of the adversary: the topological relationship between the adversary, the victim, and the CA, and the benign BGP announcement for the IP prefix that includes the victim's domain are considered beyond the control of the adversary.
Despite these constraints, we assume adversaries can control exactly what BGP announcement they make and which neighboring ASes they make this announcement to. We also assume an adversary is capable of generating traffic with a source IP address that belongs to the victim. Studies show that a significant portion of ASes still allow source IP spoofing [2, 34] due to a lack of ingress filtering. Even a strictly filtered adversary can spoof packets by gaining control of a client in one of these networks that allow spoofing and using it to spoof packets on behalf of the adversary.
