06 August 2021 at 14:51 UTC
Updated: 06 August 2021 at 14:54 UTC
German researchers circumvent key web security mechanism
Security shortcomings in the mechanism used by Let’s Encrypt to validate web domain ownership create a loophole that allow cybercriminals to get digital certificates for domains more easily.
A team of researchers led by Haya Shulman, director of the Cybersecurity Analytics and Defences department at the Fraunhofer Institute for Secure Information Technology in Germany, discovered a hacking technique that allowed them to circumvent Let’s Encrypt domain validation technology.
Let’s Encrypt is a non-profit certificate authority that provides domain owners with SSL certificates, which are used to authenticate sites using HTTPS.
Shulman and her team showed that the technology was vulnerable to a form of downgrade attack, partly because the way “vantage points select the nameservers in target domains can be manipulated by a remote adversary”.
Another weakness of the technology is that vantage points are selected from a small, fixed set.
The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).
Fake it ‘til you make it
The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”.
In tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.
An automated off-path attack developed by the researchers and targeting this vulnerable sub-set of domains succeeded in obtaining fraudulent certificates for more than 107,000 domains, around one in 10 (10%) of the one million tested domains.
The researchers also evaluated the effectiveness of their attacks against other leading Certificate Authorities, discovering that the techniques that they had developed had stripped away the security advantages that Let’s Encrypt would otherwise have enjoyed.