Title: Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates.
Abstract

Infrastructure-as-a-Service (IaaS), more generally the "cloud," changed the landscape of system operations on the Internet. Clouds' elasticity allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to IP addresses, which is what made clouds popular. We show that this dynamic component, paired with developments in trust-based ecosystems (e.g., TLS certificates), creates previously unknown attacks. We demonstrate that it is practical to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems like TLS, an attacker can then obtain a valid and trusted certificate. The attacker can then impersonate the service, exploit residual trust for phishing, or might even distribute malicious code. Even worse, an aggressive attacker could succeed in less than 70 seconds, well below the common time-to-live (TTL) for DNS. In turn, she could exploit normal service migrations to obtain a valid certificate, and, worse, she might not be bound by DNS records being (temporarily) stale. We introduce a new authentication method for trust-based domain validation, like IETF's Automated Certificate Management Environment (ACME), that mitigates staleness issues without incurring additional certificate requester effort by incorporating the existing trust of a name into the validation process. Based on previously published work [1].

[1] Kevin Borgolte, Tobias Fiebig, Shuang Hao, Christopher Kruegel, Giovanni Vigna. February 2018. Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates. In Proceedings of the 25th Network and Distributed Systems Security Symposium (NDSS '18). Internet Society (ISOC). DOI: 10.14722/ndss.2018.23327. URL: https://doi.org/10.14722/nd
Year: 2018
DOI: 10.1145/3232755.3232859
Venue: NDSS
Keywords: Domain Name System (DNS), Transport Layer Security (TLS), Secure Sockets Layer (SSL), Certificate Issuance, Domain Validation, Certificate Authority, Automated Certificate Management Environment (ACME), Certificate Transparency, Cloud Computing, Misconfiguration, Trust-based Ecosystem, IP Address Re-Use, Use After Free (UAF)
DocType: Conference
ISBN: 978-1-4503-5585-8
Citations: 2
PageRank: 0.39
References: 0

Authors (5)

Name                  Order   Citations   PageRank
Kevin Borgolte        1       67          8.48
Tobias Fiebig         2       13          3.41
Shuang Hao            3       94          14.07
Christopher Kruegel   4       8799        516.05
Giovanni Vigna        5       7121        507.72