Please use this identifier to cite or link to this item:
http://arks.princeton.edu/ark:/88435/dsp012f75rc14s
Title: | Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt |
Authors: | Birge-Lee, Henry |
Advisors: | Rexford, Jennifer |
Department: | Computer Science |
Class Year: | 2021 |
Abstract: | An attacker can obtain a valid TLS certificate for a domain by hijacking communication between a certificate authority (CA) and a victim domain. Performing domain validation from multiple vantage points can defend against these attacks. We explore the design space of multi-vantage-point domain validation to achieve (1) security via sufficiently diverse vantage points, (2) performance by ensuring low latency and overhead in certificate issuance, (3) manageability by complying with CA/Browser Forum requirements and requiring minimal changes to CA operations, and (4) a low benign failure rate for legitimate requests. Our open-source implementation was deployed by the Let’s Encrypt CA in February 2020, and has since secured the issuance of more than half a billion certificates during the first year of its deployment. Using real-world operational data from Let’s Encrypt, we show that our approach has negligible latency and communication overhead, and a benign failure rate comparable to conventional designs with one vantage point. Finally, we evaluate the security improvements using a combination of ethically conducted real-world BGP hijacks, Internet-scale traceroute experiments, and a novel BGP simulation framework. We show that multi-vantage-point domain validation can thwart the vast majority of BGP attacks. Our work motivates the deployment of multi-vantage-point domain validation across the CA ecosystem to strengthen TLS certificate issuance and user privacy. |
URI: | http://arks.princeton.edu/ark:/88435/dsp012f75rc14s |
Type of Material: | Princeton University Senior Theses |
Language: | en |
Appears in Collections: | Computer Science, 1987-2023 |
Files in This Item:
File | Size | Format |
---|---|---|
BIRGE-LEE-HENRY-THESIS.pdf | 989.3 kB | Adobe PDF |
Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.