Securing Domain Validation

This project secures Internet domain validation against attackers that manipulate Internet routing via Border Gateway Protocol (BGP) hijack and interception attacks.

The Public Key Infrastructure protects users from malicious man-in-the-middle attacks by having trusted Certificate Authorities vouch for the identity of servers on the Internet through digitally signed certificates - usually displayed to users on their Internet browser via a small padlock icon near the address bar. Ironically, the mechanism that Certificate Authorities use to issue certificates (domain validation) is itself vulnerable to man-in-the-middle attacks by network-level adversaries.

This project analyzed the attack surface of domain validation against BGP-based attacks, designed countermeasures to secure domain validation protocols, and deployed them in real-world production systems such as Let's Encrypt and Cloudflare. This provides protection from these attacks to hundreds of millions of websites around the globe.

In order to protect domain validation from BGP attacks, the project also worked on a more secure domain validation protocol - multiple vantage point validation. Using multiple vantage point validation, a CA validates a domain from multiple diverse vantage points spread throughout the Internet. This ensures the CA has a global view of Internet routing and prevents the CA from falling victim to BGP attacks that often only affect a portion of the Internet. The project has deployed and rigorously verified the effectiveness of multiple vantage point domain validation at the world’s largest certificate authority (Let’s Encrypt).
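The quorum decision behind multiple vantage point validation, sketched as an added example (not code from this project, Let's Encrypt or Cloudflare). The vantage point names, the challenge token and the policy of requiring the primary plus all but `max_remote_failures` remote vantage points to agree are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    vantage_point: str    # hypothetical name of the network location probing the domain
    body: Optional[str]   # challenge response seen from there; None if nothing was served


def validate(expected: str, primary: Observation, remotes: List[Observation],
             max_remote_failures: int) -> Tuple[bool, List[str]]:
    """Return (issue_certificate, vantage points that did not see the challenge)."""
    dissent = [o.vantage_point for o in [primary, *remotes] if o.body != expected]
    remote_failures = sum(1 for o in remotes if o.body != expected)
    # Assumed policy: the primary must succeed and only a bounded number of remotes may disagree.
    issue = primary.body == expected and remote_failures <= max_remote_failures
    return issue, dissent


# Constructed scenario: a BGP attack that affects only part of the Internet.
# Vantage points whose route is affected see the challenge response; the others
# reach the legitimate server, which never served the challenge (None).
TOKEN = "constructed-challenge-token"
PRIMARY = Observation("vp-primary", TOKEN)
REMOTES = [
    Observation("vp-remote-1", None),
    Observation("vp-remote-2", None),
    Observation("vp-remote-3", TOKEN),
]


def single_vantage_point() -> Tuple[bool, List[str]]:
    # A CA with one view of routing has nothing to compare against.
    return validate(TOKEN, PRIMARY, [], 0)


def multiple_vantage_points() -> Tuple[bool, List[str]]:
    # Two remotes disagree, which exceeds the assumed tolerance of one.
    return validate(TOKEN, PRIMARY, REMOTES, 1)


if __name__ == "__main__":
    print("single vantage point:", single_vantage_point())
    print("multiple vantage points:", multiple_vantage_points())
```

The list of dissenting vantage points is worth logging on every refusal, since disagreement between network locations is itself a signal of a routing anomaly.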

Funding to date

2018: $300,000.00, 12 months, Internet Freedom Fund
2021: $150,000.00, 10 months, Internet Freedom Fund

Total Funding: $450,000.00
