https://dl.acm.org/citation.cfm?id=3243790 · CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 2060-2076

Toronto, Canada, October 15-19, 2018. ACM, New York, NY, USA, ©2018

The security of Internet-based applications fundamentally relies on the trustworthiness of Certificate Authorities (CAs).

We practically demonstrate for the first time that even a weak off-path attacker can effectively subvert the trustworthiness of popular commercially used CAs.

Our attack targets CAs which use Domain Validation (DV) for authenticating domain ownership; collectively these CAs control 99% of the certificates market.

The attack utilises DNS Cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own -- namely certificates binding the attacker's public key to a victim domain. 

We discuss short and long term defences, but argue that they fall short of securing DV.

To mitigate the threats we propose Domain Validation++ (DV++).

DV++ replaces the need in cryptography through assumptions in distributed systems.

While retaining the benefits of DV (automation, efficiency and low costs) DV++ is secure even against Man-in-the-Middle (MitM) attackers.

Deployment of DV++ is simple and does not require changing the existing infrastructure nor systems of the CAs.

We demonstrate security of DV++ under realistic assumptions and provide open source access to DV++ implementation.