Black Hat USA: Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates

Security shortcomings in the mechanism used by Let’s Encrypt to validate web domain ownership create a loophole that allow cybercriminals to get digital certificates for domains more easily.

A team of researchers led by Haya Shulman, director of the Cybersecurity Analytics and Defences department at the Fraunhofer Institute for Secure Information Technology in Germany, discovered a hacking technique that allowed them to circumvent Let’s Encrypt domain validation technology.

Let’s Encrypt is a non-profit certificate authority that provides domain owners with SSL certificates, which are used to authenticate sites using HTTPS.

The organization’s distributed domain validation technology, introduced in February 2020, is response to earlier attacks, is designed to thwart manipulator-in-the-middle attacks.

Shulman and her team showed that the technology was vulnerable to a form of downgrade attack, partly because the way “vantage points select the nameservers in target domains can be manipulated by a remote adversary”.

Another weakness of the technology is that vantage points are selected from a small, fixed set.

The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).

Fake it ‘til you make it

The downgrade attacks act to undermine a system with “multiple vantage points to multiple nameservers” by reducing it to “multiple vantage points to a single attacker-selected nameserver”.

In tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.

An automated off-path attack developed by the researchers and targeting this vulnerable sub-set of domains succeeded in obtaining fraudulent certificates for more than 107,000 domains, around one in 10 (10%) of the one million tested domains.

The researchers also evaluated the effectiveness of their attacks against other leading Certificate Authorities, discovering that the techniques that they had developed had stripped away the security advantages that Let’s Encrypt would otherwise have enjoyed.

NOTE:: This is article is copyright by portswigger and we are used it for education or information purposes only.

Click Here to visit the official store of PortSwigger in Pakistan