Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates

guest · Aug 6, 2021

Black Hat USA: Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates
German researchers circumvent key web security mechanism
August 6, 2021
https://portswigger.net/daily-swig/...-bar-for-printing-fraudulent-ssl-certificates

Security shortcomings in the mechanism used by Let’s Encrypt to validate web domain ownership create a loophole that allow cybercriminals to get digital certificates for domains more easily.

A team of researchers led by Haya Shulman, director of the Cybersecurity Analytics and Defences department at the Fraunhofer Institute for Secure Information Technology in Germany, discovered a hacking technique that allowed them to circumvent Let’s Encrypt domain validation technology.
Click to expand...

Shulman and her team showed that the technology was vulnerable to a form of downgrade attack, partly because the way “vantage points select the nameservers in target domains can be manipulated by a remote adversary”.
Another weakness of the technology is that vantage points are selected from a small, fixed set.
Click to expand...

In tests, the researchers found that attackers were able to launch attacks against one in four (24.53%) of domains.

The researchers also evaluated the effectiveness of their attacks against other leading Certificate Authorities, discovering that the techniques that they had developed had stripped away the security advantages that Let’s Encrypt would otherwise have enjoyed.
Click to expand...

Log in or Sign up

Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates

guest Guest

Log in or Sign up

Downgrade attack against Let’s Encrypt lowers the bar for printing fraudulent SSL certificates

guest Guest

Useful Searches