
Traditional verification methods depend on DNS lookups, HTTP challenges or email verification, all of which depend on correct internet routing. BGP's underlying lack of security controls creates an opportunity for traffic hijacking.
“When a CA conducts a domain control check, it assumes that the traffic it sends is reaching the right server,” Sharkov said. “But this is not always true.”
The consequences are significant: fraudulently obtained certificates enable website impersonation and potential interception of encrypted traffic.
How Open MPIC works
The Open MPIC framework implements a simple but effective security principle: check the same validation data from many different locations on the Internet.
“The fix is to make certificate verification less dependent on any one route,” Sharkov explained. “Instead of validating a domain from a single network space, MPIC requires CAs to check from multiple, geographically diverse vantage points.”
This approach raises the work required for a successful attack, as an attacker would need to compromise routing for several geographically diverse vantage points simultaneously. For example, if one region is misled by a BGP hijack, the others can catch the discrepancy and prevent the certificate from being issued.
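The corroboration step described above can be sketched as follows. This is an added example, not Open MPIC's own code: the vantage point names, regions, token and the max_disagree and min_regions policy knobs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    perspective: str       # hypothetical vantage point name
    region: str            # coarse network region of that vantage point
    value: Optional[str]   # validation data seen from there (None = not found)

def single_vantage_check(expected: str, observations: List[Observation]) -> bool:
    """The traditional check: trust whatever the first vantage point saw."""
    return observations[0].value == expected

def corroborate(expected: str, observations: List[Observation],
                max_disagree: int = 0, min_regions: int = 2) -> Tuple[bool, List[str]]:
    """Decide issuance from several vantage points.

    Returns (issue, names of dissenting perspectives). max_disagree and
    min_regions are assumed policy knobs, not values taken from the article.
    """
    agree = [o for o in observations if o.value == expected]
    dissent = [o.perspective for o in observations if o.value != expected]
    regions = {o.region for o in agree}
    issue = len(dissent) <= max_disagree and len(regions) >= min_regions
    return issue, dissent

TOKEN = "constructed-challenge-token"  # constructed sample value

# Constructed scenario 1: routing is healthy, every vantage point sees the token.
HEALTHY = [Observation("vp-a", "north-america", TOKEN),
           Observation("vp-b", "europe", TOKEN),
           Observation("vp-c", "asia-pacific", TOKEN)]

# Constructed scenario 2: only routes near vp-a are hijacked. vp-a reaches a
# server that answers with the token; the others reach the real server,
# which has no such token.
LOCAL_HIJACK = [Observation("vp-a", "north-america", TOKEN),
                Observation("vp-b", "europe", None),
                Observation("vp-c", "asia-pacific", None)]

if __name__ == "__main__":
    for name, obs in (("healthy", HEALTHY), ("local hijack", LOCAL_HIJACK)):
        print(name, single_vantage_check(TOKEN, obs), corroborate(TOKEN, obs))
```

In the hijack scenario the single-vantage check still passes, while the corroborated check refuses issuance and names the perspectives that disagreed, which is the signal a CA would log and investigate.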

