Free Trial
Contact Us
Podcast

Root Causes 327: What Is Multi-perspective Domain Validation? (MPIC)

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
August 18, 2023

In this episode we explain Border Gateway Protocol (BGP) attacks and how multi-perspective domain validation (MPDV, also known as multi-vantage point domain validation - MPIC) can defeat them.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanToday, we want to define what is multi-perspective domain validation. So this is a new thing that is picking up steam but maybe before we get there, why don't we start with why multi-perspective domain validation even is a discussion we're having, which is to say let's start with what is a BGP attack?

So Jason, BGP, which stands for Border Gateway Protocol, what is BGP attack?
Jason SorokoJason SorokoBasically, isn't it magic, Tim, that when you type in an address into your browser, or you pick up your phone, your smartphone, and you access some app, it just goes over the internet and it very quickly downloads what you want and back it comes. So, fantastic.
Tim CallanTim CallanFind some server somewhere in the world that physically exists somewhere, finds the right server and gets the right stuff. It's mind blowing. It always has been to me.
Jason SorokoJason SorokoMind bogglingly mind boggling. And I remember back in the 1990s, this is old fogy talk here, just, I couldn't wrap my head around just how quickly that these routings were happening and the intelligence level. Because I was always thinking about things geographically. I wasn't thinking about things from a networking level. It just wasn't native in my head back when I was first starting to think about this. But now, of course, everybody kind of takes it for granted. And the reason why we have to actually talk about this on this podcast, because it's not intuitively obvious. So Border Gateway Protocol, I'm gonna give the folks at Cloudflare a little bit of credit here, if you go to their page about BGP, their explanation is really, really good in the sense that they have an analogy, Tim. Think about, in your state, right, the state, the United States where you live, and there is a uniform set of signage on your highways. And who came up with that? Well, it was the state. It wasn't just the town that you live in or whatever. Like if you're on any of the highways, if a sign says, hey, exit here to destination X, Y, Zed, you can pretty much trust that that's where you're going to end up if you take that exit on the highway.

Well, don't forget, the internet is decentralized. And so the off ramps, the analogy to the off ramps on the internet to get to your location as you're traveling down the intertubes, well, those exit signs are decentralized, and there is no state authority to be able to determine exit here in order to get to this particular IP address, as an example. And so BGP is the routing protocol that provides the directions. We could get into real technical mumbo jumbo here, but part of the reasoning that you need BGP is because of the scalability of the internet. If you think of the analogy of the highway, well, not too many new highways are built on a daily basis, but think about how many new routes on the internet are created on a daily basis? A ton.

So BGP is a way to be able to quickly create signage. I'll stick with that analogy. Quickly be able to create that signage so that the intention is to allow the Internet to grow and to change and be very dynamic, so that all the routings can be figured out and announced to one another in nearly real time, which is an incredible achievement of human intellect that I think we should all be very proud of. The internet really is an amazing invention. However, however, think like a bad guy for a moment.
Tim CallanTim CallanYou used the word announced there. I think that's important.
Jason SorokoJason SorokoYes. What happens if you're the bad guy, you know, a bad guy, and for some reason, you want people to take a wrong off ramp? Well, you change the signs. Think of Wile Coyote. Ok, Tweety Bird go down this off ramp and go to my trap. It's literally that. So instead of a sign, instead of like a physical sign, obviously on the internet, it is essentially an announced change of, hey, this is the correct routing, if you want to go here, and then all other systems - because it's decentralized - all the other systems that keep in mind the routing, listen to those announcements, and then make those changes on behalf of the announcer.
Tim CallanTim CallanNow, because these are rogue announcements though, Jason - correct me if I'm wrong - they are non-ubiquitous. So I can start to announce a false announcement and there will be, for want of a better word, I'll say a local zone of internet traffic will be tricked into my bad road signs but other people in other zones will not be. Correct?
Jason SorokoJason SorokoYes.
Tim CallanTim CallanSo it's kind of a checkered result.
Jason SorokoJason SorokoIt is. It’s not complete. It's not like the entire internet all of a sudden would be able to be misrouted.
Tim CallanTim CallanAnd this is very important.
Jason SorokoJason SorokoThat is very important to how you solve the problem. Because of that weakness of the attack, if the whole point of domain validation is to say, all right, I own this domain and I'm going to use, say, a DNS based validation to do my DCV, which basically means I have to go into my DNS records, I put in a little token that has been given to me by my CA, and then when the CA double checks the DNS record, and they find that token, they know that well, you must you must be in possession of that domain. Therefore the DCV will check. If you're doing a single perspective domain validation check, then you're essentially using the announced BGP routings in order to be able to get to that domain. And so the assumption is made, well, then it must be the truth if I've got to this domain. But the bad guys, of course, using this kind of attack, can actually fool a CA unbeknownst to the CA to say, hey, the actual address to this domain is over here. A domain that I am maliciously in control of and so to make you think that I’m in possession of the domain.
Tim CallanTim CallanSo, I as the CA, if I am subject to a BGP attack, then these rogue announcements caused me to look at the wrong place and so you come in as a certificate requester requesting a certificate for a domain you don't actually own. You use a BGP attack. So I send you a secret, you put the shared secret in HTTP on the wrong address, and you use a BGP attack to misdirect me to that place. I see the shared secret and now the whole process is complete. And I say, ah-ha. I have established indeed your ownership of that domain, because you had the shared secret, therefore, I can issue you a certificate. So now I've given you a certificate for a domain name that you don't actually control. And this is the worry?
Jason SorokoJason SorokoSo Tim, let's extremely oversimplify this, just to make sure everybody listening gets it. Let's stick with that highway analogy - just bear with me for a moment. Let's say, Tim, you're the CA. I'm the domain owner. And I say, hey, Tim, can you please validate the fact that I'm this domain owner, and you're gonna say to me, Jay, no problem, here is a secret. ABC123.
Tim CallanTim CallanHere’s a shared secret. Hang it on your doorstep.
Jason SorokoJason SorokoHang it on your doorstep. And then I say got it.
Tim CallanTim CallanI'll drive by and see if it's there.
Jason SorokoJason SorokoI'm gonna drive by and make sure that that's on your doorstep and you are going to follow the road signs to me and let's say everything's valid. You're gonna get to me, you're gonna see my token, and then you're going to give me my domain validation. That's in the perfect world. In the case of a BGP attack, somebody will have changed one or more of the road signs, you will go to a different person’s address.
Tim CallanTim CallanI drive to the wrong street in the wrong neighborhood. I see the secret hanging on your doorstep where you've told me it's going to be and I say, ok. This is legit.
Jason SorokoJason SorokoIn that case, I'm me as the valid domain owner, I'm not the one who requested the domain validation. The Domain validation is being requested by third party person X, the person who is wearing the ski mask and is nasty and, all the stereotypes. And that person has requested hey, Tim, I own Jason Soroko dot whatever domain and can you please validate that you're like, yeah, sure. I have no idea who you are but if you hang this secret on your doorstep, I will validate you. And so instead of going to the real domain, the road signs will change, you will go to their address and go yep, you're validated. Thank you.
Tim CallanTim CallanAnd so some interesting academic work has been done on this in the last year or two, showing that this is actually really viable. I'm not sure we're seeing these attacks in the wild much but definitely researchers have demonstrated unambiguously that this is a viable thing that could really be done.
Jason SorokoJason SorokoCorrect. And that's why is what has to be addressed and that's what multi-perspective domain validation is about.
Tim CallanTim CallanAnd that's all in the word, isn't it? Multi-perspective domain validation. So the general idea is simple. What's the basic idea, Jason?
Jason SorokoJason SorokoSo, Tim, rather than you in one car driving to my address, the problem, as we stated, the problem with the attack is that it is somewhat localized – or really should say it is localized in the fact that you can't really - - these announcements don't go to the entirety of the internet. So therefore, if you were to take different routes to my address, if you were to drive down highways from Asia, and from Latin America and for North America, like the analogy starts to break down when you talk about it like that, but you get the idea. If you sent a car from all those addresses, and all of the totality of all the road signs that needed to be seen to get to the actual location, obviously, if you get a different result of the ownership of domain, then first of all you have a problem and therefore you don't give validation based off of the fact that you found inconsistencies within the essentially what is - - the reason why they say multi-perspective is because each of the DCV checks each have their own perspective on the BGP routing, which essentially defeats the attack.
Tim CallanTim CallanAnd sometimes they call it multi-vantage point domain validation. Which gives you - also kind of indicates the same thing. It's coming from different vantage points. And so that gets around it. So what you do is you launch a bunch of these different, I don’t know what you want to kind of say. You go and look for multi different vantage points, which can be easily achieved. You can connect to a service or operate a service that's just geographically remote or in some other way, virtually disconnected. And in so doing, you can actually get a different BGP landscape and it's not really practical to change all the signs to go to your earlier analogy.
Jason SorokoJason SorokoIt’s not practical. Exactly, exactly. So thank goodness that the BGP attack has limitations, and the solution is fairly elegant in that it doesn't require us to throw out the baby with the bathwater in terms of how we do DCV. What it means is that CAs need to use a multi- perspective approach in order to be able to validate a domain.
Tim CallanTim CallanAnd this also has been validated by researchers. We also have seen academic researchers who have set up BGP style attacks within somewhere they can control it and in an ethical way, have then turned around and used multidomain DCV to see what happens and indeed, it really does defeat the attack, because you can't change all the signs.
Jason SorokoJason SorokoIt's a happy thing that research found the problem and research also solved the problem, which is really good. I'm so glad that this wasn't a Black Hat talk talking about how half the CA usage of the world was screwed up for a year and then goodness knows what happens to our industry. This was just good research, and getting down into the old forgotten bowels of the miracle of the internet, which is how it is dynamically routed. It truly is a miracle.
Tim CallanTim CallanIt's great. Let's talk about where this stands. This is pretty new thinking in general in the grand scheme of things. First of all, there is not a widespread prevalent spate of real world BGP certificate CA attacks today. So it's not like this as a bleeding wound kind of problem, as you’ve said.

It also is not really as yet built into any of our real standards. So there's no requirement from CA/Browser forum, or ETSI, or any of the major root programs that DCV be conducted this way. If public CAs are doing DCV, multi-vantage DCV or not, they are doing it without talking about it. So we can't say the degree to which this is actually used in the real world today, but my money is mostly not used if I had had to make a prediction.

And so one of the other things that we've seen as this has started to show up as a topic of conversation and again, we're not at the point where there's a ballot looming or anything like that, but we're seeing this being discussed in places like those standards bodies. We're seeing it being discussed on places like MSDP. We're seeing it being discussed by people like root programs and public CAs and so I feel like this is the direction the wind is blowing, and I predict that we're going to hear more about this topic and that somewhere down the road, this is going to become first an accepted standard and then eventually a hard requirement. And I do think that's the direction that these things are going.
Jason SorokoJason SorokoAnd it's good because I'm so glad that it wasn't foisted on us by known attacks. I'm so glad it was discovered in research, and I think you're right, Tim, that it probably will become a hard requirement because I think it's the right thing to do for the CAs. I think logic tells us that and I think you'll see that just happen.
Tim CallanTim CallanIt’s an engineering project. I mean, it's not like you don't just snap your fingers, and it's done. So part of it, of course, is all of these things need to be figured out and tested and vetted and implemented, and then you implement it, and it doesn't do what you expect, and you find the bug. And so it's not like, there is work to get there for sure, but I do feel this is the direction we are going.
Jason SorokoJason SorokoIn this case sometimes when we talk about these bigger topics on this podcast, it's work that the consumers have to do. The consumers of PKI, the consumers of certificate lifecycle management. In this case, it's going to be a lot more behind the scenes to those customers.
Tim CallanTim CallanIt’s gonna be on the CA side. I predict that the average subscriber is not going to perceive any difference.
Jason SorokoJason SorokoThat's it. But that's why we are talking about this. So if you happen to sniff this out, you're reading about it, you're wondering if the CAs are thinking about or talking about it - Well, you heard it here first.
Tim CallanTim CallanYep. Exactly. So we'll keep our eyes on this. If in the future, this gets more legs or if it gets a CA/Browser Forum ballot or things along those lines, we’ll definitely return to it. For now, it's an industry trend. It's something that's probably coming and you ought to know about it. So there you go.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud