Mitigation against spoofed web certificates

The improved version of Domain Validation (DV++)

A Fraunhofer SIT research team, consisting of Markus Brandt, Tianxiang Dai, Amit Klein, Dr. Haya Shulman and Prof. Dr. Michael Waidner, has found a way to issue fraudulent website certificates. These certificates are used to ensure trustworthiness of Internet domains. A research paper describing the details of this attack as well as a possible mitigation will be presented at the ACM Conference on Computer and Communications Security (ACM CCS) in Toronto, Canada, in October 2018.

Certificates are issued by so-called Web CAs, and virtually all popular Web CAs are using a method called Domain Validation (DV) to verify a web site’s identity before issuing a certificate to that web site. The team demonstrated that Domain Validation is fundamentally flawed, and consequently attackers could trick many Web CAs into issuing fraudulent certificates.

A cybercriminal could use this attack to obtain a fraudulent certificate, e.g., for a popular online retailer, set up a web site that perfectly mimics that online retailer’s store, and then phish usernames and passwords. The weakness in Domain Validation can be exploited with nothing more than a laptop and an Internet connection.

As a mitigation, the researchers developed an improved version of DV, called DV++, which could replace DV without any further modifications and which is provided free of charge. DV++ (Domain Validation++) verifies domain ownership in a distributed manner, with the aim of preventing identity theft: multiple servers on the Internet each perform the validation, and their results are compared.

DV++ consists of two parts: the agents, which perform the validation of a given domain, and the orchestrator, which coordinates the validation by sending validation requests to all agents and verifying the results.
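The orchestrator/agent split described above can be modelled in a few lines. This is an added example, not DV++'s own code: the `orchestrate` function, the agent names, the challenge value, and the default rule that every agent must agree are assumptions made for illustration, and the agents are constructed stand-ins rather than real network lookups.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical model: an agent maps a domain to the challenge value it
# observed from its own vantage point (None if it saw none).
Agent = Callable[[str], Optional[str]]

@dataclass
class Verdict:
    valid: bool
    agreeing: List[str]
    dissenting: Dict[str, Optional[str]]

def orchestrate(domain: str, expected: str, agents: Dict[str, Agent],
                quorum: Optional[int] = None) -> Verdict:
    """Send one validation request per agent and compare the results."""
    if not agents:
        raise ValueError("at least one agent is required")
    # Assumption: every agent must agree unless a smaller quorum is given.
    need = len(agents) if quorum is None else quorum
    if not 1 <= need <= len(agents):
        raise ValueError("quorum must be between 1 and the number of agents")
    agreeing: List[str] = []
    dissenting: Dict[str, Optional[str]] = {}
    for name, agent in agents.items():
        try:
            seen = agent(domain)
        except Exception:
            seen = None  # an unreachable agent never counts as agreement
        if seen == expected:
            agreeing.append(name)
        else:
            dissenting[name] = seen
    return Verdict(len(agreeing) >= need, agreeing, dissenting)

def sees(value: Optional[str]) -> Agent:
    """Constructed stand-in for an agent that observes `value`."""
    return lambda domain: value

TOKEN = "challenge-1234"  # constructed challenge value
# Constructed case 1: the real owner published the challenge; all agree.
OWNER = {"agent-a": sees(TOKEN), "agent-b": sees(TOKEN), "agent-c": sees(TOKEN)}
# Constructed case 2: only agent-a is shown the challenge; the others see none.
SPOOFED = {"agent-a": sees(TOKEN), "agent-b": sees(None), "agent-c": sees(None)}

if __name__ == "__main__":
    for label, agents in (("owner", OWNER), ("spoofed", SPOOFED)):
        v = orchestrate("shop.example", TOKEN, agents)
        print(label, v.valid, v.agreeing, v.dissenting)
```

In the second case a validator that relied on `agent-a` alone would accept the request, while the comparison across agents rejects it and names the dissenting vantage points.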

You can download DV++ here: