July 22, 2024

A Brief History of Multi-Perspective Issuance Corroboration

By Henry Birge-Lee, Grace Cimaszewski, Liang Wang, Cyrill Krähenbühl, and Prateek Mittal

“Multi-Perspective Issuance Corroboration” (or “MPIC”) is currently under discussion as an industry-wide standard by the CA/Browser Forum Server Certificate Working Group, and possibly by other Forum Working Groups in the future (i.e., the S/MIME Working Group). This is a promising idea that aims to mitigate the risk of equally-specific Border Gateway Protocol (BGP) attacks by validating domain ownership and the corresponding CA’s permission to issue from multiple perspectives spread across the Internet. Our group at Princeton is spearheading the development of this technology and is also offering an implementation of MPIC via the Open MPIC Project. This post summarizes the history of MPIC and our group’s research and development efforts on this technology. We aim to highlight our commitment to open-source contributions. We trust that MPIC will find valuable and diverse applications across various fields, and we look forward to witnessing the positive impact of open innovation.

Author’s note: The technology of using multiple perspectives spread across the Internet to reduce the risk of BGP attacks causing certificate mis-issuance has gone through several different names including: “Multi-Perspective Domain Validation”, “Multiple-Vantage-Point Domain Validation”, “multiVA”, “Multi-Path Validation”, and “Multi-Perspective CAA”. Even though many of the articles we cite used some of these previous names, we use MPIC for consistency given the standardization process ongoing within the CA/Browser Forum.

History of MPIC:

  • 2015: Artyom Gavrichenkov presented “Breaking HTTPS With BGP Hijacking” at Black Hat USA which theoretically introduced the vulnerability of the PKI to BGP attacks and discussed localized BGP attacks that affect only a portion of the Internet.
  • 2017:
    • Henry Birge-Lee et al. ethically demonstrated the vulnerability of the PKI to BGP attacks for the first time in the wild to obtain a bogus certificate in a demo at HotPETs ‘17. They were also the first to publicly introduce the concept of validating challenges from multiple network perspectives in their abstract for the talk which ultimately became known as MPIC. This paper also linked to the first ever published implementation of multiple vantage point validation which relied upon HTTP proxies connected over VPN tunnels to perform domain control validation at remote perspectives. Let’s Encrypt immediately announced plans to deploy MPIC the day of our HotPETS talk. This ultimately led to a collaboration between our group at Princeton and Let’s Encrypt to further develop and deploy MPIC.
    • Let’s Encrypt officially announced that Multi-Perspective Domain Validation was implemented in their codebase and enabled in their staging environment. Their implementation was different from the original implementation by Birge-Lee et al. in that it relied upon running validation code at remote perspectives. In their implementation the primary orchestrating perspective sends information including the domain name to be validated and the challenge information (path and expected value) to the remote perspectives which then initiate their own validation requests. The challenge information and the responses are all sent over encrypted gRPC tunnels which rely on mutually-authenticated TLS sessions.
  • 2018: Birge-Lee et al. published a paper at the Usenix Security Symposium that rigorously analyzed attacks (both theoretically and via real-world attack experiments) that an adversary can use to obtain a bogus certificate and developed a taxonomy of BGP attacks on the PKI. This paper used Internet topology simulations and data on 1.8 million domains to provide the first effort to rigorously quantify the vulnerability of domain validation to BGP attacks as well as the security benefits of Multi-Perspective Domain Validation against localized equally-specific BGP attacks.
  • 2020: Through the collaboration between Princeton and Let’s Encrypt, Let’s Encrypt finalized their production deployment of multi-perspective domain validation and enabled it on all ~1.5 million certificates they sign every day.
  • 2021: The Princeton and Let’s Encrypt collaboration lead to Birge-Lee et al. publishing “Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt” at Usenix Security ‘21 which detailed Let’s Encrypt’s deployment, studied the impact on benign certificate issuance, and showed the deployment improved security against ethically-launched real-world BGP attacks.
  • 2024:
    • Public discussion on Ballot SC-067 to incorporate MPIC into the TLS Baseline Requirements began.
    • The Open MPIC Project was launched to offer an API-based open-source implementation that can be easily deployed by any CA. Open MPIC provides the first implementation for non-ACME CAs and allows CAs to deploy MPIC in their own cloud provider accounts. This offers the benefits of a cloud deployment while allowing CAs to have full visibility and control of the code that is running MPIC. In the future we hope to work with interested parties to turn the Open MPIC API Specification into an RFC standard that can also be adopted by other MPIC deployments.

Conclusion:

Over several years, our group has supported the open development and research of MPIC, including MPIC design, implementation, and deployment.  In the spirit of open innovation, the MPIC contributions from our Princeton team have been given to the public domain. We hope that MPIC finds diverse applications across fields, and look forward to witnessing the positive impact of open innovation. In a subsequent blog post we will discuss our future vision and the details of the Open MPIC project.

Speak Your Mind

*