Evaluating Resilience of Domains in PKI

Domain Validation of PKI, allows to verify ownership over domains and poses the basis for cryptography. A number of recent attacks led to efforts to enhance the security of domain validation by improving the resilience of the vantage points used by the certificate authorities. In this work we measure the resilience of the domains to attacks. We show that even when the certificate authorities are secure, the domains introduce a weak link in the PKI ecosystem. Our simulations with a dataset of 2.3M popular Internet domains shows that 50% of the targets are vulnerable, allowing the network adversaries to issue fraudulent certificates even when the more secure distributed domain validation is used. Through Internet measurements we discover that the factors for such a large attack surface include the topological location of the domains, network prefix configuration of the vantage points. Importantly, our work shows that not only the vantage points have to be secure, but also the domains' resilience has to be enhanced.