Comment on Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency by Henry Birge-Lee

Share on facebook
Share on twitter
Share on linkedin
Share on reddit

In reply to Phill Hallam-Baker.

Thank you for your comment and for your contributions to the development of the web PKI. We do feel this is a fundamental flaw in the trust the certificate authorities place in the routing infrastructure. Domain validated certificates inherently rely on demonstrating control of web services that are validated through the network. BGP attacks that manipulate network routing can directly interfere with this validation process.

With that in mind, this particular attack could have been prevented by improved web development practices and overall security improvements to the KLAYswap system, as you discussed. Had KLAYswap not loaded any external javascript, developers.kakao.com would not have been a viable attack target for compromising KLAYswap. That said, even if no external javascript code was loaded, the adversary could have changed its target to KLAYswap’s own domain and used that to serve malicious content. In addition, even if cryptocurrency services reduce their reliance on the PKI, many other applications use the PKI to secure critical systems and are also vulnerable to this attack.

As indicated in your comment, we also agree that improvements are needed across many different layers including the PKI and routing infrastructure. More rigorous validation processes like multiple vantage point validation and improved routing security can substantially reduce the damage and viability of attacks like this. We plan to cover some of these topics in a followup blog post that we are currently working on.

Read more

Explore the site

More from the blog

Latest News