Like much of humanity, Henry Birge-Lee simply wanted to visit YouTube. Yet his high school in Los Angeles had blocked classroom computers from visiting the site on the grounds that it posed a non-educational distraction — a hardly baseless accusation, as evidenced by YouTube’s millions of cat videos.
The experience got Birge-Lee interested in how network security manages the complex, occasionally treacherous interface between computers and the internet. It turned out he had a knack for the craft. His high school computer science team went on to win a national championship at CyberPatriot, a security competition held by an aerospace education nonprofit.
Now as an undergraduate student at Princeton, Birge-Lee has continued his streak. He is part of a research team that has pioneered a protection against potential cyberattacks that a major internet security firm has already begun rolling out.
The project focuses on “digital certificates.” These electronic documents allow for secure, private communications between a user’s computer and an online site. Cybercriminals have methods for obtaining fake certificates, however, that trick users into sharing sensitive information. In their project, Birge-Lee and colleagues demonstrated a new and harder-to-detect form of this subterfuge; and then they demonstrated new countermeasures to protect against it.
“To go from taking college classes to contributing to ongoing research has been incredibly exciting,” said Birge-Lee, who is majoring in computer science and is slated to graduate in 2020. “It has made me feel that my ideas are valued and that there is hope to make a difference even when faced with a very challenging problem.”
Birge-Lee learned about digital certificates in a class taught by Prateek Mittal, an assistant professor of electrical engineering and an associated faculty member in computer science. In chats about the coursework, Mittal recognized that Birge-Lee had the germ of an idea for understanding the vulnerability of certificate issuance, and securing its design. Mittal encouraged Birge-Lee to develop the idea through an independent research course in the 2017 spring semester and in his lab over the summer. Birge-Lee also collaborated with Princeton graduate students Yixin Sun and Annie Edmundson, receiving additional guidance from Jennifer Rexford, the Gordon Y. S. Wu Professor in Engineering and chair of the computer science department.
Shortly before submissions were due for the security and privacy conference HotPETS (Hot Topics in Privacy Enhancing Technologies), Mittal suggested it would serve as a good forum for showcasing Birge-Lee’s research. Asked to do a live demonstration during the July conference in Minneapolis, Birge-Lee was a bit on edge. But at the conference, everything clicked on the first go. The demo was so successful that the conference organizers awarded Birge-Lee the prize for best presentation.
“Henry and his collaborators are really getting hands-on experience serving at the front lines of cybersecurity with this project,” said Mittal. “I’m proud of their work and how it’s already having a significant impact.”
In everyday online transactions, computers vet each other, based on digital certificates issued by trusted third-party companies, known as certificate authorities. Although the certificates can be read, they are cryptographically signed so their content cannot be edited. Website owners request digital certificates from these companies, which then validate the website in question by verifying that the owner legitimately controls its domain name. A user’s computer, having seen the validly issued digital certificate, accordingly establishes a confidential connection for transmission of personal data, such as credit card numbers.
Would-be malefactors can hijack this certification process. One method is by presenting a longer, more specific Internet Protocol (IP) prefix. Shorter prefixes indicate more general, higher-level networks — the interstate highway systems of the internet, so to speak — while longer IP prefixes are for subnetworks, like the streets in a neighborhood.
“Our adversaries in the online world could use the insecure routing infrastructure to falsely gain a certificate,” said Birge-Lee. “And once an adversary has the certificate, it has gained the user’s trust and can abuse that trust in any way it sees fit.”
Although commonplace, this kind of attack is crude and usually discovered fairly quickly because the victim’s site experiences a sharp decline in traffic. But Birge-Lee and colleagues realized that a clever cybercriminal could forward the traffic routed through the bogus certificate’s computer to the victim’s original site, with the victim not knowing this “man-in-the-middle” attack is stealing valuable information from its customers.
The Princeton researchers developed two ways to thwart the digital skullduggery. The first relies on the fact that certificate authorities typically use only one of their own servers to verify a website’s legitimacy. If certificate authorities were instead to adopt a multiple vantage point check, involving small programs running on servers spread throughout the internet, a hijacked route pulling traffic away from the victim’s bona fide site would be readily detectable. That is because attackers sometimes focus their attacks on a single area of the internet, so computers located in other areas would easily detect changes in traffic from their vantage points.
A second countermeasure zeroes in on how routers connecting computers to the internet talk to one another. When a router goes offline or is modified in some way, an automatic announcement is sent out to inform other routers regarding redirection of traffic to a destination. The researchers proposed that certificate authorities check when routes were last updated before issuing a certificate as a possible way to identify suspiciously new routes and perform additional due diligence.
Early in the project, the Princeton team sought input from one certificate authority, Let’s Encrypt, to validate their approaches. The San Francisco-based nonprofit provided feedback, began its own internal development, and after Birge-Lee’s presentation, announced that it will implement the multiple vantage point countermeasure.
"We greatly appreciate the research done by Professor Mittal's group at Princeton,” said Josh Aas, co-founder and executive director of Let's Encrypt. “It has helped to clarify an important part of our threat model. In response, we'll be deploying mitigations that will protect many millions of websites.”
Aas added that the new mitigations from Birge-Lee, Mittal and colleagues will hopefully become industry-standard in the future.
In the meantime, the Princeton team plans to continue developing the routing update method. Birge-Lee, also is eager to take on new projects exploring the ever-evolving threat landscape to internet security.
“Every internet security concept that we consider commonplace today was once just an idea in the ongoing conversation that is academic research,” said Birge-Lee. “We are all thrilled here at Princeton to be taking part in that conversation.”