Internet trust is built on quite shaky foundations. Moving packets around to the correct computer that controls each IP address involves often no less than 3 large complex pyramids of trust: BGP, DNS and PKI. Any crack in any of these leads to the others crumbling.
Let's start with BGP, it works like this:
The DNS pyramid has the following components:
And the PKI pyramid has these:
We can compare these pyramids as follows:
You can easily see that BGP, the foundation, has enormous gaps. By exploiting BGP it is possible to compromise both DNS and PKI, despite all the current mitigations in place.
In particular, across all levels, there are significant gaps in
Administrative Controls, with fraudulent participants obtaining approval, Real-time Validation and Revocation, which barely works at the PKI level as it can't scale, Transparency Mechanisms, as both IP and domain asset owners can't control who makes security assertions about their assets, Man in the middle attacks due to poor Authentication mechanisms,
All these gaps result in poor security. For example the support for strong mutual authentication is poor, both in server-client and peer to peer applications. Deployments are complex, expensive and brittle.
In the next article we will explain how RODiT technology can help overcoming many of these challenges.
Top comments (0)