DNS and PKI. Two of the most centralized services in the Internet. Take over both of them, and you have the whole net under your command.
Good that at least BGP is secure.
Might want to add /sarc just in case someone believes it :-)
Just DNS. If you take over DNS, you can get Let's Encrypt to issue any certificate you want.
There are situations [1] where you could reliably BGP-hijack the IP prefix of the target domain's authoritative nameserver, and obtain your own domain-validated cert for the target (by effectively controlling the zone file contents). And yeah, CAs do have their BGP protections, but still there's at least a partial assumption that BGP is secure enough to run DNS-based validation for new SSL certs, in our world where DNSSEC is still rare.