Selected Publications

This paper identifies a powerful attack where an adversary leverages vulnerabilities in BGP to gain publicly-trusted TLS certificates. This attack can lead to the impersonation of HTTPS websites and was later exploited to steal millions in cryptocurrency. This paper also introduced the countermeasure that is now known as Multi-Perspective Issuance Corroboration (MPIC) and protects the issuance of all digital certificates today.

This paper analyses the vulnerability of millions of HTTPS domains to cross-layer attacks using a real-time global infrastructure. The paper presents insights from advanced BGP attack simulations and geographically-distributed full-graph DNS lookups from millions of domains from Let's Encrypt logs.

This paper details the deployment of Multi-Vantage-Point Domain Validation (now known as MPIC) at Let's Encrypt, the world's highest-volume web PKI CA. The innovations presented in this paper established the groundwork that allowed the entire industry to use MPIC later on.

This paper outlines a cutting-edge network attack that can affect critical network resources like Tor nodes or HTTPS while evading detection by state of the art monitoring. This paper also discusses countermeasures for the networking community to help protect against those attacks.

This paper leverages the security of the SCION next generation Internet architecture to provide improved routing security and protect core systems against cyber attacks. The paper uses the federated SCION network as an underlay to securely carry Internet traffic as close to its destination as possible.