The impact of MitM attack

[Jin Tong]

Hello everyone,

I'd like to discuss the potential impacts of a man-in-the-middle (MitM) attacker after a fraudulent certificate is issued. I hope someone can provide answers or recommend relevant materials addressing these questions:

1. After a fraudulent certificate is discovered, how long does it typically take to remove the fraudulent certificate and the associated CA to eliminate potential MitM attacks?

2. State-level MitM attacks often involve hijacking critical network nodes, suggesting such attacks typically exhibit geographic characteristics. Is it reasonable to assume that for most countries or regions, at least one victim node would escape the compromised environment within a day (e.g., by using a VPN or relocating their physical location)? If not, what would be a more accurate timeframe?

Sincerely looking forward to your reply,
Jin Tong

[Schoo W3]

Sei I do my best to fix any measure. 

[Henry Birge-Lee]

Hi Jin and community,

I can provide some perspective on this. I am a security researcher (formerly Princeton University) and I have been involved in threat investigations related to PKI MITM (similar to the Klayswap attack ), I wrote two CA/Browser Forum ballots that directly addressed the MitM threat to the PKI (MPIC and DNSSEC ballots which are now part of the baseline requirements), and I have done some work on nation-state censorship/interception behavior (e.g., https://arxiv.org/abs/2304.01073 ) (see https://henrybirgelee.com/ ).

Regarding 1: A long time (if ever). Actually mitigating the MitM risk from a fraudulent certificate is a multi-step process and each step has a high error rate. First the fraudulent certificate and attack needs to be detected. This is often the longest and most difficult step even with CT. I am aware of many attacks where either because of inaccurate root cause analysis or the victim's desire to not make the attack publicly known, the certificate in question simply expires (i.e., is never revoked). Even when a certificate is revoked, it is often long after actual issuance because someone is poking around CT logs. If we take CloudFlare's recent 1.1.1.1 certificate issue for example (see https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc ), this certificate was signed in May 2025 and not revoked until September 2025 ( see https://crt.sh/?id=18603461241 ). This example comes from one of the highest-profile TLS use cases in the world run by a major cloud provider, so it's reasonable to assume smaller cases are going undetected. Another sample of interest is the certificate involved in the Klayswap attack ( https://crt.sh/?q=6097052179 ). This is one of the cases where threat intel correctly identified the attack in a timely manner and the victim took preventative action. The fraudulent cert was still valid from Feb 3 to Feb 8 2022 ( 5 days). CA removal is a different story and has more to do with the CA's specific behavior or with regard to the CA/Browser Forum Baseline Requirements than simply the presence of a misissued certificate. Sectigo (the CA that signed the Klayswap cert) is still trusted because this cert was signed per CA/B guidelines and Sectigo implemented the appropriate checks during domain validation. The 1.1.1.1 cert is a different story. Regardless, CA removal is a much longer much slower process than cert revocation and requires an incident report and investigation into CA behavior (i.e., it is not an immediate reaction to a known attack cert).

Regarding 2: I would say it depends on the nation state and how extensively the fraudulent certificate was used for interception. Some nation states block VPNs and some populations are less likely to leave the country in a short timeframe (e.g., rural). If a nation-state targeted a MitM attack at specific subpopulations which were not likely to leave the country, I would personally feel it could take much longer than a day. Perhaps targeting of journalists or tourists would see subjects leaving the area affected by the MitM on a more frequent basis. I should note that there is no guarantee that a nation-state MitM is regional. Many nation states have unfiltered BGP routers at their top ISPs and can launch a global interception against many prefixes (e.g., Pakistan youtube incident), although this type of attack has significantly more implications in international politics than an internal attack within the nation.

(shameless plug) If you know an organization that is concerned about PKI MitM attacks, I am CEO of a company that specializes in detecting and preventing these types of attacks: https://www.crosslayerlabs.com/

Let me know if that information is helpful.

Best,

Henry

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2177e84b-e4a5-42bb-8782-56044ee09993n%40mozilla.org.

[Jin Tong]

Hello Henry,

Thank you very much for your patience in clarifying this matter.

We appreciate your correction of my misconception. We have also noted the significant difference in processing times when mainstream browsers remove trust for DigiNorta and Symantec CAs. It is indeed unrealistic to equate handling man-in-the-middle attacks with removing trust for misissued CAs.

Additionally, regarding the MitM attacker's network control capabilities, we'd like to clarify one point. If an attacker (perhaps fearing condemnation or for other reasons) wishes to launch a low-profile attack, would this limit the scope or duration of their network hijacking?

Once again, thanks for your generous insights.

Best,

Jin Tong