• DocumentCode
    1782814
  • Title

    Ubiquitous support of multi path probing: Preventing man in the middle attacks on Internet communication

  • Author

    Braun, Johannes

  • Author_Institution
    Tech. Univ. Darmstadt, Darmstadt, Germany
  • fYear
    2014
  • fDate
    29-31 Oct. 2014
  • Firstpage
    510
  • Lastpage
    511
  • Abstract
    Digital certificates issued by certification authorities (CAs) which are part of the Web Public Key Infrastructure (Web PKI) are the indispensable basis for secure communication on the Internet. The certificates are used in TLS to authenticate web servers. However, as past incidents have shown, CA failures and the issuance of malicious certificates threaten the security of communication, as they allow for man in the middle attacks (MitM) and server impersonation. All known mitigations so far are only niche solutions having their own weaknesses and problems which prevented a wide deployment. Thus, additional methods must be natively supported by common web servers to mitigate threats imposed by CA failures. We propose to integrate multi path probing of certificates as a fundamental mechanism into the web infrastructure. This enables the reconfirmation of certificates whenever their authenticity is in doubt. We describe how this can be realized with minor efforts and without infrastructural changes, while the overhead arising from these reconfirmations can be kept at a small rate.
  • Keywords
    Internet; digital signatures; public key cryptography; ubiquitous computing; CA; Internet communication; MitM; Web PKI; Web public key infrastructure; Web server authentication; certification authorities; digital certificates; man in the middle attacks; multipath probing; ubiquitous support; Browsers; Privacy; Public key; Web servers;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications and Network Security (CNS), 2014 IEEE Conference on
  • Conference_Location
    San Francisco, CA
  • Type

    conf

  • DOI
    10.1109/CNS.2014.6997529
  • Filename
    6997529