NewsaHackO 10 hours ago
A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use, these incorrect, nonexistent, or malicious routes. But with HTTPS, they wouldn't be able to actually pose as another website, just delay/black hole the request so it doesn't reach its goal target, right? From the figure, it makes it seem like a person can use BGP to spoof a website and make a user visit a phished website, but that's not right, correct?
foobiekr 9 hours ago | parent | next
BGP attacks have nothing to do with spoofed peers. They have to do with accepted peers behaving maliciously in terms of the AS Paths they advertise. Once you control BGP you control any IP and can subvert certificate issuance that effectively uses IP to validate certificate issuance requests. For example anything that relies on a file or DNS at a specific IP. Once you have done so, you ARE the site, no matter what HSTS says. We’ve tried to solve this problem a few times with certificate pinning (dangerous) and more recently just giving up and using certificate transparency to try and mitigate the blast radius by hoping the duration can be curtailed. The whole system is incredibly fragile. As an aside, BGP should move over to TLS (not HTTPS, HTTP is a terrible protocol for this) for other reasons (it’s a better option than TCP-AO/MD5). That this is not already the case should inform people’s opinion of where this stuff is on the security timeline.
swisniewski 9 hours ago | parent | prev | next
You can use BGP hijacks to spoof another website. You just need to get a publicly trusted CA to mint a certificate for your new site. This can be done, for example, with Let’s Encrypt, using several of the various domain verification challenges they support. There are some protections against this, such as CAA records in DNS, which restrict which CAs can issue certs and, depending on the CA, which verification methods are allowed. That may not provide adequate protection. For example, if you are using LE and are using verification mechanisms other than DNS, then the attacker could trick LE into issuing it a cert. That also depends on the security of DNS, which can be tricky. So, yes, BGP hijacks can be used to impersonate other sites, even though they are using HTTPS. When you configure your domains, make sure you set up CAA, locked down to your specific CA, and have DNSSEC set up, as a minimum bar. Also avoid using DV mechanisms that only rely on control over an IP address, as that can be subverted via BGP.
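To make the CAA advice above concrete, here is an added example (mine, not code from this thread, from Let's Encrypt or from any CA) that models the CAA issuance check of RFC 8659 and the `validationmethods` parameter of RFC 8657, which lets a zone owner say not only which CA may issue but also which ACME challenge type it may use. The zone snapshot is constructed by hand; a real check would query a DNSSEC-validating resolver, and support for the RFC 8657 parameters varies between CAs.

```python
"""Offline model of the CAA issuance check (RFC 8659) plus the RFC 8657
'validationmethods' parameter. Constructed example: the ZONE data is made
up for illustration and nothing here talks to real DNS."""

# Constructed zone snapshot: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),  # one CA, DNS-01 only
        (0, "issuewild", ";"),                                      # no wildcard issuance at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.org.": [],  # no CAA records anywhere in this tree
}

def _ancestors(name):
    """Yield the name, then its parent, grandparent, ... down to the TLD."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def relevant_caa_set(name, zone):
    """RFC 8659 s3: the first non-empty CAA RRset found while climbing from the
    name toward the root is the only one that applies to the name."""
    for candidate in _ancestors(name):
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def parse_value(value):
    """Split 'issuer-domain; key=val; key2=val2' into (issuer_domain, params).
    An empty issuer domain (the value ';') means that no CA may issue."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip().lower()
    return parts[0].lower(), params

def may_issue(name, ca_domain, method, zone, wildcard=False):
    """Return (allowed, reason) for the CA identified by ca_domain wanting to
    issue for name after validating with the named ACME challenge type."""
    owner, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records anywhere in the tree: issuance is not restricted"
    # An unrecognised property with the critical flag (128) set must block issuance.
    for flags, prop, _ in rrset:
        if flags & 128 and prop.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown CAA property '{prop}' at {owner}"
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue, but only for wildcard names
    records = [v for _, t, v in rrset if t.lower() == tag]
    if not records:
        return True, f"no '{tag}' property at {owner}: issuance is not restricted"
    for value in records:
        issuer, params = parse_value(value)
        if issuer != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed and method.lower() not in allowed.split(","):
            return False, f"{ca_domain} is authorised only via {allowed}, not {method}"
        return True, f"{ca_domain} authorised by '{tag}' record at {owner}"
    return False, f"{ca_domain} is not listed in any '{tag}' record at {owner}"

if __name__ == "__main__":
    for args in [("www.example.com.", "letsencrypt.org", "dns-01"),
                 ("www.example.com.", "letsencrypt.org", "http-01"),
                 ("www.example.com.", "digicert.com", "dns-01"),
                 ("host.legacy.example.org.", "anyca.example", "http-01")]:
        print(args, "->", may_issue(*args, ZONE))
```

The `validationmethods=dns-01` line is the part that addresses the thread's concern: even if a CA's HTTP-01 probe were routed to a hijacked prefix, the CA honouring the record has no authorisation to issue on the strength of an HTTP-01 result. The record itself is only as trustworthy as the DNS answer carrying it, which is why the comment pairs CAA with DNSSEC.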
infogulch 10 hours ago | parent | prev | next
Well, if they can deceive certificate authorities that implement the ACME protocol like Let's Encrypt, then they could get a certificate for your site with the HTTP-01 challenge; see the paper Using BGP to Acquire Bogus TLS Certificates (2017) [1]. That paper suggested a mitigation they call Multiple Vantage Point Verification, which has already been implemented [2].
[1]: https://petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.p...
[2]: https://community.letsencrypt.org/t/validating-challenges-fr...
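Here is an added example (mine, not the paper's code and not Let's Encrypt's implementation) of why validating from several vantage points blunts the attack described in this comment. It implements the HTTP-01 key authorization of RFC 8555 (token plus the RFC 7638 thumbprint of the account key) and then runs that check from a constructed set of vantage points, some of which have had their route to the origin hijacked in the scenario. The account keys, tokens, vantage names and the quorum rule ("primary plus at least N remote perspectives must agree") are all assumptions for the example, not the real policy of any CA.

```python
"""ACME HTTP-01 validation (RFC 8555 s8.3) observed from several network
vantage points. Constructed example; the quorum policy is an assumption."""
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the origin must serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def validate_http01(token: str, account_jwk: dict, fetch) -> bool:
    """fetch(path) returns the body string or None; pass only on an exact match."""
    body = fetch(f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == key_authorization(token, account_jwk)

def multi_perspective_decision(results: dict, required_remote: int) -> bool:
    """Assumed policy: the primary perspective must pass and at least
    required_remote of the other perspectives must pass too."""
    remote = [ok for vantage, ok in results.items() if vantage != "primary"]
    return bool(results.get("primary", False) and sum(remote) >= required_remote)

# Constructed account keys: the 'n' values are placeholders, not real moduli.
VICTIM_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-legit-account"}
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-other-account"}
VANTAGES = ("primary", "eu-west", "us-east", "ap-south")  # assumed perspective names

# The legitimate origin serves only the challenge its own account requested;
# a server sitting behind a hijacked route serves a challenge for a different account.
VICTIM_SERVER = {"/.well-known/acme-challenge/tok-legit":
                 key_authorization("tok-legit", VICTIM_JWK)}
OTHER_SERVER = {"/.well-known/acme-challenge/tok-other":
                key_authorization("tok-other", ATTACKER_JWK)}

def simulate(token: str, requester_jwk: dict, hijacked_vantages: set,
             required_remote: int = 2) -> dict:
    """Each vantage point reaches the real origin unless its route is in
    hijacked_vantages, in which case its request lands on OTHER_SERVER."""
    results = {}
    for vantage in VANTAGES:
        server = OTHER_SERVER if vantage in hijacked_vantages else VICTIM_SERVER
        results[vantage] = validate_http01(token, requester_jwk, server.get)
    return {"single_perspective": results["primary"],
            "multi_perspective": multi_perspective_decision(results, required_remote),
            "per_vantage": results}

if __name__ == "__main__":
    print("legit request, no hijack  :", simulate("tok-legit", VICTIM_JWK, set()))
    print("other account, local hijack:", simulate("tok-other", ATTACKER_JWK, {"primary"}))
```

The interesting case is the second one: a hijack that only affects the path from the CA's primary validator passes single-perspective validation but fails the quorum, because the other perspectives still reach the real origin, which has never heard of that token. The caveat, also visible in the model, is that a hijack wide enough to capture the quorum of perspectives still succeeds, which is why this mitigation is usually combined with CAA, DNSSEC and RPKI rather than relied on alone.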
jon-wood 9 hours ago | parent | prev | next
For anything major you're right, you'd expect them to be on the HSTS preload list in people's browsers, which forces all requests over SSL, which would then pick up an invalid certificate. That doesn't make this harmless though; just being able to blackhole traffic for something is a pretty significant attack - Pakistan a few years back accidentally caused YouTube to be unavailable ~worldwide when they only intended to make it unavailable within the country. There's also a lot of sites not on the preload list, and those you could fairly easily MITM, especially if you've also got access to a tame certificate issuer, and I don't doubt that a nation state could persuade someone to issue them some certificates given the proper levers.
dsr_ 10 hours ago | parent | prev
If you can inject arbitrary malicious routes, you can make ACME requests for a new cert.