RiPKI: The Tragic Story of RPKI Deployment in the Web Ecosystem
Matthias Wählisch, Robert Schmidt, Thomas C. Schmidt, Olaf Maennel, Steve Uhlig, Gareth Tyson

TL;DR
This paper investigates the deployment challenges of RPKI in the web ecosystem, revealing that less popular sites are better secured and that major CDNs often lack RPKI support, raising concerns about widespread security vulnerabilities.
Contribution
It provides an empirical analysis of RPKI deployment patterns in web hosting, highlighting the mismatch between security needs and actual adoption, especially among large-scale CDNs.
Findings
Less popular websites are more likely to use RPKI.
Many large CDNs do not support RPKI, exposing their customers to risks.
Business reasons hinder RPKI deployment among operators.
Abstract
Web content delivery is one of the most important services on the Internet. Access to websites is typically secured via TLS. However, this security model does not account for prefix hijacking on the network layer, which may lead to traffic blackholing or transparent interception. Thus, to achieve comprehensive security and service availability, additional protective mechanisms are necessary such as the RPKI, a recently deployed Resource Public Key Infrastructure to prevent hijacking of traffic by networks. This paper argues two positions. First, that modern web hosting practices make route protection challenging due to the propensity to spread servers across many different networks, often with unpredictable client redirection strategies, and, second, that we need a better understanding why protection mechanisms are not deployed. To initiate this, we empirically explore the relationship…
