Overview
My name is Henry Birge-Lee. I am a research software engineer at Princeton University in the CS and ELE departments. I primarily work under professors Prateek Mittal and (now Princeton University provost) Jennifer Rexford on Internet security and privacy. I specialize in understanding and defending against cross-layer network attacks and have done extensive research on the Border Gateway Protocol (BGP). I am an inventor and key advocate of Multi-Perspective Issuance Corroboration (MPIC) which helps protect HTTPS connections from BGP attacks. MPIC is deployed by Let's Encrypt and Google Trust Services and will be required for all WebPKI certificate issuance on March 15, 2025. I am also a founder of the Open Multi-Perspective Issuance Corroboration Project (Open MPIC) which provides an open-source implementation of MPDV for use in the CA industry.
Impact
Real-world impact is what motivates me to do research. To this end, I always strive to have my research deployed. Below are several examples of initiatives I have led that are currently deployed in the real world.
[Image; credit: Cloudflare]
Inventing Multi-Perspective Issuance Corroboration (MPIC)
MPIC (sometimes also referred to as Multi-Perspective Domain Validation or MPDV) is a technology deployed by Certificate Authorities (or CAs) that helps protect TLS certificate issuance from equally-specific BGP attacks.
- In 2016 I coded the first ever MPIC implementation and in 2018 I was lead author of the paper that introduced MPIC.
- My research was a key factor leading to MPIC getting deployed at the world's largest web PKI CA Let's Encrypt in Feb 2020 where it has since secured the issuance of over one billion certificates.
- MPIC has also been deployed at Google Trust Services (the CA responsible for signing certificates for Google services including google.com itself) and is implemented by CloudFlare.
- Following several presentations I made to the CA/Browser Forum and extensive participation in a work team to draft requirements for MPIC, the Chrome Root Program (with endorsements from Let's Encrypt and Fastly) proposed Ballot SC-067 which mandates MPIC industry wide.
- The CA/Browser Forum (which governs all WebPKI certificate issuance) unanimously voted that (per Ballot SC-067) MPIC will be mandated for the issuance of all publicly-trusted server certificates on March 15, 2025.
- Once mandated, MPIC will secure the issuance of over 6 million certificates a day and provide improved security to the millions of websites and billions of users that rely on HTTPS and the WebPKI.
One aspect of MPIC I am particularly proud of is that Princeton University has given MPIC to the public domain. This supports MPIC's continued adoption and maximizes its potential to improve Internet security.
[Image; credit: USENIX Association]
Developing the Secure Backbone Autonomous System (SBAS)
SBAS brings the advantages of new, emerging secure Internet architectures to hosts on today's networks using already-deployed hardware.
- I was lead author of the paper that introduced SBAS.
- A prototype SBAS deployment is operational with four nodes spread across the world and operates out of AS 400065.
- SBAS is planned to be deployed in production on the SCION Research and Education Network.
[Image; credit: SCION Architecture]
Bringing SCION, a Next-Generation Internet Architecture, to Princeton University
SCION is a Next-Generation Internet Architecture that offers improved security and performance over traditional inter-domain IP routing. SCION is deployed in production networks like the Secure Swiss Finance Network and has recently started an international research and education network that Princeton University is a part of.
- I was a key part of an initiative led by the Princeton Inspire Research Group to develop a secure layer-2 link over Internet2's Advanced Layer 2 Service (AL2S) from the SCION R&E Network's interconnects in Virginia, Chicago, and Seattle to the Princeton campus.
- I administer the SCION Router on the Princeton University campus (AS 88 in ISD 71) which provides native SCION connectivity to connected devices.
- I also spearheaded the deployment of the SCION Bootstrapper at Princeton University, which offers zero-configuration native SCION connectivity to hosts on Princeton's network.
Founding the Open MPIC Project
I am a founder and lead developer on the Open MPIC project which offers an open-source production-grade implementation of MPIC for use in the CA industry.
- Several prominent CAs are considering adoption of Open MPIC.
- The Open MPIC project hosts the draft MPIC API specification which is being developed in collaboration with CloudFlare and submitted to the IETF.
Policy Guidance
I have published several works aimed at moving industry, national, and international policy in a more informed direction.
Chrome Root Program's Multi-Perspective Issuance Corroboration Work Team
I was a key contributor to the work team organized by the Google Chrome Root Program that developed standards for industry-wide adoption of MPIC. The resulting work ultimately became CA/Browser Forum Ballot SC-067, which was adopted by the CA/Browser Forum in a unanimous vote.
Princeton CITP and University of Chicago's Response to the FCC
I worked with a cross-institutional team of top BGP researchers from Princeton's Center for Information Technology and Policy (CITP) and the University of Chicago to publish a response to the FCC's inquiry on routing security (Docket No. 22-90) which was cited by the DoD and DOJ.
https://citpsite.s3.amazonaws.com/uploads/FCC+BGP+Security+Comment-3.pdf
BITAG Report on the Security of the Internet’s Routing Infrastructure
As part of the BITAG working group on Routing Security, I worked with other industry leaders on writing a technical report about the current state of routing security. https://www.bitag.org/Routing_Security.php
Publications
- Henry Birge-Lee, Liang Wang, Daniel McCarney, Roland Shoemaker, Jennifer Rexford, and Prateek Mittal. 2021. Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt. In Proceedings of the 30th USENIX Security Symposium (USENIX Security ’21). USENIX Association, Vancouver, CA. https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee Runner up for the 2022 Caspar Bowden PET Award. Finalist in the CSAW’21 Applied Research Competition
- Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2018. Bamboozling Certificate Authorities with BGP. In Proceedings of the 27th USENIX Security Symposium (USENIX Security ’18). USENIX Association, Baltimore, MD, 833–849. https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee Runner up for the 2020 Caspar Bowden PET Award.
- Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2017. Using BGP to acquire bogus TLS certificates. Talk Abstract in Hot Topics in Privacy Enhancing Technologies (HotPETS ’17). Minneapolis, MN. https://www.petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.pdf Winner of the 2017 HotPETS Best Talk Award
- Henry Birge-Lee, Sophia Yoo, Benjamin Herber, Jennifer Rexford, and Maria Apostolaki. 2024. TANGO: Secure Collaborative Route Control across the Public Internet. In Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI ’24). USENIX Association, Baltimore, MD. https://www.usenix.org/conference/nsdi24/presentation/birge-lee
- Grace H. Cimaszewski*, Henry Birge-Lee*, Liang Wang, Jennifer Rexford, and Prateek Mittal. 2023. How Effective is Multiple-Vantage-Point Domain Control Validation? In Proceedings of the 32nd USENIX Security Symposium (USENIX Security ’23). USENIX Association, Anaheim, CA, 5701–5718. https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski *Both authors contributed equally to this work.
- Henry Birge-Lee, Joel Wanner, Grace H. Cimaszewski, Jonghoon Kwon, Liang Wang, François Wirz, Prateek Mittal, Adrian Perrig, and Yixin Sun. 2022. Creating a Secure Underlay for the Internet. In Proceedings of the 31st USENIX Security Symposium (USENIX Security ’22). USENIX Association, Boston, MA, 2601–2618. https://www.usenix.org/conference/usenixsecurity22/presentation/birge-lee
- Henry Birge-Lee, Liang Wang, Jennifer Rexford, and Prateek Mittal. 2019. SICO: Surgical Interception Attacks by Manipulating BGP Communities. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19). Association for Computing Machinery, New York, NY, USA, 431–448. https://doi.org/10.1145/3319535.3363197
- Yixin Sun, Maria Apostolaki, Henry Birge-Lee, Laurent Vanbever, Jennifer Rexford, Mung Chiang, and Prateek Mittal. 2021. Securing Internet Applications from Routing Attacks. Communications of the ACM (CACM) 64, 6 (June 2021), 86–96. https://dl.acm.org/doi/10.1145/3429775
- Henry Birge-Lee, Maria Apostolaki, and Jennifer Rexford. 2022. It takes two to tango: cooperative edge-to-edge routing. In Proceedings of the 21st ACM Workshop on Hot Topics in Networks (HotNets '22). Association for Computing Machinery, New York, NY, USA, 174–180. https://doi.org/10.1145/3563766.3564107
- Henry Birge-Lee, Maria Apostolaki, and Jennifer Rexford. 2025. Global BGP Attacks that Evade Route Monitoring. Accepted to appear in Proceedings of the 26th Passive and Active Measurement Conference (PAM '25). Springer-Verlag, Berlin, Heidelberg. https://arxiv.org/abs/2408.09622 Also an invited plenary talk at RIPE 89, Prague, Czech Republic.
- Walter Gekelman, Patrick Pribyl, Henry Birge-Lee, Joe Wise, Cami Katz, Ben Wolman, Bob Baker, Ken Marmie, Vedang Patankar, Gabriel Bridges, Samuel Buckley-Bonanno, Susan Buckley, Andrew Ge, and Sam Thomas. 2016. Drift waves and chaos in a LAPTAG plasma physics experiment. In American Journal of Physics Volume 84, 118-126. https://doi.org/10.1119/1.4936460