Overview

My name is Henry Birge-Lee. I am a research software engineer at Princeton University in the CS and ELE departments. I primarily work under professors Prateek Mittal and (now Princeton University provost) Jennifer Rexford on Internet security and privacy. I specialize in understanding and defending against cross-layer network attacks. I have a particular interest in inter-domain routing and the PKI (click here for more about me).

Impact

Real-world impact is what motivates me to do research. To this end, I always strive to have my research deployed. Below are several examples of initiatives I have lead that are currently deployed in the real world.

• 

  Image credit: Cloudflare

  Multi Perspective Domain Validation (MPDV)

  MPDV is a technology deployed by Certificate Authorities (or CAs) that helps protect TLS certificate issuance from equally-specific BGP attacks.

  • In 2018 I was lead author of the paper that designed multi perspective domain validation.
  • My research was a key factor leading to MPDV getting deployed at the world's largest web PKI CA Let's Encrypt in Feb 2020 where it has since secured the issuance of over one billion certificates.
  • MPDV has also been deployed at Google Trust Services (the CA responsible for signing certificates for Google services including google.com itself) and is implemented by CloudFlare.
  • There is growing momentum within the CA and Browser Forum (the governing body that regulates CAs) and industry about making MPDV an industry-wide requirement.
  • MPDV is required in CA/Browser Forum ballot SC-067 which is endorsed by the Chrome Root Program, Let's Encrypt, and Fastly and is under public discussion by the Server Cert Working Group. It is scheduled to be voted on for adoption in the coming moths, and if passed, will require all Certificate Authorities to perform MPDV.
• 

  Image credit: USENIX Association

  Secure Backbone Autonomous System (SBAS)

  SBAS brings the advantages of new emerging secure Internet architectures to hosts on today's networks already-deployed hardware.

  • I was lead author of the paper that introduced SBAS.
  • A prototype SBAS deployment is operational with four nodes spread across the world.
  • SBAS is planned to be deployed in production on the SCION Research and Education Network
• 

  Image credit: SCION Architecture

  Bringing SCION, a Next-Generation Internet Architecture, to Princeton University

  SCION is a Next-Generation Internet Architecture that offers improves security and performance over traditional inter-domain IP routing. SCION is deployed in production networks like the Secure Swiss Finance Network and has recently started an international research and education network that Princeton University is a part of.

  • I was a key part of an initiative lead by the Princeton Inspire Research Group to develop secure layer-2 link over Internet2's Advanced Layer 2 Service (AL2S) from the SCION R&E Network's interconnect in Virginia to the Princeton campus.
  • I administer the SCION Router on the Princeton University campus (AS 88 in ISD 71) which provides native SCION connectivity to connected devices.

Policy Guidance

I have published several works aimed at moving industry, national, and international policy in a more informed direction.

• Chrome Root Program's Multi-Perspective Domain Validation Work Team
  I was a key contributor to the work team organized by the Google Chrome Root Program that developed standards for industry-wide adoption of MPDV. The resulting work ultimately became CA/Browser Forum ballot SC-067 that would require all CAs to do MPDV.

• Princeton CITP and University of Chicago's Response to the FCC
  I worked with a cross-institutional team of top BGP researchers from Princeton's Center for Information Technology and Policy (CITP) and the University of Chicago to publish a response to the FCC's inquiry on routing security (Docket No. 22-90) which was cited by the DoD and DOJ.
  https://citpsite.s3.amazonaws.com/uploads/FCC+BGP+Security+Comment-3.pdf

• BITAG Report on the Security of the Internet’s Routing Infrastructure
  As part of the BITAG working group on Routing Security, I worked with other industry leaders on writing a technical report about the current state of routing security. https://www.bitag.org/Routing_Security.php

Click here to download my full CV.

Publications

• Henry Birge-Lee, Liang Wang, Daniel McCarney, Roland Shoemaker, Jennifer Rexford, and Prateek Mittal. 2021. Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt. In Proceedings of the 30th USENIX Security Symposium (USENIX Security ’21). USENIX Association, Vancouver, CA. https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee Runner up for the 2022 Caspar Bowden PET Award. Finalist in the CSAW’21 Applied Research Competition
• Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2018. Bamboozling Certificate Authorities with BGP. In Proceedings of the 27th USENIX Security Symposium (USENIX Security ’18). USENIX Association, Baltimore, MD, 833–849. https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee Runner up for the 2020 Caspar Bowden PET Award.
• Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2017. Using BGP to acquire bogus TLS certificates. Talk Abstract in Hot Topics in Privacy Enhancing Technologies (HotPETS ’17). Minneapolis, MN. https://www.petsymposium.org/2017/papers/hotpets/bgp-bogus-tls.pdf Winner of the 2017 HotPETS Best Talk Award
• Henry Birge-Lee, Sophia Yoo, Benjamin Herber, Jennifer Rexford, and Maria Apostolaki. 2024. TANGO: Secure Collaborative Route Control across the Public Internet. In Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI ’24). USENIX Association, Baltimore, MD. https://www.usenix.org/conference/nsdi24/presentation/birge-lee
• Grace H. Cimaszewski*, Henry Birge-Lee*, Liang Wang, Jennifer Rexford, and Prateek Mittal. 2023. How Effective is Multiple-Vantage-Point Domain Control Validation? In Proceedings of the 32nd USENIX Security Symposium (USENIX Security ’23). USENIX Association, Anaheim, CA, 5701--5718. https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski *Both authors contributed equally to this work.
• Henry Birge-Lee, Joel Wanner, Grace H. Cimaszewski, Jonghoon Kwon, Liang Wang, François Wirz, Prateek Mittal, Adrian Perrig, and Yixin Sun. 2022. Creating a Secure Underlay for the Internet. In Proceedings of the 31st USENIX Security Symposium (USENIX Security ’22). USENIX Association, Boston, MA, 2601--2618. https://www.usenix.org/conference/usenixsecurity22/presentation/birge-lee
• Henry Birge-Lee, Liang Wang, Jennifer Rexford, and Prateek Mittal. 2019. SICO: Surgical Interception Attacks by Manipulating BGP Communities. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19). Association for Computing Machinery, New York, NY, USA, 431–448. DOI:https://doi.org/10.1145/3319535.3363197
• Yixin Sun, Maria Apostolaki, Henry Birge-Lee, Laurent Vanbever, Jennifer Rexford, Mung Chiang, and Prateek Mittal. 2021. Securing Internet Applications from Routing Attacks. Communications of the ACM (CACM) 64, 6 (June 2021), 86–96. https://dl.acm.org/doi/10.1145/3429775
• Henry Birge-Lee, Maria Apostolaki, and Jennifer Rexford. 2022. It takes two to tango: cooperative edge-to-edge routing. In Proceedings of the 21st ACM Workshop on Hot Topics in Networks (HotNets '22). Association for Computing Machinery, New York, NY, USA, 174–180. https://doi.org/10.1145/3563766.3564107
• Walter Gekelman, Patrick Pribyl, Henry Birge-Lee, Joe Wise, Cami Katz, Ben Wolman, Bob Baker, Ken Marmie, Vedang Patankar, Gabriel Bridges, Samuel Buckley-Bonanno, Susan Buckley, Andrew Ge, and Sam Thomas. 2016. Drift waves and chaos in a LAPTAG plasma physics experiment. In American Journal of Physics Volume 84, 118-126. https://doi.org/10.1119/1.4936460