DOCSLIB.ORG

The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Extended Paper Version If you cite this paper, please use the CCS reference: Jens Hiller, Johanna Amann, and Oliver Hohlfeld. 2020. The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures. In 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS ’20), November 9–13, 2020, Virtual Event, USA. ACM, New York, NY, USA, 18 pages. https://doi.org/10.1145/3372297.3423345 The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures Jens Hiller∗ Johanna Amann Oliver Hohlfeld [email protected] [email protected] [email protected] Communication and Distributed ICSI; Corelight; LBNL Brandenburg University of Systems, RWTH Aachen University Technology ABSTRACT 1 INTRODUCTION Public Key Infrastructures (PKIs) with their trusted Certificate Au- Public key infrastructures (PKIs) like the Web PKI, provide the trust thorities (CAs) provide the trust backbone for the Internet: CAs infrastructure for many applications in today’s Internet. They, e.g., sign certificates which prove the identity of servers, applications, or enable webbrowsers, or apps on mobile operating systems (OS), users. To be trusted by operating systems and browsers, a CA has to authenticate servers for secure online banking, web shopping, to undergo lengthy and costly validation processes. Alternatively, or password entry. Governments use PKIs for authentication in trusted CAs can cross-sign other CAs to extend their trust to them. privacy-preserving health systems, remote functionality of admin- In this paper, we systematically analyze the present and past state istrative offices, or electronic voting [3, 32, 89, 91]. of cross-signing in the Web PKI. Our dataset (derived from passive Certificate Authorities (CAs) serve as trust anchors in PKIs and TLS monitors and public CT logs) encompasses more than 7 years have the ability to issue trusted certificates to companies and indi- and 225 million certificates with 9.3 billion trust paths. Weshow viduals. The security of a PKI relies on benign and correct acting of benefits and risks of cross-signing. We discuss the difficulty ofre- all its CAs. Despite audit processes, there have been several cases of voking trusted CA certificates where, worrisome, cross-signing can severe CA misbehavior or security breaches: In 2011, the DigiNotar result in valid trust paths to remain after revocation; a problem for CA was compromised [77]. This caused its removal from root stores. non-browser software that often blindly trusts all CA certificates All DigiNotar issued certificates became untrusted. In the following and ignores revocations. However, cross-signing also enables fast years, a range of new security measures were introduced to reduce bootstrapping of new CAs, e.g., Let’s Encrypt, and achieves a non- the impact of future compromises [2]. However, most face small disruptive user experience by providing backward compatibility. In deployment and thus have limited effect [2]. Along this path, the this paper, we propose new rules and guidance for cross-signing to Certification Authority Browser (CAB) Forum gradually increased preserve its positive potential while mitigating its risks. the requirements that CAs must fulfill to remain in root stores. Alternatively, trusted CAs can cross-sign other CAs to extend CCS CONCEPTS their trust to them—thereby mitigating the lengthy and costly vali- • Security and privacy ! Network security. dation process that new CAs need to undergo. Cross-signing de- scribes the approach to obtain signatures from several issuers for 1 KEYWORDS one certificate . It enables new CAs to quickly establish trust. A prominent example is the bootstrapping of Let’s Encrypt, which PKI; X.509; SSL; TLS; cross-signing; cross certification issued trusted certificates based on a cross-sign of their CA certifi- ACM Reference Format: cates by the already trusted CA IdenTrust while applying for root Jens Hiller, Johanna Amann, and Oliver Hohlfeld. 2020. The Boon and store inclusion of their own root certificate [42]. Cross-signing also Bane of Cross-Signing: Shedding Light on a Common Practice in Public ensures broad validation of certificates in face of divergent root Key Infrastructures. In 2020 ACM SIGSAC Conference on Computer and stores of OSes or applications. Communications Security (CCS ’20), November 9–13, 2020, Virtual Event, USA. However, cross-signing also bears risks: as cross-signs are not ACM, New York, NY, USA, 19 pages. https://doi.org/10.1145/3372297.3423345 systematically tracked [80], cross-signing can challenge proper arXiv:2009.08772v1 [cs.CR] 18 Sep 2020 revocation of certificates in case of CA misbehavior, erroneous op- eration, or stolen keys. The complexity added by cross-signs already resulted in too broad application of certificate revocation [31, 94]. ∗Parts of the work conducted during an internship at the International Computer In this paper, we show that cross-signs also can lead to certificates Science Institute (ICSI). remaining valid when their CA was distrusted; that the complexity of existing cross-signs makes revocation difficult; that different Permission to make digital or hard copies of all or part of this work for personal or software and operating systems do not always thoroughly revoke classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation certificates; and that cross-signing makes it difficult to track revo- on the first page. Copyrights for components of this work owned by others than the cation of CA certificates, especially for non-browser software. author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or In this paper, we perform the first systematic study of the use and republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. security effects of cross-signing (also known as cross certification), CCS ’20, November 9–13, 2020, Virtual Event, USA which is one major reason for missing transparency in PKIs [80]. © 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-7089-9/20/11...$15.00 1Technically, cross-signing creates several certificates that share subject and public https://doi.org/10.1145/3372297.3423345 key as each certificate has exactly one issuer. CCS ’20, November 9–13, 2020, Virtual Event, USA Jens Hiller, Johanna Amann, and Oliver Hohlfeld CA CA CA For this, we use a passive TLS data-set that contains information 1 2 3 R3 about more than seven years of real-world TLS usage, containing root R1 R2 R3 I5 I5 more than 225 million certificates derived from more than 300 store I4 billion connections—which provides us with insights on the effect XS-Cert of cross-signs on real user connections. For a broad coverage of CA I1 I2 I3 I4 I5 L6 certificates, we combine this private, user-centered dataset with publicly available data from Certificate Transparency (CT) logs. L1 L2 L3 L4 L5 L6 The main contributions of our paper are as follows: • We provide a classification of different cross-sign patterns Figure 1: An example PKI including a cross-sign (I + I 0). and analyze them with respect to their benefits, but also their 5 5 risks of unexpected effects on the trust system. • We systematically analyze the use of cross-signing in PKI systems, with a focus on the Web PKI. Thereby, we reveal requires time demanding audit and certification processes. During problematic cross-signs that render certificate revocation or the process of being included in root stores, a CA may already want root store removals ineffective, leading to unwanted valid to issue trusted certificates. To this end, another CAtrusted, whose trust paths. We also find legit use cases, e.g., cross-signing certificate is already included in root stores, cross-signs the CA’s enabled the quick tremendous success of Let’s Encrypt, eases root or intermediate certificate to create a trust path that ends in the transition to progressive cryptography while maintain- the already trusted root certificate of CAtrusted. In Figure 1, the ing compatibility for legacy applications, and makes a single intermediate certificate I5 is cross-signed by I4, providing a trust certificate trusted across different applications and operating path to R2. As real-world example, Let’s Encrypt has been using an systems, achieving a non-disruptive user experience. intermediate certificate cross-signed by IdenTrust to already issue • We propose new rules and guidance for cross-signing to certificates while waiting for root store inclusion of its own root preserve its positive potential but mitigate enclosed risks. certificate [42]. Similarly, CAs that are included in only some root stores can use cross-signing to extend trust to further root stores. 2 BACKGROUND CAs typically call this cross-signing (also cross-certification) and the resulting certificates cross-certificates [42, 43]. Analogously, This section gives a brief overview of how CAs establish trust, RFC 5280 defines a cross-certificate as a CA certificate that has how trust is anchored in root stores, and how certificate revoca- different entities as issuer and subject [6]. In this paper, we use a tion is applied today. For a thorough description of PKIs and their broader definition: (i) To analyze cross-signing for all certificate fundamental concepts, we refer readers to [28, 46]. types, i.e., root, intermediate, and leaf certificates, we consider all Operating systems and some web browsers maintain root stores. certificates, not only CA certificates. (ii) To also track effectsof They serve as trust anchors when validating certificates: To be valid, signing a certificate with multiple CA certificates ofthe same entity, a certificate must be issued—directly or indirectly—by a trusted root we only require signatures by two different CA certificates, but not certificate, i.e., a certificate that is included in the root store.
Recommended publications
  • Secure Shell- Its Significance in Networking (Ssh)

    Secure Shell- Its Significance in Networking (Ssh)

    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
  • Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI

    Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI

    Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI Doowon Kim Bum Jun Kwon Tudor Dumitras, University of Maryland University of Maryland University of Maryland College Park, MD College Park, MD College Park, MD [email protected] [email protected] [email protected] ABSTRACT To establish trust in third-party software, we currently rely on Digitally signed malware can bypass system protection mechanisms the code-signing Public Key Infrastructure (PKI). This infrastruc- that install or launch only programs with valid signatures. It can ture includes Certification Authorities (CAs) that issue certificates also evade anti-virus programs, which often forego scanning signed to software publishers, vouching for their identity. Publishers use binaries. Known from advanced threats such as Stuxnet and Flame, these certificates to sign the software they release, and users rely this type of abuse has not been measured systematically in the on these signatures to decide which software packages to trust broader malware landscape. In particular, the methods, effective- (rather than maintaining a list of trusted packages). If adversaries ness window, and security implications of code-signing PKI abuse can compromise code signing certificates, this has severe impli- are not well understood. We propose a threat model that highlights cations for end-host security. Signed malware can bypass system three types of weaknesses in the code-signing PKI. We overcome protection mechanisms that install or launch only programs with challenges specific to code-signing measurements by introducing valid signatures, and it can evade anti-virus programs, which often techniques for prioritizing the collection of code-signing certificates neglect to scan signed binaries.
  • Introduction to Cryptography

    Introduction to Cryptography

    Mag. iur. Dr. techn. Michael Sonntag Introduction to Cryptography Institute of Networks and Security Johannes Kepler University Linz, Austria E-Mail: [email protected] Thanks to Rudolf Hörmanseder for some slides (esp. drawings!) Why cryptography? Security is a very important aspect, especially if money (or equivalents) are affected by transactions Not every information should be available to everyone Note: Data is sent in the Internet over numerous "open systems", where anyone can listen it! Security is needed! The technical aspect of security is cryptography Encrypting data against disclosure and modifications Signing data against modifications and repudiation Note: Cryptography does not solve all security problems! Example: Communication analysis (who talks to whom when) Other aspects of security are also needed » E.g.: Do you know what your employees actually do with data? Solutions: DRM, deactivation codes, anonymizers, … Michael Sonntag Introduction to Cryptography 2 Application areas Storing data in encrypted form Even access will not lead to disclosure (stolen laptops!) Example: File/-system encryption, password storage Transmitting data securely Enc. transmission prevents eavesdropping and tampering Example: TLS Identifying your partner Preventing man-in-the-middle attacks Example: TLS with uni-/bidirectional certificates Proof of identity & authority Avoiding impersonation Example: GPG E-Mail signatures, digital signatures (Austria: "Bürgerkarte“ – “citizen card”) Michael Sonntag Introduction to
  • You Really Shouldn't Roll Your Own Crypto: an Empirical Study of Vulnerabilities in Cryptographic Libraries

    You Really Shouldn't Roll Your Own Crypto: an Empirical Study of Vulnerabilities in Cryptographic Libraries

    You Really Shouldn’t Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries Jenny Blessing Michael A. Specter Daniel J. Weitzner MIT MIT MIT Abstract A common aphorism in applied cryptography is that cryp- The security of the Internet rests on a small number of open- tographic code is inherently difficult to secure due to its com- source cryptographic libraries: a vulnerability in any one of plexity; that one should not “roll your own crypto.” In par- them threatens to compromise a significant percentage of web ticular, the maxim that complexity is the enemy of security traffic. Despite this potential for security impact, the character- is a common refrain within the security community. Since istics and causes of vulnerabilities in cryptographic software the phrase was first popularized in 1999 [52], it has been in- are not well understood. In this work, we conduct the first voked in general discussions about software security [32] and comprehensive analysis of cryptographic libraries and the vul- cited repeatedly as part of the encryption debate [26]. Conven- nerabilities affecting them. We collect data from the National tional wisdom holds that the greater the number of features Vulnerability Database, individual project repositories and in a system, the greater the risk that these features and their mailing lists, and other relevant sources for eight widely used interactions with other components contain vulnerabilities. cryptographic libraries. Unfortunately, the security community lacks empirical ev- Among our most interesting findings is that only 27.2% of idence supporting the “complexity is the enemy of security” vulnerabilities in cryptographic libraries are cryptographic argument with respect to cryptographic software.
  • SSL Checklist for Pentesters

    SSL Checklist for Pentesters

    SSL Checklist for Pentesters Jerome Smith BSides MCR, 27th June 2014 # whoami whoami jerome • Pentester • Author/trainer – Hands-on technical – Web application, infrastructure, wireless security • Security projects – Log correlation – Dirty data – Incident response exercises • Sysadmin • MSc Computing Science (Dist) • www.exploresecurity.com | @exploresecurity Introduction • Broad review of SSL/TLS checks – Viewpoint of pentester – Pitfalls – Manually replicating what tools do (unless you told the client that SSL Labs would be testing them ) – Issues to consider reporting (but views are my own) • While SSL issues are generally low in priority, it’s nice to get them right! • I’m not a cryptographer: this is all best efforts SSLv2 • Flawed, e.g. no handshake protection → MITM downgrade • Modern browsers do not support SSLv2 anyway – Except for IE but it’s disabled by default from IE7 – That mitigates the risk these days – http://en.wikipedia.org/wiki/Transport_Layer_Security#W eb_browsers • OpenSSL 1.0.0+ doesn’t support it – Which means SSLscan won’t find it – General point: tools that dynamically link to an underlying SSL library in the OS can be limited by what that library supports SSLv2 • Same scan on different OpenSSL versions: SSLv2 • testssl.sh warns you – It can work with any installed OpenSSL version • OpenSSL <1.0.0 s_client -ssl2 switch – More on this later • Recompile OpenSSL – http://blog.opensecurityresearch.com/2013/05/fixing-sslv2-support- in-kali-linux.html • SSLyze 0.7+ is statically linked – Watch out for bug https://github.com/iSECPartners/sslyze/issues/73
  • Measuring Breaches of Trust in the Windows Code-Signing PKI

    Measuring Breaches of Trust in the Windows Code-Signing PKI

    Session F5: Understanding Security Fails CCS’17, October 30-November 3, 2017, Dallas, TX, USA Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI Doowon Kim Bum Jun Kwon Tudor Dumitras, University of Maryland University of Maryland University of Maryland College Park, MD College Park, MD College Park, MD [email protected] [email protected] [email protected] ABSTRACT To establish trust in third-party software, we currently rely on Digitally signed malware can bypass system protection mechanisms the code-signing Public Key Infrastructure (PKI). This infrastruc- that install or launch only programs with valid signatures. It can ture includes Certification Authorities (CAs) that issue certificates also evade anti-virus programs, which often forego scanning signed to software publishers, vouching for their identity. Publishers use binaries. Known from advanced threats such as Stuxnet and Flame, these certificates to sign the software they release, and users rely this type of abuse has not been measured systematically in the on these signatures to decide which software packages to trust broader malware landscape. In particular, the methods, effective- (rather than maintaining a list of trusted packages). If adversaries ness window, and security implications of code-signing PKI abuse can compromise code signing certificates, this has severe impli- are not well understood. We propose a threat model that highlights cations for end-host security. Signed malware can bypass system three types of weaknesses in the code-signing PKI. We overcome protection mechanisms that install or launch only programs with challenges specific to code-signing measurements by introducing valid signatures, and it can evade anti-virus programs, which often techniques for prioritizing the collection of code-signing certificates neglect to scan signed binaries.
  • Security Economics in the HTTPS Value Chain

    Security Economics in the HTTPS Value Chain

    Security Economics in the HTTPS Value Chain Hadi Asghari*, Michel J.G. van Eeten*, Axel M. Arnbak+ & Nico A.N.M. van Eijk+1 * [email protected], [email protected] Delft University of Technology, Faculty of Technology Policy and Management + [email protected], [email protected] University van Amsterdam, Faculty of Law, Institute for Information Law Abstract. Even though we increasingly rely on HTTPS to secure Internet communications, several landmark incidents in recent years have illustrated that its security is deeply flawed. We present an extensive multi-disciplinary analysis that examines how the systemic vulnerabilities of the HTTPS authentication model could be addressed. We conceptualize the security issues from the perspective of the HTTPS value chain. We then discuss the breaches at several Certificate Authorities (CAs). Next, we explore the security incentives of CAs via the empirical analysis of the market for SSL certificates, based on the SSL Observatory dataset. This uncovers a surprising pattern: there is no race to the bottom. Rather, we find a highly concentrated market with very large price differences among suppliers and limited price competition. We explain this pattern and explore what it tells us about the security incentives of CAs, including how market leaders seem to benefit from the status quo. In light of these findings, we look at regulatory and technical proposals to address the systemic vulnerabilities in the HTTPS value chain, in particular the EU eSignatures proposal that seeks to strictly regulate HTTPS communications. Keywords: HTTPS, Cybersecurity, Internet Governance, Constitutional Values, E-Commerce, Value Chain Analysis, Security Economics, eSignatures Regulation, SSL, TLS, Digital Certificates, Certificate Authorities.
  • Blockchain-Based Certificate Transparency and Revocation

    Blockchain-Based Certificate Transparency and Revocation

    Blockchain-based Certificate Transparency and Revocation Transparency? Ze Wang1;2;3, Jingqiang Lin1;2;3??, Quanwei Cai1;2, Qiongxiao Wang1;2;3, Jiwu Jing1;2;3, and Daren Zha1;2 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China. 2 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing 100093, China. 3 School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China. {wangze,linjingqiang,caiquanwei,wangqiongxiao}@iie.ac.cn Abstract. Traditional X.509 public key infrastructures (PKIs) depend on certification authorities (CAs) to sign certificates, used in SSL/TLS to authenticate web servers and establish secure channels. However, recent security incidents indicate that CAs may (be compromised to) sign fraud- ulent certificates. In this paper, we propose blockchain-based certificate transparency and revocation transparency. Our scheme is compatible with X.509 PKIs but significantly reinforces the security guarantees of a certificate. The CA-signed certificates and their revocation status in- formation of an SSL/TLS web server are published by the subject (i.e., the web server) as a transaction, and miners of the community append it to the global certificate blockchain after verifying the transaction and mining a block. The certificate blockchain acts as append-only public logs to monitor CAs' certificate signing and revocation operations, and an SSL/TLS web server is granted with the cooperative control on its certificates to balance the absolute authority of CAs in traditional PKIs. We implement the prototype system with Firefox and Nginx, and the experimental results show that it introduces reasonable overheads.
  • Mission Accomplished? HTTPS Security After Diginotar

    Mission Accomplished? HTTPS Security After Diginotar

    Mission Accomplished? HTTPS Security after DigiNotar Johanna Amann* ICSI / LBL / Corelight Oliver Gasser* Technical University of Munich Quirin Scheitle* Technical University of Munich Lexi Brent The University of Sydney Georg Carle Technical University of Munich Ralph Holz The University of Sydney * Joint First Authorship Internet Measurement Conference (IMC) 2017 TLS/HTTPS Security Extensions • Certificate Transparency • HSTS (HTTP Strict Transport Security) • HPKP (HTTP Public Key Pinning) • SCSV (TLS Fallback Signaling Cipher Suite Value) • CAA (Certificate Authority Authorization) • DANE-TLSA (DNS Based Authentication of Named Entities) Methodology • Active & passive scans • Shared pipeline where possible • Active measurements from 2 continents • Largest Domain-based TLS scan so far • More than 192 Million domains • Passive measurements on 3 continents • More than 2.4 Billion observed TLS connections Certificate Transparency CA Issues Certificates Provides publicly auditable, append-only Log of certificates CT Log Also provides proof of inclusion Browser Verifies Proof of Inclusion Certificate Transparency CT Log CA Webserver Browser Certificate Transparency CT Log CA Certificate Webserver Browser Certificate Transparency CT Log CA Certificate Certificate Webserver Browser Certificate Transparency CT Log CA SCT Certificate Certificate Webserver Browser Certificate Transparency CT Log CA SCT Certificate Certificate Webserver Browser Certificate, SCT in TLS Ext. Certificate Transparency CT Log CA Webserver Browser Certificate Transparency Precertificate
  • An Analysis of the Transport Layer Security Protocol

    An Analysis of the Transport Layer Security Protocol

    An Analysis of the Transport Layer Security Protocol Thyla van der Merwe Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group School of Mathematics and Information Security Royal Holloway, University of London 2018 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Paterson. The work presented in this thesis is the result of original research I conducted, in collabo- ration with others, whilst enrolled in the School of Mathematics and Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Thyla van der Merwe March, 2018 2 Dedication To my niece, Emma. May you always believe in your abilities, no matter what anybody tells you, and may you draw on the strength of our family for support, as I have done (especially your Gogo, she’s one tough lady). “If you’re going through hell, keep going.” Winston Churchill 3 Abstract The Transport Layer Security (TLS) protocol is the de facto means for securing commu- nications on the World Wide Web. Originally developed by Netscape Communications, the protocol came under the auspices of the Internet Engineering Task Force (IETF) in the mid 1990s and today serves millions, if not billions, of users on a daily basis. The ubiquitous nature of the protocol has, especially in recent years, made the protocol an attractive target for security researchers. Since the release of TLS 1.2 in 2008, the protocol has suffered many high-profile, and increasingly practical, attacks.
  • The Heartbleed Bug: an Open Secure Sockets Layer Vulnerability

    The Heartbleed Bug: an Open Secure Sockets Layer Vulnerability

    International Journal of Science and Research (IJSR) ISSN (Online): 2319-7064 Impact Factor (2012): 3.358 The Heartbleed Bug: An Open Secure Sockets Layer Vulnerability Thabiso Peter Mpofu1, Noe Elisa2, Nicholaus Gati3 1M. Tech. Student, Department of Computer Science, School of IT, Jawaharlal Nehru Technological University Hyderabad, India 2, 3M. Tech. Student, Department of Computer Networks and Information Security, School of IT, Jawaharlal Nehru Technological University Hyderabad, India 3M. Tech Student, Department of Computer Networks and Information Security, School of IT, Jawaharlal Nehru Technological University Hyderabad, India, Abstract: The Open Secure Sockets Layer (OpenSSL) is used to provide a secure platform for transactions that happen over the internet. About two thirds of the servers on the internet use the OpenSSL platform to provide secure transaction over the internet. The OpenSSL is a widely used open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Transactions such as online shopping, emails and online banking are carried out on the internet through the OpenSSL and other platforms which provide a security. Vulnerabilities have however been found in the OpenSSL that has resulted in a wide public outcry all over the world. A vulnerability referred to as the Heartbleed Bug has sent shockwaves all over the internet. From the study we conducted, the scope of the data that has been potentially compromised is astronomical and includes usernames, passwords, bank account and credit card numbers, medical data, documents in online cloud storage. Not only has all of this user data been directly compromised, but, what are worse, the private keys of the servers running the vulnerable versions of OpenSSL were also almost certainly compromised.
  • Web Content Guidelines for Playstation®4

    Web Content Guidelines for Playstation®4

    Web Content Guidelines for PlayStation®4 Version 9.00 © 2021 Sony Interactive Entertainment Inc. [Copyright and Trademarks] "PlayStation" and "DUALSHOCK" are registered trademarks or trademarks of Sony Interactive Entertainment Inc. Oracle and Java are registered trademarks of Oracle and/or its affiliates. "Mozilla" is a registered trademark of the Mozilla Foundation. The Bluetooth® word mark and logos are registered trademarks owned by the Bluetooth SIG, Inc. and any use of such marks by Sony Interactive Entertainment Inc. is under license. Other trademarks and trade names are those of their respective owners. Safari is a trademark of Apple Inc., registered in the U.S. and other countries. DigiCert is a trademark of DigiCert, Inc. and is protected under the laws of the United States and possibly other countries. Symantec and GeoTrust are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. VeriSign is a trademark of VeriSign, Inc. All other company, product, and service names on this guideline are trade names, trademarks, or registered trademarks of their respective owners. [Terms and Conditions] All rights (including, but not limited to, copyright) pertaining to this Guideline are managed, owned, or used with permission, by SIE. Except for personal, non-commercial, internal use, you are prohibited from using (including, but not limited to, copying, modifying, reproducing in whole or in part, uploading, transmitting, distributing, licensing, selling and publishing) any of this Guideline, without obtaining SIE’s prior written permission. SIE AND/OR ANY OF ITS AFFILIATES MAKE NO REPRESENTATION AND WARRANTY, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR REPRESENTATIONS WITH RESPECT TO THE ACCURACY, RELIABILITY, COMPLETENESS, FITNESS FOR PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD PARTIES RIGHTS AND/OR SAFETY OF THE CONTENTS OF THIS GUIDELINE, AND ANY REPRESENTATIONS AND WARRANTIES RELATING THERETO ARE EXPRESSLY DISCLAIMED.