Certificate Transparency in the Wild:Exploring the Reliability Of

Total Page:16

File Type:pdf, Size:1020Kb

Certificate Transparency in the Wild:Exploring the Reliability Of Certificate Transparency in the Wild: Exploring the Reliability of Monitors Bingyu Li1;2;3, Jingqiang Lin1;2;3∗, Fengjun Li4, Qiongxiao Wang1;2, Qi Li5, Jiwu Jing6, Congli Wang1;2;3 1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences 2. Data Assurance and Communication Security Center, Chinese Academy of Sciences 3. School of Cyber Security, University of Chinese Academy of Sciences 4. Department of Electrical Engineering and Computer Science, the University of Kansas, USA 5. Institute for Network Sciences and Cyberspace, Tsinghua University, China 6. School of Computer Science and Technology, University of Chinese Academy of Sciences {libingyu, linjingqiang}@iie.ac.cn, [email protected], [email protected], [email protected], [email protected], [email protected] ABSTRACT KEYWORDS To detect fraudulent TLS server certificates and improve the ac- Certificate Transparency; Trust Management countability of certification authorities (CAs), certificate transparen- cy (CT) is proposed to record certificates in publicly-visible logs, from which the monitors fetch all certificates and watch for suspi- ACM Reference Format: cious ones. However, if the monitors, either domain owners them- Bingyu Li, Jingqiang Lin, Fengjun Li, Qiongxiao Wang, Qi Li, Jiwu Jing, and selves or third-party services, fail to return a complete set of cer- Congli Wang. 2019. Certificate Transparency in the Wild: Exploring the tificates issued for a domain of interest, potentially fraudulent cer- Reliability of Monitors. In 2019 ACM SIGSAC Conference on Computer and tificates may not be detected and then the CT framework becomes Communications Security (CCS’19), November 11–15, 2019, London, United less reliable. This paper presents the first systematic study on CT Kingdom. ACM, New York, NY, USA, 16 pages. https://doi.org/10.1145/ monitors. We analyze the data in 88 public logs and the services 3319535.3345653 of 5 active third-party monitors regarding 3,000,431 certificates of 6,000 selected Alexa Top-1M websites. We find that although CT 1 INTRODUCTION allows ordinary domain owners to act as monitors, it is impractical Traditional X.509 public key infrastructures (PKIs) assume trusted for them to perform reliable processing by themselves, due to the certification authorities (CAs) that are responsible for issuing cer- rapidly increasing volume of certificates in public logs (e.g., onav- tificates [14]. However, several security incidents indicate that ac- erage 5 million records or 28.29 GB daily for the minimal set of logs credited CAs may be compromised or deceived to issue fraudulent that need to be monitored). Moreover, our study discloses that (a) TLS server certificates [13, 19, 27, 38, 53, 75, 77, 79], which bind none of the third-party monitors guarantees to return the complete a domain name (e.g., www.facebook.com or www.gmail.com) to set of certificates for a domain, and(b) for some domains, even the a key pair held by man-in-the-middle (MitM) or impersonation union of the certificates returned by the five third-party monitors attackers, instead of the legitimate website. can probably be incomplete. As a result, the certificates accepted Several approaches attempt to tame the absolute authority of by CT-enabled browsers are not absolutely visible to the claimed CAs from different perspectives [22, 40, 43, 72, 76], but none of them domain owners, even when CT is adopted with well-functioning is widely deployed [6]. Certificate transparency (CT) is proposed logs. The risk of invisible fraudulent certificates in public logs raises to detect fraudulent certificates and improve the accountability of doubts on the reliability of CT in practice. CAs [28, 46]. It has been supported by browsers and TLS software, CCS CONCEPTS including Chrome [29], Apple platforms [8], Firefox [55], OpenSSL [59], Nginx [56], Microsoft AD Certificate Service and Azure Key • Security and privacy → Security services; Network secu- Vault [51]. rity. In the CT framework, a certificate is submitted to multiple public ∗Jingqiang Lin is the corresponding author. servers called logs by the CA that issues it or sometimes by the domain owner (or website) for which it is issued. In response, the log Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed generates a signed certificate timestamp (SCT). In TLS negotiations, for profit or commercial advantage and that copies bear this notice and the full citation the server certificate is delivered along with SCTs; otherwise, it will on the first page. Copyrights for components of this work owned by others than ACM be rejected by CT-enabled browsers. CT ensures that any certificate must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a acceptable to CT-enabled browsers is recorded in publicly-visible fee. Request permissions from [email protected]. logs, so that it is visible to monitors for further checks. CCS ’19, November 11–15, 2019, London, United Kingdom It is worth noting that CT does not prevent a CA from issuing © 2019 Association for Computing Machinery. ACM ISBN 978-1-4503-6747-9/19/11...$15.00 fraudulent certificates. CT logs only record all certificates submit- https://doi.org/10.1145/3319535.3345653 ted to them and sign the corresponding SCTs, without checking whether a certificate is issued with the domain owner’s authoriza- costly for an ordinary domain owner to act as the monitor by itself, tion. Hence, a fraudulent certificate is still acceptable to CT-enabled to fetch and process the rapidly increasing volume of certificates browsers after being submitted to the logs by the attacker (e.g., a (about 30 GB per day at least) in the public logs. compromised CA). So the CT framework relies on the monitors Moreover, our study of the third-party monitor services shows to retrieve all the certificates belonging to the inquired domain in that none of the third-party monitors guarantees to return the com- a timely and reliably means to assist the detection of fraudulent plete set of valid certificates recorded in the public logs for a domain. certificates. If a fraudulent certificate is missing in the search result We studied two groups of domains, one for the popular Alexa Top- returned to users, the attacker could exploit it to launch MitM or im- 1K websites and the other for less popular ones (5,000 domains personation attacks, without triggering any alert in CT. The longer randomly selected from Alexa Top-1M websites), and searched cer- the fraudulent certificates stay undetected in the system (orCT tificates for all these domains from 5 third-party monitors. Inboth logs), the more the damage they may cause to the PKI ecosystem. cases, none of the monitors returns the complete sets of certificates Thus, the quality of the search results provided by the CT monitors, for all the inquired domain names, which also supports our first especially the completeness of the results, affects the overall security finding that an ordinary domain owner is less capable of actingas enhancement by the CT framework. a monitor to process all records in the logs. The incompleteness of However, there is little study in the literature about the relia- the returned search results may cause some fraudulent certificates bility of the services provided by CT monitors. In practice, many in public logs to be invisible to the claimed domain owners and thus third-party monitors claim to reliably return all known, unexpired evade the detection, which makes the CT framework unreliable. certificates for a domain [24, 35, 63], but none of them provides To the best of our knowledge, this is the first work to analyze CT any mechanism about the completeness of the returned results. monitors in the wild. Existing studies on CT [6, 37, 58, 67, 70, 74] This work is among the first to study the reliability of CT mon- focus on the deployment of log servers and the adoption in websites itors. We expect a reliable monitor to return the complete set of or browsers. While providing different views of CT, these large-scale certificates for any inquired domain name. With the assistance of studies do not investigate the reliability of monitors in practice. Our such reliable monitors, a domain owner can quickly identify any study identifies challenges in the implementation of CT monitors suspicious certificates issued for its domain. However, this requires and discloses the vulnerabilities in third-party monitors. the monitor to monitor a large number of, if not all, public CT logs. In summary, the contributions of this paper are as follow: (a) We In practice, it needs to fetch all certificates at least in the default perform the first systematic study of the reliability of monitors for logs that are pre-included in CT-enabled browsers. Meanwhile, the the purpose of studying the effectiveness of CT. (b) We investigate monitor should process the fetched certificates properly to produce various types of log sets and find that each monitor can monitor a the correct answer for each inquiry in the certificate search services. minimal set of logs while ensuring the reliability. (c) We measure While the monitors are essential to CT, it remains unclear if the the reliability of all mainstream third-party monitors and evaluate monitors in the wild provide reliable services. A domain owner is the completeness of certificates returned by their certificate search allowed to act as a monitor to watch for certificates related to its services. (d) We analyze the possible causes of incomplete certificate domain name [28, 44].
Recommended publications
  • Using Frankencerts for Automated Adversarial Testing of Certificate
    Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations Chad Brubaker ∗ y Suman Janay Baishakhi Rayz Sarfraz Khurshidy Vitaly Shmatikovy ∗Google yThe University of Texas at Austin zUniversity of California, Davis Abstract—Modern network security rests on the Secure Sock- many open-source implementations of SSL/TLS are available ets Layer (SSL) and Transport Layer Security (TLS) protocols. for developers who need to incorporate SSL/TLS into their Distributed systems, mobile and desktop applications, embedded software: OpenSSL, NSS, GnuTLS, CyaSSL, PolarSSL, Ma- devices, and all of secure Web rely on SSL/TLS for protection trixSSL, cryptlib, and several others. Several Web browsers against network attacks. This protection critically depends on include their own, proprietary implementations. whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. In this paper, we focus on server authentication, which We design, implement, and apply the first methodology for is the only protection against man-in-the-middle and other large-scale testing of certificate validation logic in SSL/TLS server impersonation attacks, and thus essential for HTTPS implementations. Our first ingredient is “frankencerts,” synthetic and virtually any other application of SSL/TLS. Server authen- certificates that are randomly mutated from parts of real cer- tication in SSL/TLS depends entirely on a single step in the tificates and thus include unusual combinations of extensions handshake protocol. As part of its “Server Hello” message, and constraints. Our second ingredient is differential testing: if the server presents an X.509 certificate with its public key.
    [Show full text]
  • Quantitative Verification of Gossip Protocols for Certificate Transparency
    QUANTITATIVE VERIFICATION OF GOSSIP PROTOCOLS FOR CERTIFICATE TRANSPARENCY by MICHAEL COLIN OXFORD A thesis submitted to the University of Birmingham for the degree of DOCTOR OF PHILOSOPHY School of Computer Science College of Engineering and Physical Sciences University of Birmingham December 2020 2 Abstract Certificate transparency is a promising solution to publicly auditing Internet certificates. However, there is the potential of split-world attacks, where users are directed to fake versions of the log where they may accept fraudulent certificates. To ensure users are seeing the same version of a log, gossip protocols have been designed where users share and verify log-generated data. This thesis proposes a methodology of evaluating such protocols using probabilistic model checking, a collection of techniques for formally verifying properties of stochastic systems. It also describes the approach to modelling and verifying the protocols and analysing several aspects, including the success rate of detecting inconsistencies in gossip messages and its efficiency in terms of bandwidth. This thesis also compares different protocol variants and suggests ways to augment the protocol to improve performances, using model checking to verify the claims. To address uncertainty and unscalability issues within the models, this thesis shows how to transform models by allowing the probability of certain events to lie within a range of values, and abstract them to make the verification process more efficient. Lastly, by parameterising the models, this thesis shows how to search possible model configurations to find the worst-case behaviour for certain formal properties. 4 Acknowledgements To Auntie Mary and Nanny Lee. Writing this thesis could not have been accomplished after four tumultuous years alone.
    [Show full text]
  • Let's Encrypt: 30,229 Jan, 2018 | Let's Encrypt: 18,326 Jan, 2016 | Let's Encrypt: 330 Feb, 2017 | Let's Encrypt: 8,199
    Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web Josh Aas∗ Richard Barnes∗ Benton Case Let’s Encrypt Cisco Stanford University Zakir Durumeric Peter Eckersley∗ Alan Flores-López Stanford University Electronic Frontier Foundation Stanford University J. Alex Halderman∗† Jacob Hoffman-Andrews∗ James Kasten∗ University of Michigan Electronic Frontier Foundation University of Michigan Eric Rescorla∗ Seth Schoen∗ Brad Warren∗ Mozilla Electronic Frontier Foundation Electronic Frontier Foundation ABSTRACT 1 INTRODUCTION Let’s Encrypt is a free, open, and automated HTTPS certificate au- HTTPS [78] is the cryptographic foundation of the Web, providing thority (CA) created to advance HTTPS adoption to the entire Web. an encrypted and authenticated form of HTTP over the TLS trans- Since its launch in late 2015, Let’s Encrypt has grown to become the port [79]. When HTTPS was introduced by Netscape twenty-five world’s largest HTTPS CA, accounting for more currently valid cer- years ago [51], the primary use cases were protecting financial tificates than all other browser-trusted CAs combined. By January transactions and login credentials, but users today face a growing 2019, it had issued over 538 million certificates for 223 million do- range of threats from hostile networks—including mass surveil- main names. We describe how we built Let’s Encrypt, including the lance and censorship by governments [99, 106], consumer profiling architecture of the CA software system (Boulder) and the structure and ad injection by ISPs [30, 95], and insertion of malicious code of the organization that operates it (ISRG), and we discuss lessons by network devices [68]—which make HTTPS important for prac- learned from the experience.
    [Show full text]
  • Analysis of SSL Certificate Reissues and Revocations in the Wake
    Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed Liang Zhang David Choffnes Dave Levin Tudor Dumitra¸s Northeastern University Northeastern University University of Maryland University of Maryland [email protected] [email protected] [email protected] [email protected] Alan Mislove Aaron Schulman Christo Wilson Northeastern University Stanford University Northeastern University [email protected] [email protected] [email protected] ABSTRACT Categories and Subject Descriptors Central to the secure operation of a public key infrastruc- C.2.2 [Computer-Communication Networks]: Net- ture (PKI) is the ability to revoke certificates. While much work Protocols; C.2.3 [Computer-Communication Net- of users' security rests on this process taking place quickly, works]: Network Operations; E.3 [Data Encryption]: in practice, revocation typically requires a human to decide Public Key Cryptosystems, Standards to reissue a new certificate and revoke the old one. Thus, having a proper understanding of how often systems admin- istrators reissue and revoke certificates is crucial to under- Keywords standing the integrity of a PKI. Unfortunately, this is typi- Heartbleed; SSL; TLS; HTTPS; X.509; Certificates; Reissue; cally difficult to measure: while it is relatively easy to deter- Revocation; Extended validation mine when a certificate is revoked, it is difficult to determine whether and when an administrator should have revoked. In this paper, we use a recent widespread security vul- 1. INTRODUCTION nerability as a natural experiment. Publicly announced in Secure Sockets Layer (SSL) and Transport Layer Secu- April 2014, the Heartbleed OpenSSL bug, potentially (and rity (TLS)1 are the de-facto standards for securing Internet undetectably) revealed servers' private keys.
    [Show full text]
  • Certificate Transparency: New Part of PKI Infrastructure
    Certificate transparency: New part of PKI infrastructure A presentation by Dmitry Belyavsky, TCI ENOG 7 Moscow, May 26-27, 2014 About PKI *) *) PKI (public-key infrastructure) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates Check the server certificate The server certificate signed correctly by any of them? Many trusted CAs NO YES Everything seems to We warn the user be ok! DigiNotar case OCSP requests for the fake *.google.com certificate Source: FOX-IT, Interim Report, http://cryptome.org/0005/diginotar-insec.pdf PKI: extra trust Independent Trusted PKI source certificate DANE (RFC 6698) Certificate pinning Limited browsers support Mozilla Certificate Patrol, Chrome cache for Google certificates Certificate transparency (RFC 6962) Inspired by Google (Support in Chrome appeared) One of the authors - Ben Laurie (OpenSSL Founder) CA support – Comodo Certificate Transparency: how it works • Log accepts cert => SCT Client • Is SCT present and signed correctly? Client • Is SCT present and signed correctly? Auditor • Does log server behave correctly? Monitor • Any suspicious certs? Certificate Transparency: how it works Source: http://www.certificate-transparency.org Certificate Transparency how it works Source: http://www.certificate-transparency.org Certificate Transparency current state Google Chrome Support (33+) http://www.certificate-transparency.org/certificate-transparency-in-chrome Google Cert EV plan http://www.certificate-transparency.org/ev-ct-plan Certificate Transparency current state Open source code 2 pilot logs Certificate Transparency: protect from what? SAVE from MITM attack ü Warning from browser ü Site owner can watch logs for certs Do NOT SAVE from HEARTBLEED! Certificate transparency and Russian GOST crypto Russian GOST does not save from the MITM attack Algorithm SHA-256 >>> GOSTR34.11-2012 Key >>> GOST R 34.10-2012 Q&A Questions? Drop ‘em at: [email protected] .
    [Show full text]
  • An Empirical Analysis of Email Delivery Security
    Neither Snow Nor Rain Nor MITM . An Empirical Analysis of Email Delivery Security Zakir Durumeric† David Adrian† Ariana Mirian† James Kasten† Elie Bursztein‡ Nicolas Lidzborski‡ Kurt Thomas‡ Vijay Eranti‡ Michael Bailey§ J. Alex Halderman† † University of Michigan ‡ Google, Inc. § University of Illinois, Urbana Champaign {zakir, davadria, amirian, jdkasten, jhalderm}@umich.edu {elieb, nlidz, kurtthomas, vijaye}@google.com [email protected] ABSTRACT tolerate unprotected communication at the expense of user security. The SMTP protocol is responsible for carrying some of users’ most Equally problematic, users face a medium that fails to alert clients intimate communication, but like other Internet protocols, authen- when messages traverse an insecure path and that lacks a mechanism tication and confidentiality were added only as an afterthought. In to enforce strict transport security. this work, we present the first report on global adoption rates of In this work, we measure the global adoption of SMTP security SMTP security extensions, including: STARTTLS, SPF, DKIM, and extensions and the resulting impact on end users. Our study draws DMARC. We present data from two perspectives: SMTP server from two unique perspectives: longitudinal SMTP connection logs configurations for the Alexa Top Million domains, and over a year spanning from January 2014 to April 2015 for Gmail, one of the of SMTP connections to and from Gmail. We find that the top mail world’s largest mail providers; and a snapshot of SMTP server providers (e.g., Gmail, Yahoo,
    [Show full text]
  • Analysis of SSL Certificate Reissues And
    Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed Liang Zhang David Choffnes Dave Levin Tudor Dumitra¸s Northeastern University Northeastern University University of Maryland University of Maryland [email protected] [email protected] [email protected] [email protected] Alan Mislove Aaron Schulman Christo Wilson Northeastern University Stanford University Northeastern University [email protected] [email protected] [email protected] ABSTRACT Categories and Subject Descriptors Central to the secure operation of a public key infrastruc- C.2.2 [Computer-Communication Networks]: Net- ture (PKI) is the ability to revoke certificates. While much work Protocols; C.2.3 [Computer-Communication Net- of users' security rests on this process taking place quickly, works]: Network Operations; E.3 [Data Encryption]: in practice, revocation typically requires a human to decide Public Key Cryptosystems, Standards to reissue a new certificate and revoke the old one. Thus, having a proper understanding of how often systems admin- istrators reissue and revoke certificates is crucial to under- Keywords standing the integrity of a PKI. Unfortunately, this is typi- Heartbleed; SSL; TLS; HTTPS; X.509; Certificates; Reissue; cally difficult to measure: while it is relatively easy to deter- Revocation; Extended validation mine when a certificate is revoked, it is difficult to determine whether and when an administrator should have revoked. In this paper, we use a recent widespread security vul- 1. INTRODUCTION nerability as a natural experiment. Publicly announced in Secure Sockets Layer (SSL) and Transport Layer Secu- April 2014, the Heartbleed OpenSSL bug, potentially (and rity (TLS)1 are the de-facto standards for securing Internet undetectably) revealed servers' private keys.
    [Show full text]
  • Certificate Transparency Using Blockchain
    Certicate Transparency Using Blockchain D S V Madala1, Mahabir Prasad Jhanwar1, and Anupam Chattopadhyay2 1Department of Computer Science. Ashoka University, India 2School of Computer Science and Engineering. NTU, Singapore Abstract The security of web communication via the SSL/TLS protocols relies on safe distribu- tions of public keys associated with web domains in the form of X:509 certicates. Certicate authorities (CAs) are trusted third parties that issue these certicates. However, the CA ecosystem is fragile and prone to compromises. Starting with Google's Certicate Trans- parency project, a number of research works have recently looked at adding transparency for better CA accountability, eectively through public logs of all certicates issued by certica- tion authorities, to augment the current X:509 certicate validation process into SSL/TLS. In this paper, leveraging recent progress in blockchain technology, we propose a novel system, called CTB, that makes it impossible for a CA to issue a certicate for a domain without obtaining consent from the domain owner. We further make progress to equip CTB with certicate revocation mechanism. We implement CTB using IBM's Hyperledger Fabric blockchain platform. CTB's smart contract, written in Go, is provided for complete reference. 1 Introduction The overwhelming adoption of SSL/TLS (Secure Socket Layer/Transport Layer Security Proto- cols) [4, 33] for most HTTP trac has transformed the Internet into a communication platform with strong measures of condentiality and integrity. It is one
    [Show full text]
  • Public Key Distribution (And Certifications)
    Lecture 12 Public Key Distribution (and Certifications) (Chapter 15 in KPS) 1 A Typical KDC-based Key Distribution Scenario KDC = Key Distribution Center KDC EK[X] = Encryption of X with key K (1) Request|B|N1 (2) E [K |Request|N |E (K ,A)] Ka s 1 Kb s (3) E [K ,A] Kb s A (4) E [A,N ] Ks 2 B Notes: (5) E [f(N )] Ks 2 • Msg2 is tied to Msg1 • Msg2 is fresh/new • Msg3 is possibly old * • Msg1 is possibly old (KDC doesn’t authenticate Alice) • Bob authenticates Alice • Bob authenticates KDC 2 • Alice DOES NOT authenticate Bob Public Key Distribution • General Schemes: • Public announcement (e.g., in a newsgroup or email message) • Can be forged • Publicly available directory • Can be tampered with • Public-key certificates (PKCs) issued by trusted off-line Certification Authorities (CAs) 3 Certification Authorities • Certification Authority (CA): binds public key to a specific entity • Each entity (user, host, etc.) registers its public key with CA. • Bob provides “proof of identity” to CA. • CA creates certificate binding Bob to this public key. • Certificate containing Bob’s public key digitally signed by CA: CA says: “this is Bob’s public key” Bob’s digital PK public signature B key PK B certificate for Bob’s CA Bob’s private SK public key, signed by identifying key CA CA information 4 Certification Authority • When Alice wants to get Bob’s public key: • Get Bob’s certificate (from Bob or elsewhere) • Using CA’s public key verify the signature on Bob’s certificate • Check for expiration • Check for revocation (we’ll talk about this later) • Extract Bob’s public key Bob’s PK B digital Public signature Key PK B CA Public PK Key CA 5 A Certificate Contains • Serial number (unique to issuer) • Info about certificate owner, including algorithm and key value itself (not shown) • info about certificate issuer • valid dates • digital signature by issuer 6 Reflection Attack and a Fix • Original Protocol 1.
    [Show full text]
  • Certificate Transparency Description
    Certificate Transparency Description Certificate Transparency is an experimental protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs. Logs are network services that implement the protocol operations for submissions and queries that are defined in this document. (q.v. IETF RFC 6962) The objectives are described as: Make it very difficult for a CA to issue a TLS certificate for a domain without the certificate being visible to the owner of that domain. Provide an open auditing and monitoring system that lets any domain owner or CA determine whether certificates have been mistakenly or maliciously issued. Protect users from being duped by certificates that were mistakenly or maliciously issued. (q.v. https://www.certificate-transparency.org/what-is-ct) Note that end user TLS clients are not responsible for validating CT logs, all they need to do is enforce a requirement that certificates must have extensions that show that they were issued under these procedures by validating a Signed Certificate Timestamp (SCT) data object presented with the TLS server certificate. Monitors and Auditors have the primary responsibility of detecting anomalous certificates that were never submitted to the logs. According to wikipedia, the implementation status of the standard is as follows: Google launched its first certificate transparency log in March 2013.
    [Show full text]
  • Trust Me, I'm a Root CA! Analyzing SSL Root Cas in Modern Browsers
    Trust me, I’m a Root CA! Analyzing SSL Root CAs in modern Browsers and Operating Systems Tariq Fadai, Sebastian Schrittwieser Peter Kieseberg, Martin Mulazzani Josef Ressel Center for Unified Threat Intelligence SBA Research, on Targeted Attacks, Austria St. Poelten University of Applied Sciences, Austria Email: [pkieseberg,mmulazzani]@sba-research.org Email: [is101005,sebastian.schrittwieser]@fhstp.ac.at Abstract—The security and privacy of our online communi- tected communications is dependent on the trustworthiness cations heavily relies on the entity authentication mechanisms of various companies and governments. It is therefore of provided by SSL. Those mechanisms in turn heavily depend interest to find out which companies we implicitly trust just on the trustworthiness of a large number of companies and governmental institutions for attestation of the identity of SSL by using different operating system platforms or browsers. services providers. In order to offer a wide and unobstructed In this paper an analysis of the root certificates included in availability of SSL-enabled services and to remove the need various browsers and operating systems is introduced. Our to make a large amount of trust decisions from their users, main contributions are: operating systems and browser manufactures include lists of certification authorities which are trusted for SSL entity • We performed an in-depth analysis of Root Certifi- authentication by their products. This has the problematic cate Authorities in modern operating systems and web effect that users of such browsers and operating systems browsers implicitly trust those certification authorities with the privacy • We correlated them against a variety of trust indexes of their communications while they might not even realize it.
    [Show full text]
  • The Most Dangerous Code in the World: Validating SSL Certificates In
    The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software Martin Georgiev Subodh Iyengar Suman Jana The University of Texas Stanford University The University of Texas at Austin at Austin Rishita Anubhai Dan Boneh Vitaly Shmatikov Stanford University Stanford University The University of Texas at Austin ABSTRACT cations. The main purpose of SSL is to provide end-to-end security SSL (Secure Sockets Layer) is the de facto standard for secure In- against an active, man-in-the-middle attacker. Even if the network ternet communications. Security of SSL connections against an is completely compromised—DNS is poisoned, access points and active network attacker depends on correctly validating public-key routers are controlled by the adversary, etc.—SSL is intended to certificates presented when the connection is established. guarantee confidentiality, authenticity, and integrity for communi- We demonstrate that SSL certificate validation is completely bro- cations between the client and the server. Authenticating the server is a critical part of SSL connection es- ken in many security-critical applications and libraries. Vulnerable 1 software includes Amazon’s EC2 Java library and all cloud clients tablishment. This authentication takes place during the SSL hand- based on it; Amazon’s and PayPal’s merchant SDKs responsible shake, when the server presents its public-key certificate. In order for transmitting payment details from e-commerce sites to payment for the SSL connection to be secure, the client must carefully verify gateways; integrated shopping carts such as osCommerce, ZenCart, that the certificate has been issued by a valid certificate authority, Ubercart, and PrestaShop; AdMob code used by mobile websites; has not expired (or been revoked), the name(s) listed in the certifi- Chase mobile banking and several other Android apps and libraries; cate match(es) the name of the domain that the client is connecting Java Web-services middleware—including Apache Axis, Axis 2, to, and perform several other checks [14, 15].
    [Show full text]