Linköping University | Department of Computer and Information Science Master thesis, 30 ECTS | Datateknik 2019 | LIU-IDA/LITH-EX-A--19/079--SE Characterizing the HTTPS Trust Landscape – A Passive View from the Edge Karaktärisering av HTTPS Förtroende-Landskap Gustaf Ouvrier Supervisor : Niklas Carlsson, Martin Arlitt Examiner : Niklas Carlsson Linköpings universitet SE–581 83 Linköping +46 13 28 10 00 , www.liu.se Upphovsrätt Detta dokument hålls tillgängligt på Internet - eller dess framtida ersättare - under 25 år från publicer- ingsdatum under förutsättning att inga extraordinära omständigheter uppstår. Tillgång till dokumentet innebär tillstånd för var och en att läsa, ladda ner, skriva ut enstaka ko- pior för enskilt bruk och att använda det oförändrat för ickekommersiell forskning och för undervis- ning. Överföring av upphovsrätten vid en senare tidpunkt kan inte upphäva detta tillstånd. All annan användning av dokumentet kräver upphovsmannens medgivande. För att garantera äktheten, säker- heten och tillgängligheten finns lösningar av teknisk och administrativ art. Upphovsmannens ideella rätt innefattar rätt att bli nämnd som upphovsman i den omfattning som god sed kräver vid användning av dokumentet på ovan beskrivna sätt samt skydd mot att dokumentet ändras eller presenteras i sådan form eller i sådant sammanhang som är kränkande för upphovsman- nens litterära eller konstnärliga anseende eller egenart. För ytterligare information om Linköping University Electronic Press se förlagets hemsida http://www.ep.liu.se/. Copyright The publishers will keep this document online on the Internet - or its possible replacement - for a period of 25 years starting from the date of publication barring exceptional circumstances. The online availability of the document implies permanent permission for anyone to read, to down- load, or to print out single copies for his/hers own use and to use it unchanged for non-commercial research and educational purpose. Subsequent transfers of copyright cannot revoke this permission. All other uses of the document are conditional upon the consent of the copyright owner. The publisher has taken technical and administrative measures to assure authenticity, security and accessibility. According to intellectual property law the author has the right to be mentioned when his/her work is accessed as described above and to be protected against infringement. For additional information about the Linköping University Electronic Press and its procedures for publication and for assurance of document integrity, please refer to its www home page: http://www.ep.liu.se/. © Gustaf Ouvrier Abstract Our society increasingly relies on the Internet for common services like online banking, shopping, and socializing. Many of these services heavily depend on secure end-to-end transactions to transfer personal, financial, or other sensitive information. At the core of ensuring secure transactions are the TLS/SSL protocol and the “trust” relationships between all involved partners. In this thesis we passively monitor the HTTPS traffic between a campus network and the Internet, and characterize the certificate usage and trust relationships in this complex landscape. By comparing our observations against known vulnerabilities and problems, we provide an overview of the actual security that typical Internet users (such as the people on campus) experience. Our measurements cover both mobile and stationary users, consider the involved trust relationships, and provide insights into how the HTTPS protocol is used and the weaknesses observed in practice. Contents Abstract iii Contents iv List of Figures vi List of Tables vii 1 Introduction 1 1.1 Motivation . 1 1.2 Aim............................................ 2 1.3 Research Questions . 2 1.4 Delimitations . 2 1.5 Contributions . 3 2 Theory 4 2.1 Security Aspects . 4 2.2 Cryptographic Primitives . 5 2.3 Transport Layer Security . 10 2.4 Public Key Infrastructure . 13 2.5 Validating Certificate . 16 2.6 Certificate Issuance . 17 3 Method 19 3.1 Data Collection . 19 3.2 Data Processing . 19 3.3 Analyzing the Data . 21 4 Results 22 4.1 Summary of Dataset . 22 4.2 Ratio between HTTP and HTTPS . 23 4.3 Trust in Browsers . 24 4.4 Trust in Certificate Authorities . 26 4.5 Trust in Protocol Version and Cipher Suite Selection . 32 4.6 Session Quality Evaluation . 45 5 Discussion 47 5.1 Ratio between HTTP and HTTPS . 47 5.2 Trust in Browsers . 47 5.3 Trust in Certificate Authorities . 48 5.4 Trust in Protocol Version and Cipher Suite Selection . 50 5.5 Methodology . 52 5.6 Wider Context . 53 iv 6 Conclusion 54 6.1 What are the Most Significant Trust Relationships in HTTPS Communication and How Trustworthy are They Actually in Practice? . 54 6.2 Are There Any Significant Differences between the Security of Mobile and Sta- tionary User Devices in HTTPS Communication? . 57 6.3 What Is the Quality of the Actual Security that Typical Users Experience when Accessing the Internet Using HTTPS? . 58 6.4 Future Work . 59 Bibliography 60 A Appendix 63 v List of Figures 1.1 Relationships and involved parties. 1 2.1 Hash function. 5 2.2 Symmetric-key cryptography. 6 2.3 Message authentication code. 7 2.4 Asymmetric-key cryptography. 8 2.5 Digital signature scheme. 8 2.6 Man in the middle attack scenario. 9 2.7 Full TLS handshake. 11 2.8 Abbreviated TLS handshake. 13 2.9 Simplified scenario of PKIX in TLS protocol. 14 2.10 Certificate landscape example. 15 2.11 Schematic view of X.509 version 3 certificate format. 16 2.12 Chrome browser certificate validation indicator. 17 3.1 Log file processing. 21 4.1 Number of established sessions plotted over time. Shows total number of sessions as well as the subsets of sessions using HTTP and HTTPS. 23 4.2 Cumulative distribution function (CDF) of certificate validity period lengths. 29 4.3 Complementary cumulative distribution function (CCDF) of number domain names per certificate. 30 4.4 Clustered histogram showing the relation between offered and used protocol ver- sions. Each cluster shows the observed shares for the total number of sessions as well as the mobile and stationary subsets. The Y-axis is represented with a log- scale for better presentation of the small measurements. 33 4.5 Top-15 selected encryption ciphers by the server in the cipher suite selection pro- cess. Each cluster shows a breakdown of the observed frequency for four subsets: sessions using mobile devices, stationary devices, protocol TLSv10, and protocol TLSv12. 34 4.6 Top-15 offered encryption ciphers by the client in the cipher suite selection pro- cess. Each cluster shows a breakdown of the observed frequency for four subsets: sessions using mobile devices, stationary devices, protocol TLSv10, and protocol TLSv12. 35 4.7 Complementary cumulative distribution function (CCDF) of cipher suite list sizes offered by client and cumulative distribution function (CDF) of downgrades by the server. 43 4.8 Cumulative distribution function (CDF) of RC4 Cipher when chosen by server. 45 4.9 Clustered histogram of the session quality evaluation based on the four-level se- curity classification. 46 vi List of Tables 4.1 Dataset overview. 22 4.2 Browser share. 24 4.3 Chrome version distribution. 25 4.4 Safari version distribution. 25 4.5 Firefox version distribution. 25 4.6 Internet Explorer version distribution. 25 4.7 Top 10 organizations signing leaf certificates. 26 4.8 Top-six certificates authorities signing EV certificates. 26 4.9 Certificate signature algorithms grouped on type. 27 4.10 Certificate public key grouped on type and key sizes. 28 4.11 Domain name validation. 31 4.12 Certificate validation. 31 4.13 Key exchange algorithms used. 37 4.14 Top-10 key exchange algorithms offered. 37 4.15 Export-grade key exchange algorithms offered. 39 4.16 Encryption algorithms used. 39 4.17 Encryption algorithms offered. 41 4.18 MAC algorithms used. 42 4.19 MAC algorithms offered by client. 42 5.1 Browser usage and version distribution. 47 A.1 Protocol versions offered/used. Data points for Figure 4.4. 63 A.2 Cipher suite used. Data points for Figure 4.5. 64 A.3 Cipher suite offered. Data points for Figure 4.6. 64 A.4 Offered key exchange algorithms. Full version of Table 4.14. 65 A.5 List size and downgrades. The majority of the data points for Figure 4.7. 66 A.6 RC4 cipher position when chosen by server. Data points for Figure 4.8. 66 vii 1 Introduction 1.1 Motivation We are living in an information society in which organizations and individual users increas- ingly rely on the end-to-end security and privacy offered by the HTTPS protocol. With HTTPS, regular Hypertext Transfer Protocol (HTTP) requests and responses are securely transferred over an end-to-end connection encrypted using Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL). With increased value of the information exchanged over the Internet, it is perhaps not sur- prising that HTTPS usage is increasing [21]. HTTPS can provide secure end-to-end transfers of money and other sensitive information, and is often used by authentication-based ser- vices such as online banking, shopping sites, and social networking services. With increased awareness of wiretapping and manipulation of.