The Web PKI in Practice and Malpractice
Bruce Maggs, Duke University and Akamai Technologies
Joint work with Frank Cangialosi, Taejoong Chung, Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Alan Mislove, Aaron Schulman, and Christo Wilson.
Public Key Infrastructures (PKIs): How can users truly know with whom they are communicating? [Diagram: Browser; Website (public key in Certificate, private key); Certificate Authority (Vetting: "The owner of Certificate is indeed BoA").]
Verifying certificates. Root key store: every device has one; must not contain malicious certificates. [Diagram: certificate chain checked by the Browser: “I’m because I say so!”, “I’m because says so”, “I’m because says so”.]
Certificate revocation: What happens when a certificate is no longer valid? [Diagram: Attacker with the Website's Certificate; Website to Certificate Authority: "Please revoke Certificate"; Browsers periodically pull (CRL) / query (OCSP) the Certificate Authority for the revocation.]
Certificate revocation is a critical part of any PKI. Administrators must revoke and reissue as quickly as possible. Browsers/OSes should obtain revocations as quickly as possible.
But Checking Comes at a Cost. [Diagram: Browser receives Certificate from Website and asks the Certificate Authority "Certificate Revoked?"] Browsers want pages to load quickly. CAs and mobile devices want to reduce bandwidth costs.
OCSP Stapling. [Diagram: Certificate Authority, Website, Browser; Certificate ✔ / Certificate ✗.] But OCSP Stapling rarely activated by admins. Our scan: 3% of normal certs; 2% of EV certs.
Testing browser behavior
Revocation protocols: Browsers should support all major protocols (CRLs, OCSP, OCSP stapling).
Availability of revocation info: Browsers should reject certs they cannot check (e.g., because the OCSP server is down).
Chain lengths: Browsers should reject a cert if any on the chain fail (leaf, intermediate(s), root). [Diagram: Root signs Intermediate … signs Leaf.]
Test harness: Implemented 192 tests using fake root certificate + JavaScript. Unique DNS name, cert chain, CRL/OCSP responder, …
EV Certificates: Normal vs. Extended Validation. More thorough vetting process of CAs and clients. Does the more thorough vetting process translate into better security practices? [Diagram: Website; Certificate Authority; Certificate; Vetting: "The owner of Certificate is indeed BoA".]
Results across all browsers
Safari: Checks CRLs and OCSP. Allows if revocation info unavailable (except for first intermediate, for CRLs). Does not support OCSP stapling.
Firefox: Never checks CRLs. Only checks intermediates for EV certs. Allows if revocation info unavailable. Supports OCSP stapling.
Internet Explorer: Checks CRLs and OCSP. Often rejects if revocation info unavailable. Pops up alert for leaf in IE 10+. Supports OCSP stapling.
Chrome: Generally, only checks for EV certs (~3% of all certs). Allows if revocation info unavailable. Supports OCSP stapling.
Mobile Browsers: Uniformly never check. Android browsers request Staple …and promptly ignore it.
Legend: ✔ Passes test; ✗ Fails test; EV Passes for EV certs; I Ignores OCSP Staple; A Pops up alert to user; L/W Passes on Linux/Win.
Results across all browsers: Browser developers are not doing what the PKI needs them to do.
No browser correctly checks all revocations. Browsers/OSes should obtain revocations as quickly as possible, but they don’t. Mobile browsers are completely negligent. IE is the most responsible (!?). Browser developers are not doing what the PKI needs them to do.
Surprising Fact #1 Browsers on cell phones do not do any checking for certificate revocation. You don’t really know if you are visiting your bank’s web site.
Securing Private Keys RFC 5208: …failure of users to protect their private keys will permit an attacker to masquerade as them or decrypt their personal information.
Public Key Infrastructures (PKIs): How can users truly know with whom they are communicating? The only one who knows Alice’s private key is Alice. [Diagram: Browser (Verification, Revocation checking); Website (Certificate); Certificate Authority (Vetting).]
Public Key Infrastructures (PKIs): How can users truly know with whom they are communicating? The only one who knows Alice’s private key is Alice. [Diagram: Browser (Verification, Revocation checking); CDN (Key sharing); Website (Certificate); Certificate Authority (Vetting).]
How are keys shared? [Diagram labels: Delegate; Certificate.]
Why are CDNs holding private keys? Trend towards serving all content securely. Trend towards whole-site delivery through CDNs. Split TCP. [Diagram: Browser, CDN, Website; TCP three-way handshake; TLS handshake; Persistent TCP Connection.]
How are keys shared? Copied, Delegated, Aggregated. [Diagram labels: Copied: Vet & issue, Upload (aws); Delegated: Vet, Issue (aws); Aggregated: Vet, Issue.]
Subject Alternate Name (SAN) Lists
Spirit: Multiple names for the same organization.
Practice: Different organizations lumped together ("Cruise-liner Certificate"). Who gets the private key? Who manages it?
Domain equivalence: Given two domains, are they the same organization? Same administrative domain. [Diagram: whois lookups for google.com, google.co.uk, google.de, zagat.com, golang.org; Registrant Email / Admin Email / Tech Email: dns-admin@google.com.] Emails in whois records reflect administrative domain (or at least point of contact).
Domain equivalence challenges: Some admin overlap that doesn’t reflect website administration. [Diagram labels: google.com, google.co.uk, google.de (dns-admin@google.com); google.co.tz; support@itfarm.co.tz; ccops@markmonitor.com; peroniitaly.co.tz; 1,457; okcupid.com; tommyhilfiger.fr; sonypictures.de.]
Domain equivalence challenges: Registrars hide customers behind common email addresses: 23,276 whois@bluehost.com; 14,145 contact@privacyprotect.org; 8,741 proxy@whoisprotectservice.com. Approach: Mark some email addresses as “non-permissible”.
Domain equivalence challenges: Some admin overlap that doesn’t reflect website administration. [Diagram: Strongly connected; Weakly connected; Strongly connected.] Approach: Iteratively apply a clustering algorithm to cull edges.
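An added example (not from the talk or the authors' code) of the WHOIS-email approach on the slides above: domains that share a permissible contact address are merged into one organization, and a certificate's SAN list is flagged when it spans more than one. The WHOIS records, the `.example` domains and the function names are constructed for illustration; SAN entries are assumed to be already reduced to registered domains, and the iterative edge-culling step is not implemented.

```python
# Constructed WHOIS contact data (registrant/admin/tech emails per domain).
WHOIS = {
    "google.com": {"dns-admin@google.com"},
    "google.co.uk": {"dns-admin@google.com"},
    "zagat.com": {"dns-admin@google.com", "contact@privacyprotect.org"},
    "shop-a.example": {"whois@bluehost.com"},
    "shop-b.example": {"whois@bluehost.com", "owner@shop-b.example"},
    "blog-b.example": {"owner@shop-b.example"},
}
# Registrar / privacy-proxy addresses that say nothing about who runs the site.
NON_PERMISSIBLE = {"whois@bluehost.com", "contact@privacyprotect.org",
                   "proxy@whoisprotectservice.com"}

def cluster_domains(whois, non_permissible):
    """Union-find: domains sharing a permissible contact email form one org."""
    parent = {d: d for d in whois}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    first_seen = {}  # email -> first domain observed with that email
    for domain, emails in whois.items():
        for email in {e.lower() for e in emails} - non_permissible:
            if email in first_seen:
                parent[find(domain)] = find(first_seen[email])
            else:
                first_seen[email] = domain
    # The root domain of each cluster serves as the organization identifier.
    return {d: find(d) for d in whois}

def classify_cert(san_domains, org_of):
    """Return 'no-san', 'one-org' or 'multi-org' for a certificate's SAN list."""
    if not san_domains:
        return "no-san"
    # A domain without WHOIS data is treated as its own organization.
    orgs = {org_of.get(d, d) for d in san_domains}
    return "one-org" if len(orgs) == 1 else "multi-org"

ORG_OF = cluster_domains(WHOIS, NON_PERMISSIBLE)

if __name__ == "__main__":
    for sans in (["google.com", "zagat.com"],
                 ["shop-a.example", "shop-b.example"], []):
        print(sans, "->", classify_cert(sans, ORG_OF))
```

Passing an empty set as `non_permissible` merges the two unrelated shops through the shared registrar address, which is the false grouping the "non-permissible" list exists to prevent.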
Domain equivalence results

              | ..certs with no SAN list | ..certs with one-org SAN | ..certs with multiple orgs
Total # of..  | 203,394                  | 4,692,393                | 161,810
#Domains on.. | 124,746                  | 2,265,090                | 305,904
#Orgs on..    | 109,994                  | 1,994,279                | 255,901

3% of all valid certificates violate the typical one-organization assumption.
Domain equivalence: whois for nestle.com, purina.com, dogchow.com. Registrant Email: domain_names@ Admin Email: iadmincontact@ Tech Email: DSU.ServiceDelivery@ [Diagram: domains grouped with nestle.com: purina.com, dogchow.com, purinaone.co.nz, nwnasourceblog.com, mycatperksnatural.com.]
161,812 (3.2%) certificates contain multiple organizations. Expected behavior (96.8%). [Plot annotations: CloudFlare; Maximum: 310.]
Use of Cruise-Liner Certificates. Why do some CDNs put domains from different organizations on the same certificates while others do not? Windows XP artifact: no support for the TLS “Server Name Indication” extension. To avoid an error, the Web server must provide the correct certificate to the Windows XP browser without any hint of which domain is to be requested. Kludge: serve certificates for different domains from different network addresses. One CDN has quietly amassed over 10M IPv4 addresses for this purpose.
Keys have been heavily aggregated

Hosting provider        | #Organizations | #Domains
secureserver.net        | 266,110        | 277,891
unifiedlayer.com        | 151,628        | 175,089
amazonaws.com           | 117,229        | 122,158
CloudFlareInc.          | 78,369         | 87,077
RackspaceHosting.       | 54,158         | 63,418
akamaitechnologies.com  | 15,440         | 22,671
…
Key sharing makes ripe targets of attack: 60% of the most popular websites are hosted on the same provider.
Key sharing in the web’s PKI
How often do organizations share their private keys? 50% share with ≥1 provider. Most and least popular websites are more likely to share.
How many keys have providers aggregated? Some providers have 100k+. Aggregation has made them ripe targets for attack.
Surprising Fact #2 Some hosting companies have copies of the private keys belonging to thousands of other organizations. A compromise of any one of these hosting companies would be catastrophic for web security.
Taken for Granted A browser can only verify that it is talking to the desired web site if it receives a valid certificate.
Certificate Scan Corpus: Scan all of IPv4 port 443. 156 scans by U. Michigan, June 2012-Jan 2014. 74 scans by Rapid7, October 2013-March 2015. 80.4M distinct certificates seen.
Invalid Certificates: 72.4M invalid (90.0%); 67% per scan (median). 85.6% self-signed; 11.6% signed by untrusted certificate; 2.3% otherwise valid but expired.
Issuers of Certificates
Networks Hosting Certificates
Devices Issuing Invalid Certificates (top 50 issuers) Merck-Stadion am Böllenfalltor
Sharing A Public/Private Key Pair: A single public key appears in 4,586,469 invalid certificates (6.5%). The corresponding devices must also share the same private key. All issued by Lancom Systems, a German company that makes home routers.
Leverage Compromised Home Cable Modems/Routers
Account Takeover Campaign Attack Architecture
Attacking IP Persistence: Finance Customer 75% Multi-day Attackers 427,444,261 Accounts Checked
Surprising Fact #3 Over 90% of default certificates served in complete scans of IPv4 port 443 were invalid! The corresponding “web sites” cannot be authenticated.
Room for improvement: No browser fully checks for revocations (and IE is the best!). CDNs and other hosting providers play a highly trusted role in the PKI. Can new protocols mitigate the need for key sharing? 90% of certificates in use don’t permit authentication.
securepki.org We want to understand and improve