Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Web PKI in Practice and Malpractice

Published byJohn Pierce Modified over 7 years ago

Similar presentations

Presentation on theme: "The Web PKI in Practice and Malpractice"— Presentation transcript:

1 The Web PKI in Practice and Malpractice
Bruce Maggs Duke University and Akamai Technologies Joint work with Frank Cangialosi, Taejoong Chung, Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Alan Mislove, Aaron Schulman, and Christo Wilson.

2 Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating? Browser Website public Certificate private Vetting Certificate Authority Certificate is indeed BoA The owner of Certificate

3 Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating? Browser Website Certificate public Certificate private Certificate Authority

4 Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating? Browser Website Certificate public Certificate private Certificate Authority

5 Verifying certificates
“I’m because I say so!” Certificate Root key store Every device has one Must not contain malicious certificates Certificate “I’m because says so” Browser Certificate “I’m because says so”

6 Certificate revocation
What happens when a certificate is no longer valid? Website Certificate Browser Certificate Certificate Periodically pull / query (CRL) (OCSP) Attacker Certificate Certificate Authority Please revoke Certificate Certificate Certificate Revocation

7 Certificate revocation
is a critical part of any PKI Administrators must revoke and reissue as quickly as possible Browsers/OSes should obtain revocations as quickly as possible

8 But Checking Comes at a Cost
Browser Website Certificate Certificate Revoked? Certificate Authority Browsers want pages to load quickly CAs and mobile devices want to reduce bandwidth costs

9 Certificate Authority
OCSP Stapling Browser Website Certificate Certificate Certificate Certificate Authority Certificate But OCSP Stapling rarely activated by admins: Our scan: 3% of normal certs; 2% of EV certs

10 Testing browser behavior
Revocation protocols Browsers should support all major protocols CRLs, OCSP, OCSP stapling Availability of revocation info Browsers should reject certs they cannot check E.g., because the OCSP server is down Chain lengths Browsers should reject a cert if any on the chain fail Leaf, intermediate(s), root Leaf Root Intermediate signs

11 Test harness Implemented 192 tests using fake root certificate + Javascript Unique DNS name, cert chain, CRL/OCSP responder, …

12 EV Certificates Vetting Does the more thorough vetting process
More thorough vetting process of CAs and clients Normal Extended Validation Website Certificate Authority Certificate Vetting Does the more thorough vetting process translate into better security practices? is indeed BoA The owner of

13 Results across all browsers
Safari Checks CRLs and OCSP Allows if revocation info unavailable Except for first intermediate, for CRLs Does not support OCSP stapling Firefox Never checks CRLs Only checks intermediates for EV certs Allows if revocation info unavailable Supports OCSP stapling Internet Explorer Checks CRLs and OCSP Often rejects if revocation info unavailable Pops up alert for leaf in IE 10+ Supports OCSP stapling Chrome Generally, only checks for EV certs ~3% of all certs Allows if revocation info unavailable Supports OCSP stapling Mobile Browsers Uniformly never check Android browsers request Staple …and promptly ignore it ✔ Passes test ✗ Fails test EV Passes for EV certs I Ignores OCSP Staple A Pops up alert to user L/W Passes on Linux/Win.

14 Results across all browsers
Browser developers are not doing what the PKI needs them to do ✔ Passes test ✗ Fails test EV Passes for EV certs I Ignores OCSP Staple A Pops up alert to user L/W Passes on Linux/Win.

15 No browser correctly checks all revocations
Browsers/OSes should obtain revocations as quickly as possible but they don’t No browser correctly checks all revocations Mobile browsers are completely negligent IE is the most responsible (!?) Browser developers are not doing what the PKI needs them to do

16 Surprising Fact #1 Browsers on cell phones do not do any checking for certificate revocation. You don’t really know if you are visiting your bank’s web site.

17 Securing Private Keys RFC 5208: …failure of users to protect their private keys will permit an attacker to masquerade as them or decrypt their personal information.

18 Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating? The only one who knows Alice’s private key is Alice Browser Website Certificate Certificate Verification Revocation checking Vetting Certificate Authority

19 Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating? The only one who knows Alice’s private key is Alice CDN Browser Verification Key sharing Revocation checking Certificate Authority Website Certificate Certificate Vetting

20 How are keys shared? Delegate Delegate Certificate Certificate

21 Why are CDNs holding private keys?
Trend towards serving all content securely Trend towards whole-site delivery through CDNs Split TCP Browser CDN Website TCP three-way handshake TLS handshake Persistent TCP Connection

22 How are keys shared? Copied aws Delegated Aggregated Vet & issue
Upload aws Delegated Vet Issue Vet Aggregated Issue

23 Subject Alternate Name (SAN) Lists
Multiple names for the same organization Spirit:

24 Subject Alternate Name (SAN) Lists
Multiple names for the same organization Spirit: Different organizations lumped together Practice: Who gets the private key? Who manages it? Cruise-liner Certificate

25 Domain equivalence Given two domains, are they the same organization?
Same administrative domain whois google.com Registrant Admin Tech google.co.uk google.de zagat.com golang.org s in whois records reflect administrative domain (or at least point of contact)

26 Domain equivalence Given two domains, are they the same organization?
Same administrative domain google.com whois google.co.uk Registrant Admin Tech google.de zagat.com golang.org

27 Domain equivalence Given two domains, are they the same organization?
Same administrative domain google.com google.co.uk google.de whois Registrant Admin Tech zagat.com golang.org

28 Domain equivalence Given two domains, are they the same organization?
Same administrative domain google.com google.co.uk google.de zagat.com golang.org

29 Domain equivalence challenges
Some admin overlap that doesn’t reflect website administration google.com google.co.uk google.de google.co.tz peroniitaly.co.tz 1,457 okcupid.com tommyhilfiger.fr sonypictures.de

30 Domain equivalence challenges
Registrars hide customers behind common addresses 23,276 14,145 8,741 Approach: Mark some addresses as “non-permissible”

31 Domain equivalence challenges
Some admin overlap that doesn’t reflect website administration Strongly connected Weakly connected Strongly connected Approach: Iteratively apply a clustering algorithm to cull edges

32 Domain equivalence results
..certs with no SAN list ..certs with one-org SAN ..certs with multiple orgs Total # of.. 203,394 4,692,393 161,810 #Domains on.. 124,746 2,265,090 305,904 #Orgs on.. 109,994 1,994,279 255,901

33 Domain equivalence results
..certs with no SAN list ..certs with one-org SAN ..certs with multiple orgs Total # of.. 203,394 4,692,393 161,810 #Domains on.. 124,746 2,265,090 305,904 #Orgs on.. 109,994 1,994,279 255,901 3% of all valid certificates violate the typical one-organization assumption

34 Domain equivalence Registrant Email: domain_names@
Admin Tech nestle.com whois purina.com dogchow.com nestle.com

35 Domain equivalence nestle.com nestle.com dogchow.com purina.com

36 Domain equivalence nestle.com purinaone.co.nz nwnasourceblog.com
dogchow.com purina.com mycatperksnatural.com purina.com

37 161,812 (3.2%) certificates contain multiple organizations
Expected behavior (96.8%) CloudFlare Maximum: 310

38 Use of Cruise-Liner Certificates
Why do some CDNs put domains from different organizations on the same certificates while others do not? Windows XP artifact: no support for the TLS “Server Name Indication” extension To avoid an error, the Web server must provide the correct certificate to the Windows XP browser without any hint of which domain is to be requested Kludge: serve certificates for different domains from different network addresses One CDN has quietly amassed over 10M IPv4 addresses for this purpose

39 Keys have been heavily aggregated
secureserver.net unifiedlayer.com amazonaws.com CloudFlareInc. RackspaceHosting. akamaitechnologies.com 266,110 151,628 78,369 54,158 15,440 #Organizations Hosting provider 277,891 175,089 122,158 87,077 63,418 22,671 #Domains

40 Key sharing makes ripe targets of attack
60% of the most popular websites are hosted on the same provider

41 Key sharing in the web’s PKI
How often do organizations share their private keys? 50% share with ≥1 provider Most and least popular websites are more likely to share How many keys have providers aggregated? Some providers have 100k+ Aggregation has made them ripe targets for attack

42 Surprising Fact #2 Some hosting companies have copies of the private keys belonging to thousands of other organizations. A compromise of any one of these hosting companies would be catastrophic for web security.

43 Taken for Granted A browser can only verify that it is talking to the desired web site if it receives a valid certificate.

44 Certificate Scan Corpus
Scan all of IPv4 port 443 156 scans by U. Michigan June 2012-Jan 2014 74 scans by Rapid7 October 2013-March 2015 80.4M distinct certificates seen

45 Invalid Certificates 72.4M invalid (90.0%) 85.6% self-signed
67% per scan (median) 85.6% self-signed 11.6% signed by untrusted certificate 2.3% otherwise valid but expired

46 Issuers of Certificates

47 Networks Hosting Certificates

48 Devices Issuing Invalid Certificates (top 50 issuers)
Merck-Stadion am Böllenfalltor

49 Sharing A Public/Private Key Pair
A single public key appears in 4,586,469 invalid certificates (6.5%). The corresponding devices must also share the same private key. All issued by Lancom Systems, a Germany company that makes home routers.

50 Leverage Compromised Home Cable Modems/Routers

51 Account Takeover Campaign Attack Architecture

52 Attacking IP Persistence: Finance Customer
75% Multi-day Attackers 427,444,261 Accounts Checked

53 Surprising Fact #3 Over 90% of default certificates served in complete scans of IPv4 port 443 were invalid! The corresponding “web sites” cannot be authenticated.

54 Room for improvement No browser fully checks for revocations
(and IE is the best!) CDNs and other hosting providers play a highly trusted role in the PKI Can new protocols mitigate the need for key sharing? 90% of certificates in use don’t permit authentication securepki.org We want to understand and improve

Download ppt "The Web PKI in Practice and Malpractice"

Similar presentations

Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CP3397 ECommerce.

CP3397 ECommerce.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP.

© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Implementing Native Mode and Internet Based Client Management.

Implementing Native Mode and Internet Based Client Management.
The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.

The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

Similar presentations

Ads by Google