Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured...
Transcript of Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured...
![Page 1: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/1.jpg)
Certificate Authority Collapse
A.M. Arnbak LL.M.
Can HTTPS Web Browsing Be Secured
Through Regulation?
Hong Kong University, Law Tech Talk, 26 February 2013
![Page 2: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/2.jpg)
Work in Progress
Paper v2.0 due in two weeks
2
![Page 3: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/3.jpg)
Outline Presentation
• HTTPS
• DigiNotar
• Landmark breach
• Insightful, illegitimate mitigation
• HTTPS: Systemic vulnerabilities
• Sweeping EU Proposal: eSignatures Regulation
• Conclusions
3
![Page 4: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/4.jpg)
HTTPS: The Padlock
4
![Page 5: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/5.jpg)
HTTPS* uses SSL/TLS PKI protocol:
Handshake → Encryption
5
*also used by apps, FTP/SMTP/SIP
![Page 6: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/6.jpg)
HTTPS „Handshake‟ Data Flows
6
![Page 7: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/7.jpg)
Prevents (?) Man in the Middle Attack
7
![Page 8: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/8.jpg)
Outline Presentation
• HTTPS
• DigiNotar
• Landmark breach
• Insightful, illegitimate mitigation
• HTTPS: Systemic vulnerabilities
• Sweeping EU Proposal: eSignatures Regulation
• Conclusions
8
![Page 9: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/9.jpg)
9
DigiNotar
9
![Page 10: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/10.jpg)
Dutch Government Got off to a Good Start:
„Stop Using Teh Interwebz!‟
• Minister Donner:
“Don’t do it; use
letters and bank
cheques, just like me”
10
De Telegraaf, Frontpage, 5 Sept. 2011:
![Page 11: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/11.jpg)
Piet Hein Donner
11
![Page 12: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/12.jpg)
False certificates
• 26: *.google.com
• 22: *.skype.com
• 14: *.torproject.org
• 20: Comodo Root CA
• 45: Thawte Root CA
• 17: addons.mozilla.org
• 4: update.microsoft.com
• 25: www.cia.gov
12
• Forensic report:
![Page 13: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/13.jpg)
Google: 300.000 IP addresses affected
The list of domains and the fact that 99% of the users are in Iran
„suggest‟ that the objective of the hackers is to intercept private
communications in Iran. Numbers are, however, contentious
13
![Page 14: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/14.jpg)
... Actually very uncertain
• OCSP logging highly contentious
– Not supported by all browsers and clients
– Could have been faked by attackers
• This seems the case. From the new forensic report:
http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf
14
![Page 15: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/15.jpg)
Time Line & Policy Responses
• 06 June: Possibly first exploration by the attacker(s)
• 19 June: Incident detected by DigiNotar by daily audit procedure
• 10 July: The first succeeded rogue certificate (*.Google.com)
• 04 August: Start massive activity of *.google.com
• 27 August: First mention of *.google.com certificate in blog
• 29 August: DigiNotar‟s *.google.com certificate is revoked
• 2-3 September: Dutch government takes over DigiNotar
• All September: Microsoft delays automatic security patches
• 20 September: DigiNotar bankrupt
• >today: Reporting/analysis
• >today: gradual transition, DigiNotar certificates still used!
15
![Page 16: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/16.jpg)
Open Questions…
• Actual damage of the DigiNotar breach?
• Legal basis for government take-over?
• Why did the government not kill the DigiNotar servers?
• Revocation: wheeling and dealing with Microsoft?
16
![Page 17: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/17.jpg)
Outline Presentation
• HTTPS
• DigiNotar
• Landmark breach
• Insightful, illegitimate mitigation
• HTTPS: Systemic vulnerabilities
• Sweeping EU Proposal: eSignatures Regulation
• Conclusions
17
![Page 18: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/18.jpg)
HTTPS „Handshake‟ Stakeholders
18
![Page 19: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/19.jpg)
To name a few…
• Any CA can vouch for any domain name
– Any CA single point of failure
• Root CAs: default trust by browser
– Based upon paper audit, no forensic tests
• Subordinate CAs: market for subletting root status
– Premium brands versus cheap brands – security?
• Revocation: browser trade-off connectivity ↔ security
– CA scale is risk vector: big CA‟s won‟t be revoked
• Websites implement HTTPS poorly
– Only 19.2% up to date (SSL Pulse, 2013)
19
![Page 20: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/20.jpg)
Actor-based Value Chain Approach:
Every Actor Part of the Problem
20
![Page 21: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/21.jpg)
HTTPS market: 100+ CA‟s, 54
jurisdictions, 50+ government-owned
21
![Page 22: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/22.jpg)
HTTPS market: new empirical data [1]
22
![Page 23: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/23.jpg)
HTTPS market: new empirical data [2]
23
![Page 24: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/24.jpg)
Why not more often abused? Threat model:
States and Corporations, not cybercriminals
24
“Many attacks cannot be made profitable, even when
many profitable targets exist.”
http://weis2011.econinfosec.org/papers/Where%20D
o%20All%20the%20Attacks%20Go.pdf
![Page 25: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/25.jpg)
Outline Presentation
• HTTPS
• DigiNotar
• Landmark breach
• Insightful, illegitimate mitigation
• HTTPS: Systemic vulnerabilities
• Sweeping EU Proposal: eSignatures Regulation
• Conclusions
25
![Page 26: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/26.jpg)
EU Proposal: eSignatures Regulation
• June 2012: EU eSignatures Regulation
• Once adopted, direct binding force in 27 Member States
• All crucial issues discussed in § 4 paper
• Today, 3 issues in focus
– Underlying Values
– Scope
– Liability
26
![Page 27: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/27.jpg)
In focus: underlying values
• Rationale EU Proposal
– “Facilitate digital economy”
– … that‟s it???
• Other interests go unmentioned!
– Reliability, confidentiality, integrity of communications
– Constitutional values: communications freedom, privacy
• Real consequences
– Balancing exercises of executive power
– Formulation of delegated acts
27
![Page 28: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/28.jpg)
In focus: scope
• EU proposal
– „Trust service providers‟ established in EU
• Includes CA‟s issuing SSL certificates
• Other critical stakeholders unregulated
– Explanatory memo. hints at requirements for websites
– But: „responsibility of the HTTPS market‟
• Exceptionally poor argument: „not all EU organisations are
securing their website‟ (p. 35 & 87 Imp Assessment)
• Real consequences
– Disproportionate burden on subset of HTTPS value chain
28
![Page 29: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/29.jpg)
In focus: liability [1]
• EU proposal, art. 9(1):
– „liable for any direct damage (..) due to failure to comply with
Article 15(1), unless (..) he has not acted negligently.‟
» Art. 15(1): open security norm – „state of the art‟
• Other stakeholders unmentioned
– Websites: cheap certificates / poor HTTPS implementation?
– Untimely patching by browsers, OS manufacturers?
– Software manufacturers?
29
![Page 30: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/30.jpg)
In focus: liability [2]
• Real consequences
– Liability may be helpful to incentivise CA‟s
• Security practises
• Proper logging, as they bear burden of proof
– But art. 9(1):
• „Any direct damage‟
– Single company liable for entire HTTPS system?
» DigiNotar liable for damages Google, Microsoft?
» Deadly blow to needed insurance market?
» Favourable to incumbents able to pay insurance fees
30
![Page 31: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/31.jpg)
The US Approach?
Multi-Stakeholder Standardization Process
31
![Page 32: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/32.jpg)
Sensible latest market developments
32
![Page 33: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/33.jpg)
Outline Presentation
• HTTPS
• DigiNotar
• Landmark breach
• Insightful, illegitimate mitigation
• HTTPS: Systemic vulnerabilities
• Sweeping EU Proposal: eSignatures Regulation
• Conclusions
33
![Page 34: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/34.jpg)
Conclusion [1]
Critical Reflection
• Regulation might help to influence incentives, but
– Disproportionate burden on CAs
• Anti-competitive
• May even destroy entire market
• Systemic vulnerabilities remain/reinforced
– HTTPS not error prone
– Next CA breach, again significant disruption
• Technical solution needed, regulation cannot force it
34
![Page 35: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/35.jpg)
Conclusion [2]
Actor-based Value Chain Approach
• Apprise full set of underlying values
– Conceptualise „Security‟
• Risk Assessment: Availability, Confidentiality, Intergrity
• Balance economic, public & fundamental rights interests
• Employ Actor-Based „Value‟ Chain analysis
– Identify Stakeholders and Interactions
– Identify Structural Vulnerabilities
– Consider (Regulatory) Intervention
• Do incentives lead to desired outcomes?
– Security economics
35
![Page 36: Can HTTPS Web Browsing Be Secured Through Regulation?€¦ · Can HTTPS Web Browsing Be Secured Through Regulation? Hong Kong University, Law Tech Talk, 26 February 2013 . Work in](https://reader035.fdocuments.in/reader035/viewer/2022081522/5f0ebd9d7e708231d440b5b8/html5/thumbnails/36.jpg)
36
Contact Info
36
Institute for Information Law (IViR)
University of Amsterdam
http://www.ivir.nl/
A.M. Arnbak, LL.M. – [email protected], LinkedIN, twitter@axelarnbak
Paper: http://ssrn.com/abstract=2031409
Update expected March 2013, joint work with Prof. Nico van Eijk, IViR, and Prof. Michel
van Eeten & Hadi Asghari, TU Delft