Certificates in the wild

Slides from

• Dave Levin 414-spring2016

• Michelle Mazurek 414-fall2016

Certificates in the wildThe lock icon indicates that the browser was able to authenticate the other end, i.e., validate its certificate

Certificate chain

Subject (who owns thepublic key)

Issuer (who verified the identity and signed this certificate)

Common name: the URL of the subject

Serial number: Uniquely identifies this cert with respect to the issuer

(look for this in CRLs)

Not valid before/after: When tostart and stop believing this cert

(start & expiration dates)

The public key: And the issuer’ssignature of the public key

Signature algorithm: How theissuer will sign parts of the cert

Subject Alternate Names:Other URLs for which this cert should be considered valid.

(wellsfargo.com is not the sameas www.wellsfargo.com)

Can include wildcards, e.g.,

*.google.com

CRL & OCSP:Where to go to check if this

certificate has been revoked

Non-cryptographic checksums

Certificate typesWhy are these different?

This is an EV (extended validation) certificate; browsers show the

full name for these kinds of certs

Root CAs

Root CAs in iOS9

• iOS9 ships with >50 that start with A-C

• Full list at:https://support.apple.com/en-us/HT205205

Browser

Verifying certificates

Certificate“I’m because says so”

Certificate“I’m because says so”

“I’m because I say so!”Certificate

Browser

Verifying certificates

Certificate“I’m because says so”

Certificate“I’m because says so”

“I’m because I say so!”Certificate

Root key storeEvery device has one

Must not contain

malicious certificates

CA compromise!•  2001: Verisign issued two code-signing certificates for

Microsoft Corporation!•  To someone who didn’t actually work at MS!•  No functional revocation paradigm!

•  2011: Signing keys compromised at Comodo and DigiNotar!•  Bad certs for Google, Yahoo!, Tor, others!•  Seem to have been used mostly in Iran!

•  Some CAs are less picky than others!

Case study: Superfish (Feb 2015)!

•  Lenovo laptops shipped with “Superfish” adware!

•  Installs self-signed root cert into browsers!•  MITM on every HTTPS site to inject ads!

•  Worse: Same private key for every laptop!•  Password = “komodia” (company!

•  Lenovo“did not find any evidence to substantiate security concerns”

http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/!

http

://w

ww

.sai

ntel

daily

.com

/arc

hive

s/11

400!

Heartbleed and Revocation

Remember Heartbleed (2014)

• OpenSSL vulnerability

• Discovered 03/21 Public 04/07

• Potential compromise• 100ks hosts• 20M total certs• 1.5M certs for Alexa top 1M domains• 600k leaf certs• 165k domains

• Correct procedure: patch, revoke, reissue

Why study Heartbleed?

03/21 04/02 04/07

DiscoveredAkamaipatched Publicly announced

03/21 04/02 04/07

DiscoveredAkamaipatched Publicly announced

1 Patched 2 Revoked 3 Reissued

Every vulnerable website should have:

Heartbleed is a natural experiment: How quickly and thoroughly do administrators act?

Prevalence and patch rates

0

0.1

0.2

0.3

0.4

0.5

0.6

0 200000 400000 600000 800000 1e+06

Frac

tion

of D

omai

nsVu

lner

able

to H

eart

blee

d

Alexa Site Rank (bins of 1000)

Was ever vulnerableStill vulnerable

Patching rates are mostly positiveOnly ~7% had not patched within 3 weeks

Was ever vulnerableStill vulnerable after 3 weeks

How quickly were certs revoked?

0

200

400

600

800

1000

1200

03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26

Num

ber o

f Dom

ains

/Day

Date

Reaction ramps up quickly

Security takes the weekends off

Weekends

Certificate update rates

0.6 0.65

0.7 0.75

0.8 0.85

0.9 0.95

1

04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28

Frac

. of V

ulne

rabl

e C

erts

not R

evok

ed/R

eiss

ued

Date

Not reissued

Not revoked

3 wks

Similar pattern to patches: Exponential drop-off, then levels out

After 3 weeks: 13% Revoked 27% Reissued

0

0.1

0.2

0.3

0.4

0.5

0.6

11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014

Frac

tion

of N

ew C

ertif

icat

esR

eiss

ued

with

the

Sam

e K

ey

Date of Birth

All reissuesHeartbleed-induced reissues

Reissue ⇒ New key?

Reissuing the same key is common practice

4.1% Heartbleed-induced

The ugly truth of revocations

13% Revoked 27% Reissued93% Patched

• Administrators trade off security for ease of maintenance/cost• Certificate authorities trade off security for profit

Security is supposed to be a fundamental design goal, but

0

0.2

0.4

0.6

0.8

1

0 1 2 3 4 5 6

CD

F

Years of Remaining Validity

Can we wait for expiration?

We may be dealing with Heartbleed for years

Vulnerable but not revoked

~40% of vulnerable certswill not expire for over 1 year

How well do browsers check certificates

Testing browser behavior

Revocationprotocols

• Browsers should support all major protocols• CRLs, OCSP, OCSP stapling

Availability of revocation info

• Browsers should reject certs they cannot check• E.g., because the OCSP server is down

Chain lengths

• Browsers should reject a cert if any on the chain fail• Leaf, intermediate(s), root

signs

Leaf

Root

Intermediate Intermediate…

Results across all browsers

✔ Passes test ✗ Fails test

ev Passes for EV certsi Ignores OCSP Staple

a Pops up alert to userl/w Passes on Linux/Win.

Results across all browsers

Chrome

Generally, only checks for EV certs~3% of all certs

Allows if revocation info unavailable

Supports OCSP stapling

✔ Passes test ✗ Fails test

ev Passes for EV certsi Ignores OCSP Staple

a Pops up alert to userl/w Passes on Linux/Win.

Results across all browsers

Firefox

Never checks CRLsOnly checks intermediates for EV certs

Allows if revocation info unavailable

Supports OCSP stapling

✔ Passes test ✗ Fails test

ev Passes for EV certsi Ignores OCSP Staple

a Pops up alert to userl/w Passes on Linux/Win.

Results across all browsers

Safari

Checks CRLs and OCSP

Allows if revocation info unavailableExcept for first intermediate, for CRLs

Does not support OCSP stapling

✔ Passes test ✗ Fails test

ev Passes for EV certsi Ignores OCSP Staple

a Pops up alert to userl/w Passes on Linux/Win.

Results across all browsers

Internet Explorer

Checks CRLs and OCSP

Often rejects if revocation info unavailablePops up alert for leaf in IE 10+

Supports OCSP stapling

✔ Passes test ✗ Fails test

ev Passes for EV certsi Ignores OCSP Staple

a Pops up alert to userl/w Passes on Linux/Win.

Results across all browsers

Mobile Browsers

Uniformly never check

Android browsers request Staple

…and promptly ignore it

✔ Passes test ✗ Fails test

ev Passes for EV certsi Ignores OCSP Staple

a Pops up alert to userl/w Passes on Linux/Win.