Certificates in the wild - cs.umd.edu
Certificates in the wild
Slides from
• Dave Levin 414-spring2016
• Michelle Mazurek 414-fall2016
Certificates in the wild
The lock icon indicates that the browser was able to authenticate the other end, i.e., validate its certificate
Certificate chain
Subject (who owns the public key)
Issuer (who verified the identity and signed this certificate)
Common name: the URL of the subject
Serial number: Uniquely identifies this cert with respect to the issuer (look for this in CRLs)
Not valid before/after: When to start and stop believing this cert (start & expiration dates)
The public key: And the issuer’s signature of the public key
Signature algorithm: How the issuer will sign parts of the cert
Subject Alternate Names: Other URLs for which this cert should be considered valid (wellsfargo.com is not the same as www.wellsfargo.com). Can include wildcards, e.g., *.google.com
CRL & OCSP: Where to go to check if this certificate has been revoked
Non-cryptographic checksums
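Added example (not from the original slides): how a client can decide whether a certificate's Subject Alternate Names cover the hostname it connected to, including the wellsfargo.com and *.google.com cases above. The function names and the simplified wildcard rules are assumptions of this sketch; real browsers apply further checks.

```python
# Added example: matching a hostname against a cert's Subject Alternate Names.
# Simplified rules (assumption): "*" must be the entire leftmost label, covers
# exactly one label, and needs at least two fixed labels after it.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if a single SAN entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" in hostname or "" in h or len(p) != len(h):
        return False              # also stops a wildcard spanning labels
    if any("*" in label for label in p[1:]):
        return False              # wildcard outside the leftmost label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards ("w*") not honoured here
    return p == h

def cert_covers(san_list, hostname):
    """True if any SAN entry in the certificate covers hostname."""
    return any(name_matches(s, hostname) for s in san_list)

# Constructed SAN lists using the names from the slide.
WELLS_SANS = ["wellsfargo.com"]
GOOGLE_SANS = ["*.google.com"]

if __name__ == "__main__":
    for sans, host in [(WELLS_SANS, "wellsfargo.com"),
                       (WELLS_SANS, "www.wellsfargo.com"),
                       (GOOGLE_SANS, "mail.google.com"),
                       (GOOGLE_SANS, "google.com"),
                       (GOOGLE_SANS, "a.b.google.com")]:
        print(host, sans, cert_covers(sans, host))
```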
Certificate types
Why are these different?
This is an EV (extended validation) certificate; browsers show the
full name for these kinds of certs
Root CAs
Root CAs in iOS9
• iOS9 ships with >50 that start with A-C
• Full list at: https://support.apple.com/en-us/HT205205
Verifying certificates
Browser
Certificate: “I’m because says so”
Certificate: “I’m because says so”
Certificate: “I’m because I say so!”
Root key store
Every device has one
Must not contain malicious certificates
CA compromise
• 2001: Verisign issued two code-signing certificates for Microsoft Corporation
  • To someone who didn’t actually work at MS
  • No functional revocation paradigm
• 2011: Signing keys compromised at Comodo and DigiNotar
  • Bad certs for Google, Yahoo!, Tor, others
  • Seem to have been used mostly in Iran
• Some CAs are less picky than others
Case study: Superfish (Feb 2015)
• Lenovo laptops shipped with “Superfish” adware
• Installs self-signed root cert into browsers
  • MITM on every HTTPS site to inject ads
• Worse: Same private key for every laptop
  • Password = “komodia” (company
• Lenovo: “did not find any evidence to substantiate security concerns”
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
http://www.sainteldaily.com/archives/11400
Heartbleed and Revocation
Remember Heartbleed (2014)
• OpenSSL vulnerability
• Discovered 03/21, public 04/07
• Potential compromise
  • 100ks of hosts
  • 20M total certs
  • 1.5M certs for Alexa top 1M domains
  • 600k leaf certs
  • 165k domains
• Correct procedure: patch, revoke, reissue
Why study Heartbleed?
03/21 Discovered, 04/02 Akamai patched, 04/07 Publicly announced
Every vulnerable website should have:
1 Patched
2 Revoked
3 Reissued
Heartbleed is a natural experiment: How quickly and thoroughly do administrators act?
Prevalence and patch rates
[Figure: fraction of domains vulnerable to Heartbleed vs. Alexa site rank (bins of 1000); series: was ever vulnerable, still vulnerable after 3 weeks]
Patching rates are mostly positive
Only ~7% had not patched within 3 weeks
How quickly were certs revoked?
[Figure: number of domains per day vs. date, 03/01 to 04/26, with weekends marked]
Reaction ramps up quickly
Security takes the weekends off
Certificate update rates
[Figure: fraction of vulnerable certs not revoked/reissued vs. date, 04/07 to 07/28; series: not reissued, not revoked; 3 wks marked]
Similar pattern to patches: Exponential drop-off, then levels out
After 3 weeks: 13% revoked, 27% reissued
Reissue ⇒ New key?
[Figure: fraction of new certificates reissued with the same key vs. date of birth, 11/2013 to 05/2014; series: all reissues, Heartbleed-induced reissues]
Reissuing the same key is common practice
4.1% Heartbleed-induced
The ugly truth of revocations
93% Patched, 13% Revoked, 27% Reissued
Security is supposed to be a fundamental design goal, but
• Administrators trade off security for ease of maintenance/cost
• Certificate authorities trade off security for profit
Can we wait for expiration?
[Figure: CDF of years of remaining validity (0 to 6) for certs that are vulnerable but not revoked]
We may be dealing with Heartbleed for years
~40% of vulnerable certs will not expire for over 1 year
How well do browsers check certificates?
Testing browser behavior
Revocation protocols
• Browsers should support all major protocols
  • CRLs, OCSP, OCSP stapling
Availability of revocation info
• Browsers should reject certs they cannot check
  • E.g., because the OCSP server is down
Chain lengths
• Browsers should reject a cert if any on the chain fail
  • Leaf, intermediate(s), root
[Figure: chain Root → Intermediate → Intermediate … → Leaf, arrows labeled “signs”]
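Added example (not from the original slides): a model of the checks listed above, walking a leaf-first chain to a root in the local key store and applying either a hard-fail or soft-fail policy when revocation info is unavailable. The Cert class, function names and sample chain are constructed for illustration; signature verification is omitted, and the root store is simplified to a set of subject names.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:  # constructed stand-in for a parsed certificate
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date

def revocation_status(cert, crls):
    """crls maps issuer -> revoked serials; a missing issuer models an
    unreachable CRL/OCSP server."""
    if cert.issuer not in crls:
        return "unavailable"
    return "revoked" if cert.serial in crls[cert.issuer] else "good"

def validate_chain(chain, root_store, crls, today, hard_fail=True):
    """chain is leaf-first and ends in a self-signed root. Signature
    verification is omitted here; a real validator must do it."""
    for cert, parent in zip(chain, chain[1:] + [None]):
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if parent is None:  # root: trusted only via the local key store
            ok = cert.subject == cert.issuer and cert.subject in root_store
            return (True, "ok") if ok else (False, f"{cert.subject}: untrusted root")
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: issuer is not next in chain"
        status = revocation_status(cert, crls)
        if status == "revoked":
            return False, f"{cert.subject}: revoked"
        if status == "unavailable" and hard_fail:
            return False, f"{cert.subject}: revocation info unavailable"
    return False, "empty chain"

# Constructed sample chain (names and serials are made up).
D0, D1, TODAY = date(2014, 1, 1), date(2016, 1, 1), date(2014, 5, 1)
ROOT = Cert("Example Root CA", "Example Root CA", 1, D0, D1)
INTER = Cert("Example Intermediate CA", "Example Root CA", 7, D0, D1)
LEAF = Cert("www.example.test", "Example Intermediate CA", 4242, D0, D1)
CHAIN, STORE = [LEAF, INTER, ROOT], {"Example Root CA"}

if __name__ == "__main__":
    crls = {"Example Root CA": set()}  # intermediate's CRL server is down
    print(validate_chain(CHAIN, STORE, crls, TODAY, hard_fail=True))
    print(validate_chain(CHAIN, STORE, crls, TODAY, hard_fail=False))
```

With soft-fail, a revoked leaf is still accepted whenever its issuer's revocation endpoint cannot be reached, which is the behavior the "Allows if revocation info unavailable" results below describe.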
Results across all browsers
✔ Passes test
✗ Fails test
ev Passes for EV certs
i Ignores OCSP Staple
a Pops up alert to user
l/w Passes on Linux/Win.
Chrome
Generally, only checks for EV certs (~3% of all certs)
Allows if revocation info unavailable
Supports OCSP stapling
Firefox
Never checks CRLs
Only checks intermediates for EV certs
Allows if revocation info unavailable
Supports OCSP stapling
Safari
Checks CRLs and OCSP
Allows if revocation info unavailable
Except for first intermediate, for CRLs
Does not support OCSP stapling
Internet Explorer
Checks CRLs and OCSP
Often rejects if revocation info unavailable
Pops up alert for leaf in IE 10+
Supports OCSP stapling
Mobile Browsers
Uniformly never check
Android browsers request Staple
…and promptly ignore it