SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements
Presented by: Zhengyang Qu
Roadmap
- Background
- Crypto Protocol Issues in HTTPS
- Trust Model Issues in HTTPS
- Security Enhancements to CA/B Model
- Discussion & On-going Research
Background
- Objectives: Confidentiality; Server Authentication; Client Authentication (optional)
- Protocol Specification and Implementation
  - HTTPS: combination of HTTP with SSL/TLS
  - Client-side (by OS or browser): Firefox uses Mozilla's NSS; Chrome uses the underlying OS on Windows and OS X, or NSS on Linux
  - Server-side: Apache (OpenSSL), Windows Server (IIS), Solaris (NSS)
Crypto Protocol Issues in HTTPS: Weakness in Cryptographic Primitives
- Weak Encryption & Signature Key Lengths: a symmetric key encryption scheme with 40, 56, or 64 bit keys is subject to a brute-force attack. Asymmetric encryption schemes like RSA are subject to factoring attacks when used with a 512 bit modulus.
- Weak Hash Functions (collision resistance & second preimage resistance): MD5, MD2
Crypto Protocol Issues in HTTPS: Implementation Flaws & Related Attacks
- Pseudorandom Generator (PRG) Seeding
- Remote Timing Attack
- Oracle Attacks: RSA Encoding; Cipher Block Chaining (CBC) Initialization
- Chosen Plaintext Attacks: Compression; CBC Padding
Crypto Protocol Issues in HTTPS: Protocol-level Attacks
- Ciphersuite Downgrade Attack
- Version Downgrade Attack
- Renegotiation Attack
- Cross-protocol Attack: Diffie-Hellman or RSA; the signed key exchange message does not state which key agreement algorithm is used
Trust Model Issues in HTTPS: Certification
- Domain Validated (DV) & Extended Validated (EV)
- Security Issues
  - Hostname Validation (CAs): e-mail validation at the top-level domain (admin@domain); WhoIS record
  - Hostname Validation (Clients): parsing attack (e.g. bank.com evil.com); mismatch between CA parsing and browser parsing
  - EV Downgrading
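The CA/browser parsing mismatch above arises when the two sides disagree about where a name ends. As an added example (not from the paper or the slides), this client-side matcher refuses any presented name that is not a sequence of plain DNS labels, so a name like the slide's "bank.com evil.com" can never match either host; the wildcard rules follow the usual "one left-most label only" convention.

```python
import re

# One DNS label as a CA should issue it: letters, digits and hyphen only
# (the LDH rule), 1 to 63 characters, no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_labels(name):
    """Split a DNS name into lowercase labels, or return None if any label
    contains a character outside the LDH alphabet. Rejecting instead of
    silently truncating keeps the CA's and the client's view of the name
    from diverging."""
    labels = name.lower().rstrip(".").split(".")
    if not all(_LDH_LABEL.match(label) for label in labels):
        return None
    return labels


def hostname_matches(presented, hostname):
    """Return True if one name taken from a certificate matches the hostname
    the client connected to. A wildcard is accepted only as the whole
    left-most label, matches exactly one label, and never sits directly
    under the TLD (so '*.com' matches nothing)."""
    host = parse_labels(hostname)
    if host is None or len(host) < 2:
        return False
    cert = presented.lower().rstrip(".").split(".")
    if cert[0] == "*":
        rest = parse_labels(".".join(cert[1:]))
        if rest is None or len(rest) < 2:
            return False
        return len(host) == len(rest) + 1 and host[1:] == rest
    cert = parse_labels(presented)
    return cert is not None and cert == host


# Constructed samples (presented name, connected hostname, expected result).
SAMPLES = [
    ("www.bank.com", "www.bank.com", True),
    ("*.bank.com", "login.bank.com", True),
    ("*.bank.com", "a.login.bank.com", False),
    ("*.com", "bank.com", False),
    ("bank.com evil.com", "bank.com", False),
    ("bank.com evil.com", "evil.com", False),
]

if __name__ == "__main__":
    for presented, host, expected in SAMPLES:
        assert hostname_matches(presented, host) is expected, (presented, host)
    print("all hostname checks behave as expected")
```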
Trust Model Issues in HTTPS: Anchoring Trust
- Software Vendors
- Private Networks (e.g. corporate environment)
- Security Issues
  - CA Compromise: MITM attack (e.g. two compromised CAs, Comodo & DigiNotar)
  - Compelled Certificates: nation-states, government (e.g. connection to Facebook via ISPs in Syria)
Trust Model Issues in HTTPS: Transitivity of Trust
- Intermediate CA certificates
- Path Validation Algorithm; constraints: (1) CA: TRUE (2) pathlen: n
- Lack of further chain discovery mechanism: intermediate CAs are invisible to the client before being encountered
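As an added example (not the paper's or the slides' code), this toy path validator enforces the two constraints named on the slide, CA:TRUE and pathlen:n, and stops at the presented chain instead of discovering missing intermediates. Certificates are plain dicts and signatures are assumed to have been verified already.

```python
def validate_chain(chain, trust_anchors):
    """chain[0] is the leaf; chain[-1] must be issued directly by a trust
    anchor, since the client has no way to fetch intermediates it has not
    been shown. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    anchor = trust_anchors.get(chain[-1]["issuer"])
    if anchor is None:
        return False, "chain does not end at a trust anchor"
    # Intermediates still allowed below the current CA (RFC 5280
    # pathLenConstraint semantics); None means unconstrained.
    max_path_len = anchor.get("pathlen")
    prev = anchor
    for depth, cert in enumerate(reversed(chain)):
        is_leaf = depth == len(chain) - 1
        if cert["issuer"] != prev["subject"]:
            return False, f"{cert['subject']} not issued by {prev['subject']}"
        if not is_leaf:
            # Only a certificate marked CA:TRUE may issue other certificates.
            if not cert.get("ca", False):
                return False, f"{cert['subject']} signs a certificate but is not CA:TRUE"
            if max_path_len is not None:
                if max_path_len == 0:
                    return False, f"pathlen exceeded at {cert['subject']}"
                max_path_len -= 1
            own = cert.get("pathlen")
            if own is not None and (max_path_len is None or own < max_path_len):
                max_path_len = own
        prev = cert
    return True, "ok"


# Constructed sample hierarchy: the root permits exactly one intermediate.
TRUST_ANCHORS = {"Root CA": {"subject": "Root CA", "ca": True, "pathlen": 1}}
INTERMEDIATE = {"subject": "Intermediate CA", "issuer": "Root CA", "ca": True}
SUB_CA = {"subject": "Sub CA", "issuer": "Intermediate CA", "ca": True}
END_ENTITY = {"subject": "mail.example", "issuer": "Intermediate CA", "ca": False}

GOOD_CHAIN = [{"subject": "www.example", "issuer": "Intermediate CA", "ca": False}, INTERMEDIATE]
TOO_DEEP = [{"subject": "shop.example", "issuer": "Sub CA", "ca": False}, SUB_CA, INTERMEDIATE]
NOT_A_CA = [{"subject": "victim.example", "issuer": "mail.example", "ca": False}, END_ENTITY, INTERMEDIATE]
ORPHAN = [{"subject": "x.example", "issuer": "Unknown CA", "ca": False}]

if __name__ == "__main__":
    for name in ("GOOD_CHAIN", "TOO_DEEP", "NOT_A_CA", "ORPHAN"):
        print(name, validate_chain(globals()[name], TRUST_ANCHORS))
```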
Trust Model Issues in HTTPS: Maintenance of Trust
- Terminate the validity of a certificate before expiration
- Get Revocation Status: CRLs & OCSP (updated on demand); Responsive Revocation
- Security Issues: Blocking Revocation; Ownership Transfer (e.g. the domain fb.com)
Trust Model Issues in HTTPS: Indication and Interpretation of Trust
- Browser Security Cues, Browser Security Warnings, Mixed Content, Mobile Browsers, HTTP Form Submit
- Security Issues: Stripping SSL/TLS; Spoofing Browser Chrome; Conceding a Warning
Security Enhancements to CA/B Model
- Security Properties Offered by Primitives: Detecting Certificate Substitution; Detecting SSL/TLS Stripping; PKI Improvements
- Evaluation Criteria for Impact on HTTPS: Security & Privacy; Deployability; Usability
Security Enhancements to CA/B Model: Evaluation of Proposed Primitives
- Certificate Pinning (Client History): detection of certificate substitution attacks
- Certificate Pinning (Server): better level of granularity
- Certificate Pinning (Browser Platform): avoids the blind TOFU approach
- Certificate Pinning (DNS): who conducts the validation? DNSSEC, DANE
- Multipath Probing / Crowdsourcing
  - Objective information (time-based and space-based)
  - Subjective information (Omnibroker, Monkeysphere)
  - Convergence (Firefox), DoubleCheck, Certificate Catalogue (Google)
Security Enhancements to CA/B Model
- Channel-bound Credentials: modify the authentication value in cookies
- Credential-bound Channels
- Key Continuity / Manifest
- Server-side changes: TACK, DANE, DVCert
Security Enhancements to CA/B Model: HTTPS-only Pinning
- Many primitives are never invoked unless an HTTPS connection is requested
- The domain supports only HTTPS and communicates that to the client via a pin
- Pin delivery: request headers or TLS extensions; pre-established in the browser; DNS record of the site
Security Enhancements to CA/B Model
- Visual Cues for Secure POST (e.g. SSLight)
- Browser-stored CRL
- Certificate Status Stapling
- Short-lived Certificates
- List of Active Certificates, "Whitelist"
Discussion & On-going Research
- Protocol-level: TLS analysis & modification
- Trust Model Infrastructure: a realistic reflection of trust in the digital world?
- Human Element & the Security User Interface
- Raising the Bar: combine the primitives into the infrastructure; replace the functionality of CAs (e.g. DANE); provide recognizable assurance to users
Thank you!
Discussion & On-going Research: Important Orthogonal Problems
- Gap between the user's cognitive notion of which organization they are connected to and the domain name in the certificate
- Conditions for read/write access to cookies
- Compromised client platform