CLOUD STRIFE: Mitigating the Security Risks of Domain-Validated Certificates

Kevin Borgolte, Tobias Fiebig (t.fiebig@tudelft.nl), Shuang Hao (shao@utdallas.edu), Christopher Kruegel, Giovanni Vigna

Internet Research Task Force: Applied Networking Research Workshop (ANRW 2018) / IETF 102


STALE DNS RECORDS AND IP ADDRESS RE-USE

cloudstrife.seclab.cs.ucsb.edu

34.215.255.68

• How to migrate DNS gracefully?

• When to release 34.215.255.68? TTL? Longer?

• What about failure and automatic scaling?


DOMAIN-VALIDATED CERTIFICATES

• Standard TLS certificate

• Trusted by major browsers and operating systems

• Credited for the rise in HTTPS adoption

• Cheap or free

• No identity verification

[Figure: Top SSL Issuers (Let’s Encrypt, Comodo, GeoTrust), via https://nettrack.info/ssl_certificate_issuers.html]

HTTP-BASED DOMAIN-VALIDATION

[Figure: ACME exchange between Client, ACME CA and the example.com webserver]

1 Request certificate

2 Respond with challenge

3 Host challenge at http://example.com

4 Verify challenge

If you control the host behind the domain, then you can prove domain ownership successfully.

IMPACT?

• Trusted TLS certificates (MitM)

• Malicious and remote code loading

• Subdomain attacks

• Email (no MX = A record)

• Spam & phishing (residual trust)

SCALE?

[Figure: Time Between Reoccurrence (seconds, log scale; axis ticks from 10 sec to 2 weeks) per Availability Zone, covering 14 regions from ap-northeast-1 to us-west-2]

• Looking at cloud IP addresses (AWS, Azure)

• 1.6 million unique IPs, 14 million allocations

• 130 million unique domains

• How many active domains point to free IPs?

• >700,000 domains can be taken over within minutes by an attacker
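A zone owner can check for the same condition in their own records. The following is an added example, not code from the talk: it flags A records that point into a cloud provider's address pool at an address the account no longer holds, and notes the mail exposure from the "no MX = A record" item. The names `PROVIDER_RANGES`, `ALLOCATED_TO_US`, `ZONE` and `find_dangling` are hypothetical, and all data is constructed from documentation address ranges.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for provider pools.
PROVIDER_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("203.0.113.0/24")]
ALLOCATED_TO_US = {"198.51.100.10", "203.0.113.7"}  # addresses our account holds now
ZONE = [  # (name, type, value) exported from our own DNS zone
    ("www.example.com", "A", "198.51.100.10"),
    ("old-api.example.com", "A", "198.51.100.77"),  # instance gone, record left behind
    ("shop.example.com", "A", "203.0.113.99"),      # address released, record left behind
    ("shop.example.com", "MX", "mail.example.com"),
    ("mail.example.com", "A", "192.0.2.25"),        # outside the provider pools
]


def in_provider_pool(ip, ranges=PROVIDER_RANGES):
    """True if the address belongs to a pool the provider hands out to any tenant."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_dangling(zone, allocated):
    """Return A records that point at provider addresses we do not currently hold."""
    names_with_mx = {name for name, rtype, _ in zone if rtype == "MX"}
    findings = []
    for name, rtype, value in zone:
        if rtype != "A" or value in allocated or not in_provider_pool(value):
            continue
        exposure = ["TLS certificate issuance via HTTP-based validation",
                    "content and code loading"]
        if name not in names_with_mx:
            # Without an MX record, SMTP delivery falls back to the A record.
            exposure.append("inbound mail (no MX, delivery falls back to the A record)")
        findings.append({"name": name, "ip": value, "exposure": exposure})
    return findings


if __name__ == "__main__":
    for finding in find_dangling(ZONE, ALLOCATED_TO_US):
        print(finding["name"], finding["ip"], "; ".join(finding["exposure"]))
```

The allocation set has to cover every account and region the organisation uses, otherwise addresses held elsewhere show up as false findings.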


CLOUD STRIFE

• Assume takeovers can and will happen in the future

• Major changes to DNS or deployment impractical

• Aim to prevent attacks higher up

• Focus on TLS services

• Leverage existing standards when possible

MITIGATING TAKEOVER ATTACKS

• HTTP, simple idea:

  • HTTPS with trusted (domain-validated) certificates

  • HTTP Strict Transport Security

  • HTTP Public Key Pinning (deprecated since Chrome 67)

Takeover attacks now require the pinned certificate.

Reduces takeover attacks to denial of service attacks.

Doesn’t work for SMTP etc. though

MITIGATING TAKEOVER ATTACKS

• HTTP, better idea:

  • HTTPS with trusted certificates

  • Prevent certificate issuance for domains (likely) taken over

  • HTTP Strict Transport Security

How do you prevent certificate issuance?

No trusted certificate = also works for SMTP etc.


CERTIFICATE TRANSPARENCY LOGS

• Public append-only log for issued certificates

• Monitor for suspicious certificates

• Real-time(ish) audit trail

In itself:

• Reactive: attacker’s window of opportunity remains

• Must be actively monitored (by domain owners)

Can be used for historic lookups

PREVENTIVE HTTP-BASED DOMAIN-VALIDATION

[Figure: ACME exchange between Client, ACME CA, CT Logs and the example.com webserver]

1 Request certificate

2 Check for existing certificates

3 Respond with challenge

4 Host challenge at https://example.com

5 Verify challenge and existing certificate

If an old certificate was found, require it to be the current HTTPS certificate.
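The CA-side decision in steps 2 and 5 can be sketched as follows. This is an added example, not the authors' implementation or any CA's code: `LoggedCert`, `ChallengeFetch`, `decide` and `scenarios` are hypothetical names, the CT data is constructed, and treating only unexpired logged certificates as binding is an assumption of the sketch.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class LoggedCert:                 # one CT log entry, reduced to what the check needs
    names: frozenset              # DNS names the certificate covers
    sha256: str                   # fingerprint of the logged leaf certificate
    not_after: datetime

@dataclass(frozen=True)
class ChallengeFetch:             # what the CA observed when verifying (step 5)
    token_ok: bool                # challenge response matched
    scheme: str                   # "http" or "https"
    peer_cert_sha256: Optional[str] = None  # leaf certificate seen in the TLS handshake

def fp(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def decide(domain, ct_log, fetch, now):
    if not fetch.token_ok:
        return "deny: challenge failed"
    # Assumption: only unexpired logged certificates bind the requester.
    existing = {c.sha256 for c in ct_log if domain in c.names and c.not_after > now}
    if not existing:
        return "issue: no existing certificate in CT"
    if fetch.scheme != "https" or fetch.peer_cert_sha256 not in existing:
        return "deny: existing certificate not presented"
    return "issue: existing certificate presented"

# Constructed sample data: fingerprints are hashes of placeholder bytes, not real certificates.
UTC = timezone.utc
NOW = datetime(2018, 7, 16, tzinfo=UTC)
OWNER = fp(b"constructed: certificate held by the domain owner")
CT_LOG = [
    LoggedCert(frozenset({"example.com"}), OWNER, datetime(2018, 9, 1, tzinfo=UTC)),
    LoggedCert(frozenset({"lapsed.example"}), fp(b"constructed: lapsed"), datetime(2017, 1, 1, tzinfo=UTC)),
]

def scenarios():
    other = fp(b"constructed: self-signed certificate on the re-used address")
    return {
        "owner renewal": decide("example.com", CT_LOG, ChallengeFetch(True, "https", OWNER), NOW),
        "re-used IP, plain HTTP": decide("example.com", CT_LOG, ChallengeFetch(True, "http"), NOW),
        "re-used IP, other cert": decide("example.com", CT_LOG, ChallengeFetch(True, "https", other), NOW),
        "first certificate": decide("fresh.example", CT_LOG, ChallengeFetch(True, "http"), NOW),
        "only expired cert logged": decide("lapsed.example", CT_LOG, ChallengeFetch(True, "http"), NOW),
    }
```

The two "re-used IP" cases are the takeover situation: the party on the address can answer the challenge but cannot present the logged certificate, so no new certificate is issued.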



CLOUD STRIFE

• Prevents TLS certificates from being issued for takeovers

• No certificate = takeover attacks less useful (= DoS)

• Drawbacks for users only for disaster recovery

  • Re-bootstrap chain of trust

• ACME validation challenge draft next?

https://kevin.borgolte.me

twitter: @caovc

Thank you!

Questions?

seclab: The Computer Security Group at UC Santa Barbara