PROVING WHO YOU ARE: TLS & THE PKI
CMSC 414, MAR 29 2018
RECALL OUR PROBLEM WITH DIFFIE-HELLMAN
The two communicating parties thought, but did not confirm, that they were talking to one another.
Therefore, they were vulnerable to MITM attacks.
Certificates allow us to verify with whom we are communicating.
We will solve this by incorporating public key cryptography.
Back to authentication
Generate public/private key pair (PK, SK); publicize PK
How can we know it was really who posted PK?
(Diagram, the symmetric-key protocol from before: Alice holds KAT, Trent holds KAT and KBT, Bob holds KBT; Alice sends E(KAT, msg || to:Bob) to Trent, who forwards E(KBT, msg || from:Alice) to Bob)
Can we achieve authentication without Trent in the middle of every message?
Authentication with public keys
(Diagram: Trent holds (PKT, SKT); Alice holds (PKA, SKA); Alice and Bob each hold a copy of PKT)
1. Trent’s public key is widely disseminated (pre-installed in browsers/operating systems)
2. Alice generates a public/private key pair and asks Trent to bind her PKA to her identity; Trent vets Alice
3. Trent signs a message (with SKT): “The owner of the secret key corresponding to PKA is Alice”
   This message + sig = Certificate (“Alice = PKA”)
4. Alice makes her certificate publicly available (or Bob simply asks for it)
5. Bob verifies the certificate using PKT
6. Bob (via hybrid encryption) sends a message to Alice using her public key PKA
If Bob trusts Trent, then Bob trusts that he properly vetted Alice, and thus that her public key is PKA
Properties
Trent need be online only when giving out certificates, not any time users want to communicate with one another
Alice and Bob can communicate in an authenticated manner without having to go through Trent
Trust assumptions from our symmetric key protocol:
1. Do not read messages
2. Do not alter messages
3. Do not forge messages
4. Do not go offline
Trust assumptions in this public key protocol:
1. Correctly vet users
(Some more in practice…)
TLS/SSL
• TLS (Transport Layer Security)
• A suite of protocols to provide secure communication
  - Confidentiality by applying block & stream ciphers
  - Integrity with MACs
  - Authenticity with certificates
• Predecessor: SSL (Secure Sockets Layer)
  - TLS was proposed as an upgrade
  - All versions of SSL are considered insecure (recently, the POODLE padding-oracle attack)
Host A ↔ Host B over TCP/IP, with TLS or SSL layered on top
TCP/IP: Host A and B can send packets to one another
TLS/SSL: operate “over” TCP/IP to ensure security/authenticity
TLS/SSL protocol (high level)
Browser (initiates connection)  |  Server (authenticates itself)
Client hello →: Version, crypto options, nonce
← Server hello + server cert (PKs): Version, crypto options, nonce, signed certificate containing the server’s public key PKs
← Server key exchange (when using DH)
Client key exchange →: PreMaster secret encrypted with server’s PKs
Both sides compute K based on nonces & PreMaster
~~~~~~~ Switch to negotiated cipher ~~~~~~~
Data transmission
(Credit: CloudFlare) Only the server with the private key should be able to decrypt
(Credit: CloudFlare) Only the server with the private key should be able to sign
AUTHENTICATED DIFFIE-HELLMAN
Both of these serve as a “challenge/response” protocol:
The client is “challenging” the server to prove that it knows the secret key corresponding to the public key in the certificate
The server is providing a “zero-knowledge proof”:
The server proves that it knows the secret key without having to reveal the secret key itself
The key property that makes this work: The only person who knows the secret key is the entity in the certificate
Certificate revocation
3. Trent signs a message (with SKT): “The owner of the secret key corresponding to PKA is Alice”
This message + sig = Certificate
Put another way: “The only person who knows SKA is Alice”
What happens if Alice’s key gets compromised? (Stolen, accidentally revealed, …)
Certificate revocation
Alice → Trent (PKT, SKT): Please revoke my certificate (ID #3912…)
Trent signs a message (with SKT): “Certificate ID #3912… is no longer valid, as of April 5, …”
This message + sig = revocation
Bob obtains revocation information
Obtaining revocation data
Certificate Revocation Lists (CRLs)
Trent publishes a signed (often large) list of revocations: “Certificate ID #3912… is no longer valid, as of April 5, …”
Browsers and OSes (Bob) occasionally download CRLs
Disincentive: CRLs can be large, so it takes time & bandwidth
Result: delayed days/weeks/forever
Obtaining revocation data
Online Certificate Status Protocol (OCSP)
Browsers and OSes perform OCSP checks on-demand (when verifying the certificate)
Bob → Trent: Is certificate ID #3912… still valid?
Trent → Bob (signed with SKT): “Certificate ID #3912… is still valid, as of April 5, …”
Disincentive: Still delays the initial validation of the certificate (can increase webpage load time)
Obtaining revocation data
OCSP Stapling
Websites issue OCSP requests, include responses in initial handshake
Alice → Trent: Is certificate ID #3912… still valid?
Trent → Alice (signed with SKT): “Certificate ID #3912… is still valid, as of April 5, …”
Alice forwards this to Bob along with the certificate when they first start to communicate
Certificate revocation responsibilities
Trent’s responsibility: Make revocations publicly available
Alice’s responsibility: Request revocations
Bob’s responsibility: Check for revocations
Certificates in the wild
The lock icon indicates that the browser was able to authenticate the other end, i.e., validate its certificate
Certificate chain
Subject (who owns the public key)
Issuer (who verified the identity and signed this certificate)
Common name: the URL of the subject
Verifying certificates
Browser
Certificate: “I’m because says so”
Certificate: “I’m because says so”
Certificate: “I’m because I say so!”
Root key store: every device has one; it must not contain malicious certificates
✓ ✓ ✓ (the diagram checks off the self-signed certificate against the root key store, then each of the other two in turn)
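The six-step protocol, the TLS handshake, and the chain check against the root key store, as one runnable program; this is an added example in Go's standard library, not code from the lecture or from any project. Trent, alice.example, the self-signed "Bogus" certificate and the loopback listener used by Handshake are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustIssue makes a fresh key pair and a certificate binding it to name and the SAN list dns,
// signed with issuerKey (step 3). issuer == nil means self-signed: "I'm Trent because I say so".
func mustIssue(name string, dns []string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // what a CRL entry or OCSP answer names
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              dns, // Subject Alternative Names; "*.x" stands for one label
		NotBefore:             time.Now().Add(-time.Hour), // "not valid before/after"
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA, // signing cert (root/intermediate) or leaf
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return cert, key
}

// PKI is the cast of the slides; Bogus* merely claims to be alice.example (self-signed, never vetted).
type PKI struct {
	Roots                *x509.CertPool // Bob's root key store: Trent's cert only
	AliceCert, BogusCert *x509.Certificate
	AliceKey, BogusKey   *ecdsa.PrivateKey
}

// Setup runs steps 1-4: Trent's root, Alice's vetted certificate, Bob's root store.
func Setup() *PKI {
	trent, trentKey := mustIssue("Trent", nil, true, nil, nil)
	alice, aliceKey := mustIssue("alice.example", []string{"alice.example", "*.alice.example"}, false, trent, trentKey)
	bogus, bogusKey := mustIssue("alice.example", []string{"alice.example"}, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trent) // PKT, "pre-installed in browsers/operating systems"
	return &PKI{Roots: roots, AliceCert: alice, BogusCert: bogus, AliceKey: aliceKey, BogusKey: bogusKey}
}

// BobVerifies is step 5 plus the hostname check: the chain must end at a root in Bob's store and a SAN must cover host.
func BobVerifies(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Handshake runs the slide's TLS handshake over loopback: the server presents (cert, key), the client trusts only roots and expects host.
func Handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, host string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
			tls.Server(conn, srv).Handshake() // the server's view is not what this demo checks
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(10 * time.Second))
	return tls.Client(conn, &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}).Handshake()
}

func main() {
	p := Setup()
	fmt.Println("Alice's cert, www.alice.example:", BobVerifies(p.AliceCert, p.Roots, "www.alice.example"))
	fmt.Println("self-signed claim to be Alice:  ", BobVerifies(p.BogusCert, p.Roots, "alice.example"))
	fmt.Println("TLS handshake with Alice:       ", Handshake(p.AliceCert, p.AliceKey, p.Roots, "alice.example"))
}
```

A nil error from BobVerifies or Handshake is the lock icon; the self-signed certificate fails with an unknown-authority error because nothing in Bob's root store vouches for it.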
Serial number: Uniquely identifies this cert with respect to the issuer (look for this in CRLs)
Not valid before/after: When to start and stop believing this cert (start & expiration dates)
The public key: And the issuer’s signature of the public key
Signature algorithm: How the issuer will sign parts of the cert
Subject Alternate Names: Other URLs for which this cert should be considered valid.
(wellsfargo.com is not the same as www.wellsfargo.com)
Can include wildcards, e.g., *.google.com
The spirit is that it represents different domain names of the same entity (google.com, google.co.uk, youtube.com, …)
The letter of the rule doesn’t say that they need to be the same company, or really have anything in common
CRL & OCSP: Where to go to check if this certificate has been revoked
Non-cryptographic checksums
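The matching rule behind the wellsfargo.com and *.google.com remarks above, as an added example that is not part of the slides: a certificate covers a hostname only if one SAN entry matches it, and a wildcard covers exactly one label. The SAN lists are constructed for illustration.

```python
"""Hostname matching against Subject Alternative Names, with wildcard rules.

Added example, not from the slides. It models the client-side check that a
certificate is valid for a hostname only if one SAN dNSName entry matches, with
a wildcard covering exactly one DNS label (the RFC 6125 section 6.4.3 rules).
The SAN lists at the bottom are constructed for illustration.
"""
from __future__ import annotations


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks a fully qualified name.
    return name.strip().rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    san, hostname = _normalize(san), _normalize(hostname)
    if not san or not hostname:
        return False
    if not san.startswith("*."):
        # Exact entry: wellsfargo.com does not cover www.wellsfargo.com.
        return san == hostname
    # Wildcard entry "*.example.com":
    #  - needs at least two labels after the asterisk ("*.com" is rejected);
    #  - matches exactly one leftmost label (a.example.com, not a.b.example.com);
    #  - does not match the bare base domain (example.com itself).
    suffix = san[2:]
    if "." not in suffix or "*" in suffix:
        return False
    if not hostname.endswith("." + suffix):
        return False
    leftmost = hostname[: -len(suffix) - 1]
    return bool(leftmost) and "." not in leftmost


def cert_valid_for(hostname: str, sans: list[str]) -> str | None:
    """Return the SAN entry that covers hostname, or None if none does."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


# Constructed SAN lists modelled on the slides' examples.
WELLS_FARGO_SANS = ["wellsfargo.com", "www.wellsfargo.com"]
GOOGLE_SANS = ["*.google.com", "google.com", "google.co.uk", "youtube.com"]

if __name__ == "__main__":
    for host, sans in [
        ("www.wellsfargo.com", WELLS_FARGO_SANS),
        ("online.wellsfargo.com", WELLS_FARGO_SANS),   # exact entries only: no match
        ("mail.google.com", GOOGLE_SANS),               # one label under the wildcard
        ("a.b.google.com", GOOGLE_SANS),                # two labels: no match
        ("youtube.com", GOOGLE_SANS),                   # unrelated name on the same cert
    ]:
        print(f"{host:24} -> {cert_valid_for(host, sans)}")
```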
Certificate types: Certificates can be classified in two broad ways
1. What the certificate can be used for
   • Signing (root and intermediate certs)
   • Encrypting (leaf certs)
2. The type of vetting process used
   • DV (Domain validation): Prove administrative access to the domain, e.g., by uploading a file
   • OV (Organization validation): Prove ownership of the organization that owns the domain
   • EV (Extended validation): More extensive validation ($$)
Certificate types: Why are these different?
This is an EV (extended validation) certificate; browsers show the full name for these kinds of certs
Proper reaction to Heartbleed
1. Patch the software
2. “Reissue” a new key (get a new one and load it onto your servers)
3. Revoke the old key
Order matters!
If we reissued and then patched, then our new key would be compromised, too.
If we revoked first, we’d be offline.
Heartbleed (OpenSSL)
A heartbeat request carries a payload and a length field; the server echoes the payload back.
Client sends “hi” with length 2 → OpenSSL replies “hi”
Client sends “hi” with length 22 → OpenSSL replies “hi” + 20B from memory
The length field is 16 bits, so a single request can claim any length < 2^16
Potentially reveals user data and private keys
Heartbleed exploits were undetectable
Why study Heartbleed?
Timeline: 03/21 Discovered · 04/02 Akamai patched · 04/07 Publicly announced
Every vulnerable website should have: 1 Patched, 2 Revoked, 3 Reissued
Heartbleed is a natural experiment: How quickly and thoroughly do administrators act?
![Page 77: PROVING WHO YOU ARE TLS & THE PKI · TLS & THE PKI CMSC 414 MAR 29 2018. RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they](https://reader036.fdocuments.us/reader036/viewer/2022071119/601908668580871d043b43d5/html5/thumbnails/77.jpg)
Dataset
Rapid7data
22M certs(~1/wk for 6mos)
![Page 78: PROVING WHO YOU ARE TLS & THE PKI · TLS & THE PKI CMSC 414 MAR 29 2018. RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they](https://reader036.fdocuments.us/reader036/viewer/2022071119/601908668580871d043b43d5/html5/thumbnails/78.jpg)
Dataset
Rapid7data
22M certs(~1/wk for 6mos)
AlexaTop-1M
2.8M certs
CAs
9k certs
filter
![Page 79: PROVING WHO YOU ARE TLS & THE PKI · TLS & THE PKI CMSC 414 MAR 29 2018. RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they](https://reader036.fdocuments.us/reader036/viewer/2022071119/601908668580871d043b43d5/html5/thumbnails/79.jpg)
validate Leaf Set
628k certs165k domains
Dataset
Rapid7data
22M certs(~1/wk for 6mos)
AlexaTop-1M
2.8M certs
CAs
9k certs
filter
![Page 80: PROVING WHO YOU ARE TLS & THE PKI · TLS & THE PKI CMSC 414 MAR 29 2018. RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they](https://reader036.fdocuments.us/reader036/viewer/2022071119/601908668580871d043b43d5/html5/thumbnails/80.jpg)
validate Leaf Set
628k certs165k domains
Dataset
Rapid7data
22M certs(~1/wk for 6mos)
AlexaTop-1M
2.8M certs
CAs
9k certs
filter
• Download CRLs• Detect vulnerability• Identify Heartbleed-induced
reissues & revocations
![Page 81: PROVING WHO YOU ARE TLS & THE PKI · TLS & THE PKI CMSC 414 MAR 29 2018. RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they](https://reader036.fdocuments.us/reader036/viewer/2022071119/601908668580871d043b43d5/html5/thumbnails/81.jpg)
validate Leaf Set
628k certs165k domains
Dataset
Rapid7data
22M certs(~1/wk for 6mos)
AlexaTop-1M
2.8M certs
CAs
9k certs
filter
• Download CRLs• Detect vulnerability• Identify Heartbleed-induced
reissues & revocations
Prevalence and patch rates
[Figure: Fraction of Domains Vulnerable to Heartbleed (0–0.6) vs. Alexa Site Rank (bins of 1000, 0–1M); series: Was ever vulnerable; Still vulnerable after 3 weeks]
Patching rates are mostly positive: Only ~7% had not patched within 3 weeks
Certificate update rates
[Figure: Frac. of Vulnerable Certs not Revoked/Reissued (0.6–1) vs. Date (04/07–07/28); series: Not reissued; Not revoked; Ideal; 3-week marker]
After 3 weeks: 13% Revoked
Similar pattern to patches: Exponential drop-off, then levels out
Certificate update rates (first three weeks)
[Figure: Frac. of Vulnerable Certs not Revoked/Reissued (0.65–1) vs. Date (04/07–04/27); series: Not reissued; Not revoked; Ideal; Optimistic]
After 3 weeks: 13% Revoked, 27% Reissued
Similar pattern to patches: Exponential drop-off, then levels out
How quickly were certs revoked?
[Figure: Number of Domains/Day vs. Date (03/01–04/26); weekends marked]
Reaction ramps up quickly
Security takes the weekends off
Reissue ⇒ New key?
[Figure: Fraction of New Certificates Reissued with the Same Key (0–0.6) vs. Date of Birth (11/2013–05/2014); series: All reissues; Heartbleed-induced reissues]
Reissuing the same key is common practice
4.1% Heartbleed-induced
The ugly truth of revocations
93% Patched · 13% Revoked · 27% Reissued
• Administrators trade off security for ease of maintenance/cost
• Certificate authorities trade off security for profit
Security is supposed to be a fundamental design goal, but
Can we wait for expiration?
[Figure: CDF vs. Years of Remaining Validity (0–6) for certs that were vulnerable but not revoked]
~40% of vulnerable certs will not expire for over 1 year
We may be dealing with Heartbleed for years
Testing browser behavior
Revocation protocols
• Browsers should support all major protocols
• CRLs, OCSP, OCSP stapling
Availability of revocation info
• Browsers should reject certs they cannot check
• E.g., because the OCSP server is down
Chain lengths
• Browsers should reject a cert if any on the chain fail
• Leaf, intermediate(s), root
Root → signs → Intermediate → signs → Intermediate… → signs → Leaf
Results across all browsers
[Per-browser results table from the slide not captured; its legend and the per-browser summaries follow]
Legend: ✔ Passes test; ✗ Fails test; ev: Passes for EV certs; i: Ignores OCSP staple; a: Pops up alert to user; l/w: Passes on Linux/Win.
Chrome
• Generally, only checks for EV certs (~3% of all certs)
• Allows if revocation info unavailable
• Supports OCSP stapling
Firefox
• Never checks CRLs
• Only checks intermediates for EV certs
• Allows if revocation info unavailable
• Supports OCSP stapling
Safari
• Checks CRLs and OCSP
• Allows if revocation info unavailable (except for the first intermediate, for CRLs)
• Does not support OCSP stapling
Internet Explorer
• Checks CRLs and OCSP
• Often rejects if revocation info unavailable (pops up alert for leaf in IE 10+)
• Supports OCSP stapling
Mobile Browsers
• Uniformly never check
• Android browsers request a staple …and promptly ignore it
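The three browser tests above (protocol support, hard-fail on unavailable revocation info, checking every certificate on the chain) and the per-browser results can be made concrete with a small model of a revocation-checking policy. The following Python is an added example, not code from the lecture or from any browser: every serial number, URL and policy is constructed, the CRL/OCSP "network" is a dictionary, and the named policies (`soft_fail`, `no_crl_soft_fail`, `leaf_only_soft_fail`, `never_checks`) are only loosely patterned on the behaviours the results slides report. The model also assumes, as browsers do, that the root is a trust-store anchor and is not itself queried for revocation.

```python
# Added example (not from the CMSC 414 slides): toy model of a browser's
# certificate-revocation policy, run against the "testing browser behavior"
# criteria. All serials, URLs and policies are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

@dataclass
class Cert:
    role: str                       # "leaf", "intermediate" or "root"
    serial: int                     # constructed serial number
    crl_url: Optional[str] = None   # CRL distribution point, if the cert lists one
    ocsp_url: Optional[str] = None  # OCSP responder, if the cert lists one

@dataclass
class RevocationSources:
    """Stand-in for the network: which CRLs and OCSP responders are reachable."""
    crls: Dict[str, Set[int]] = field(default_factory=dict)        # url -> revoked serials
    ocsp: Dict[str, Dict[int, str]] = field(default_factory=dict)  # url -> serial -> status; missing url = responder down
    staple: Optional[Tuple[int, str]] = None                       # (leaf serial, status) stapled by the server

@dataclass
class Policy:
    """Knobs that model the browser behaviours reported on the slides."""
    check_crl: bool = True
    check_ocsp: bool = True
    use_staple: bool = True
    check_intermediates: bool = True  # False models "only checks the leaf"
    hard_fail: bool = True            # reject when revocation info cannot be fetched

def cert_status(cert: Cert, src: RevocationSources, pol: Policy) -> str:
    """Return GOOD, REVOKED or UNKNOWN for one certificate under a policy."""
    # A stapled OCSP response covers only the leaf and needs no network round trip.
    if pol.use_staple and cert.role == "leaf" and src.staple and src.staple[0] == cert.serial:
        return src.staple[1]
    # Live OCSP query; an absent responder entry models "OCSP server is down".
    if pol.check_ocsp and cert.ocsp_url is not None:
        responder = src.ocsp.get(cert.ocsp_url)
        if responder is not None:
            return responder.get(cert.serial, GOOD)
    # CRL download; an unreachable CRL likewise gives no answer.
    if pol.check_crl and cert.crl_url is not None:
        crl = src.crls.get(cert.crl_url)
        if crl is not None:
            return REVOKED if cert.serial in crl else GOOD
    return UNKNOWN

def validate_chain(chain: List[Cert], src: RevocationSources, pol: Policy) -> str:
    """Return "accept" or "reject" for a chain ordered leaf -> intermediate(s) -> root.
    Assumption of this model: the root is a trust anchor and is not revocation-checked."""
    for cert in chain:
        if cert.role == "root" or (cert.role == "intermediate" and not pol.check_intermediates):
            continue
        status = cert_status(cert, src, pol)
        if status == REVOKED or (status == UNKNOWN and pol.hard_fail):
            return "reject"
    return "accept"

def run_tests(pol: Policy) -> Dict[str, bool]:
    """Apply the slides' criteria (CRL support, stapling, availability, chain length)
    to one policy. True means the policy rejects the bad chain, i.e. passes the test."""
    root = Cert("root", 1)
    inter = Cert("intermediate", 2, crl_url="crl://inter", ocsp_url="ocsp://inter")
    inter_crls = {"crl://inter": set()}        # the intermediate's CRL is empty
    inter_ocsp = {"ocsp://inter": {2: GOOD}}   # the intermediate's responder says good

    def rejects(leaf: Cert, src: RevocationSources) -> bool:
        return validate_chain([leaf, inter, root], src, pol) == "reject"

    results = {}
    # Revocation protocols: the leaf lists only a CRL, and that CRL revokes it.
    leaf = Cert("leaf", 30, crl_url="crl://leaf")
    results["crl"] = rejects(leaf, RevocationSources(crls={"crl://leaf": {30}, **inter_crls}, ocsp=inter_ocsp))
    # Stapling: the server staples a "revoked" response and nothing else is reachable.
    leaf = Cert("leaf", 31, ocsp_url="ocsp://leaf")
    results["staple"] = rejects(leaf, RevocationSources(crls=inter_crls, ocsp=inter_ocsp, staple=(31, REVOKED)))
    # Availability: the leaf's only responder is down (no "ocsp://leaf" entry at all).
    leaf = Cert("leaf", 32, ocsp_url="ocsp://leaf")
    results["unavailable"] = rejects(leaf, RevocationSources(crls=inter_crls, ocsp=inter_ocsp))
    # Chain length: the leaf is fine but the intermediate has been revoked.
    leaf = Cert("leaf", 33, ocsp_url="ocsp://leaf")
    results["chain"] = rejects(leaf, RevocationSources(
        crls=inter_crls, ocsp={"ocsp://leaf": {33: GOOD}, "ocsp://inter": {2: REVOKED}}))
    return results

# Constructed policies, loosely patterned on the behaviours the slides report.
POLICIES = {
    "hard_fail_all_checks": Policy(),
    "soft_fail": Policy(hard_fail=False),
    "no_crl_soft_fail": Policy(check_crl=False, hard_fail=False),
    "leaf_only_soft_fail": Policy(check_intermediates=False, hard_fail=False),
    "never_checks": Policy(check_crl=False, check_ocsp=False, use_staple=False, hard_fail=False),
}

if __name__ == "__main__":
    for name, pol in POLICIES.items():
        marks = " ".join(f"{t}:{'pass' if ok else 'FAIL'}" for t, ok in run_tests(pol).items())
        print(f"{name:22s} {marks}")
```

Running it shows the pattern the slides describe: only the hard-fail policy passes every test, a soft-fail policy passes everything except the availability test (an attacker who can block the OCSP responder gets the cert accepted), a policy that never consults CRLs misses a revocation published only there, and a leaf-only policy never notices a revoked intermediate. The `hard_fail` knob is the one that matters most for defenders, because it turns "revocation info unavailable" from a silent accept into a visible failure.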
PKI CONCLUSION
The PKI’s job is to bind human-understandable identities (domain names) to cryptographic keys (public keys)
The central mechanism for this is certificates: digital signatures from trusted entities that tie domain names and public keys together
TLS along with Diffie-Hellman leverages public key crypto to arrive at ephemeral session keys (symmetric keys)
There is significant mismanagement in today’s PKI:
• Websites don’t revoke or get new certs (“reissue”) when they should
• Browsers don’t check for revocations when they should
• Websites share their private keys with their hosting providers
The PKI is how we know with whom we are communicating online
Improving the web’s PKI is an active area of research (securepki.org)