The CA Debacle - USENIX
Eroding Trust & The CA Debacle
Jeremy Clark
Photo credit: MirrorCity, ShainblumPhoto.com

Jeremy Clark (Concordia University). SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. IEEE Symposium on Security and Privacy, 2013.

Certificates for HTTPS
HTTPS (HTTP over SSL/TLS) design:
traffic flows are unmodified and confidential to everyone except the domain owner
server is authenticated by a CA-issued & browser-accepted certificate

Certificates for HTTPS
The essential problem:
CA-issued is no longer a high enough standard
increase in CAs, increase in (known) breaches, decrease in baseline validation, lack of revocation
+ TLS protocol issues
Agenda
Me: Primer on issues (~15 min)
You: Proposed Solutions (open for pitches)
Me: Sweep up of Solutions not Covered (~10 min)
You: General Discussion
Please interrupt and inject comments at any point

Prevent Fraudulent Certs: Browser Preloads, CAge, CertLock, Certification Patrol, Convergence, DANE, Doublecheck, HPKP, MonkeySphere, Perspectives, Sovereign Keys, TACK
Detect Fraudulent Certs: CAA, Certificate Transparency, TKI
Protect Login: Channel ID (nee Origin Bound Certs), DVCert
Secure Introduction: S-Links, YURLS
Prevent HTTP Downgrade: Browser Preloads, HSTS, SSLight
Improve Revocation: Browser CRLs, OCSP Stapling, Short-lived Certificates

Agenda
Me: Primer on issues (~10 min)
You: Proposed Solutions (open for pitches)
Me: Sweep up of Solutions not Covered (~10 min)
You: General Discussion
Please interrupt and inject comments at any point

Cryptographic & Protocol Issues
Aging Primitives: MD2, MD5, RC4, weak keys (<112 bits equiv. sec.)
Implementation Flaws:
Bad randomness: Netscape, Debian, embedded
Timing Attacks: RSA encryption, ECDSA
Protocol Flaws: Renegotiation, truncation, downgrades

Cryptographic & Protocol Issues
An active adversary can use the server as a decryption oracle (adaptive CCA attacks):
1) RSA PKCS#1 v1.5 key transport: distinguish bad encoding from failed decryption
2) CBC mode data transport: distinguish bad padding from MAC failure
MAC -> Pad -> Encrypt

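The CBC case above, as an added example (not from the original slides): a MAC-then-pad record check that reports padding and MAC failures with different alerts, beside one that returns a single alert for both. It assumes CBC decryption has already happened and uses HMAC-SHA256; the key and record bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length (assumed MAC for this sketch)

def strip_padding(plain):
    """TLS-style padding: the last byte n is preceded by n more bytes of value n.
    Returns (body, ok). On bad padding only the length byte is dropped, so the
    caller still has something to run the MAC over."""
    n = plain[-1]
    ok = n + 1 + MAC_LEN <= len(plain) and plain[-(n + 1):] == bytes([n]) * (n + 1)
    return (plain[:-(n + 1)] if ok else plain[:-1]), ok

def mac_matches(key, body):
    """Split body into data || tag and compare the tag in constant time."""
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag), data

def open_leaky(key, plain):
    """Distinct alerts: the peer learns whether the padding was well formed."""
    body, pad_ok = strip_padding(plain)
    if not pad_ok:
        return "decryption_failed", None   # padding error reported on its own
    ok, data = mac_matches(key, body)
    return ("ok", data) if ok else ("bad_record_mac", None)

def open_uniform(key, plain):
    """Always run the MAC check and return one alert for either failure."""
    body, pad_ok = strip_padding(plain)
    ok, data = mac_matches(key, body)
    return ("ok", data) if (pad_ok and ok) else ("bad_record_mac", None)

# Constructed sample record: data || MAC || padding (n = 3, so four 0x03 bytes).
KEY = b"constructed-demo-key"
DATA = b"GET / HTTP/1.1"
GOOD = DATA + hmac.new(KEY, DATA, hashlib.sha256).digest() + b"\x03" * 4
BAD_PAD = GOOD[:-2] + b"\x00" + GOOD[-1:]   # one padding byte altered
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]   # data altered, padding intact

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad pad", BAD_PAD), ("bad mac", BAD_MAC)):
        print(name, open_leaky(KEY, rec)[0], open_uniform(KEY, rec)[0])
```

Returning one alert closes the error-message channel only; the time spent computing the MAC still depends on how much padding was stripped.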
Cryptographic & Protocol Issues
Malicious client-side code can use the client as an encryption oracle (adaptive CPA attacks):
1) CBC mode data transport: Initialization vectors are predictable
2) Block or stream cipher data transport: Compression is applied prior to encryption
Length leaks semantic information

Cryptographic & Protocol Issues
Version Downgrade Attacks:
TLS 1.0: RC4 (insecure), CBC (insecure)
TLS 1.2 [0.02%]: RC4 (insecure), CBC (secure?), GCM (secure?)
How to encourage upgrades?

[Diagram: Domain.ca, Client, Sig_CA(Domain.ca || Key)]

[Diagram: Domain.ca, Client, CA, Cert. Label: "I'm domain.ca"]

Certificate Authorities
Pre-loaded into browser and/or OS
~150 root certificates from ~50 organizations
Root certificates can authorize intermediate CAs
Hundreds of organizations have a CA cert
Certificate Authorities
Any CA can issue an acceptable certificate for any site
Should we have name constraints?
Reasonable to trust 1M sites automagically?

[Diagram: Domain.ca, CA, Cert, Client. Labels: "I'm domain.ca", "Prove it"]

[Diagram: Domain.ca, CA, mailserver, Registrar. DNS record: domain.ca | A | 192.0.5.8]

[Diagram: Domain.ca, Client, CA, Cert]
Certificate is a site cert (TURKTRUST) & Browser checks this (IE and iOS)

[Diagram: Domain.ca, Client, CA, Cert]
CA process is not circumvented (DigiNotar & Comodo) (OV: Verisign)

[Diagram: Domain.ca, Client, CA, Cert]
CA process is not circumvented (Compelled)

You Find a Bad Site Cert, Now What?
CA revokes the certificate
Revocation checking happens when receiving a certificate
Revocation checking is unreliable and fails open
Who Needs a Cert Anyways?
SSL Stripping: active adversary can strip out references to HTTPS sites and replace them with HTTP (POST-to-HTTPS)
Concede a Warning: Syria Telecom MITM on Facebook
Users tend to ignore security indicators, not understand warnings, and click through warnings they do understand
What to Do?
Prevent Fraudulent Certs: Browser Preloads, CAge, CertLock, Certification Patrol, Convergence, DANE, Doublecheck, HPKP, MonkeySphere, Perspectives, S-Links, Sovereign Keys, TACK, TKI, YURLS
Detect Fraudulent Certs: CAA, Certificate Transparency
Protect Login: Channel ID (nee Origin Bound Certs), DVCert
Prevent HTTP Downgrade: Browser Preloads, HSTS, SSLight
Improve Revocation: Browser CRLs, OCSP Stapling, Short-lived Certificates

Pinning — Server Initiated
Send (via HTTP header or TLS handshake) the attributes about your certificate chain you want pinned.
Trust-on-first-use
Server-side changes
Self denial-of-service
No new authority

TACK: M. Marlinspike & T. Perrin. Trust assertions for certificate keys (TACK). TLS Working Group. Internet Draft. Intended status: Standards Track. January 7, 2013.
HPKP: C. Evans, C. Palmer, & R. Sleevi. Public key pinning extension for HTTP. Web Security Working Group. Internet-Draft. Intended Status: Standards Track. December 7, 2012.

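Trust-on-first-use and self denial-of-service from the list above, as an added example (not part of the original slides, nor code from the TACK or HPKP authors): a client-side pin store that follows the noting rules of RFC 7469, the later published form of the HPKP draft. The host name, SPKI byte strings and timestamps are constructed, and `PinStore` is a hypothetical name.

```python
import base64
import hashlib
import re

def spki_pin(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header):
    """Parse a Public-Key-Pins header value into (set of pins, max-age seconds)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    age = re.search(r'max-age=(\d+)', header)
    return pins, int(age.group(1)) if age else 0

class PinStore:
    def __init__(self):
        self.noted = {}  # host -> (pins, expiry time)

    def connect(self, host, chain_spkis, header, now):
        """chain_spkis: SPKI bytes of every certificate in the validated chain."""
        seen = {spki_pin(s) for s in chain_spkis}
        pins, expiry = self.noted.get(host, (None, 0))
        live = pins is not None and now < expiry
        if live and not (pins & seen):
            return "pin-failure"  # header on a failed connection is never read
        new_pins, max_age = parse_pkp(header) if header else (set(), 0)
        # Note pins only if one matches this chain and one (the backup) does not.
        if (new_pins & seen) and (new_pins - seen) and max_age > 0:
            self.noted[host] = (new_pins, now + max_age)
        return "ok" if live else "first-use"  # first-use: nothing to check against

def demo():
    a = b"constructed SPKI A"
    b = b"constructed SPKI B (backup)"
    c = b"constructed SPKI C (unpinned)"
    hdr = f'pin-sha256="{spki_pin(a)}"; pin-sha256="{spki_pin(b)}"; max-age=3600'
    store = PinStore()
    return [
        store.connect("domain.ca", [a], hdr, now=0),      # pins noted on first use
        store.connect("domain.ca", [a], hdr, now=10),     # same key: accepted
        store.connect("domain.ca", [b], hdr, now=20),     # rollover to backup key
        store.connect("domain.ca", [c], None, now=30),    # unpinned key: rejected
        store.connect("domain.ca", [c], None, now=4000),  # pins expired: accepted
    ]

if __name__ == "__main__":
    print(demo())
```

The rejected connection at `now=30` looks the same to the client whether key C belongs to a mis-issued certificate or to the site's own unplanned key change, which is where the self denial-of-service comes from.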
Pinning — Browser Preloads
Certificate attributes are pinned in a preloaded list, maintained by the browser vendor.
Resolves trust-on-first-use
Minimal server participation
Not scalable to millions of servers
Increases trust in your browser

Pinning — DNS
Certificate attributes are pinned in a DNS record for your domain and distributed with DNSSEC
Setting record scales to the internet
Distributing records: DNSSEC scalability debatable
Records could be stapled into TLS connection
Increased trust in DNS system
Could be used with self-issued certificates

DANE — TLSA: P. Hoffman & J. Schlyter. The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA. RFC 6698. Standards Track. 2012.

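How a DNS-pinned record is compared with the certificate a server presents, as an added example (not from the original slides): matching a TLSA record per the usage, selector and matching-type fields of RFC 6698. It assumes the record was already DNSSEC-validated and that the chain includes the pinned issuer; the certificate and key byte strings are constructed, and `check_tlsa` is a hypothetical name.

```python
import hashlib

# Certificate usage values (RFC 6698, section 2.1.1)
CA_CONSTRAINT, SERVICE_CERT, TRUST_ANCHOR, DOMAIN_ISSUED = 0, 1, 2, 3

# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHERS = {
    0: lambda blob: blob,
    1: lambda blob: hashlib.sha256(blob).digest(),
    2: lambda blob: hashlib.sha512(blob).digest(),
}

def parse_tlsa(rdata):
    """Parse presentation format: 'usage selector matching-type hex-data'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))

def check_tlsa(rdata, chain):
    """chain: [(cert_der, spki_der), ...] with the server certificate first.
    Returns (matched, pkix_required): whether the record matches, and whether
    validation against the preloaded CA set is still required as well."""
    usage, selector, mtype, pinned = parse_tlsa(rdata)
    if usage not in range(4) or selector not in (0, 1) or mtype not in MATCHERS:
        return False, True  # unusable record: never counts as a match
    # Usages 1 and 3 pin the server certificate; 0 and 2 pin an issuer above it.
    candidates = chain[:1] if usage in (SERVICE_CERT, DOMAIN_ISSUED) else chain[1:]
    # Selector 0 compares the full certificate, selector 1 only its public key.
    matched = any(MATCHERS[mtype](entry[selector]) == pinned for entry in candidates)
    # Usages 0 and 1 constrain ordinary CA validation; 2 and 3 let the DNS
    # record stand in for the preloaded CA set (self-issued certs become usable).
    return matched, usage in (CA_CONSTRAINT, SERVICE_CERT)

# Constructed stand-ins for DER bytes: (certificate, SubjectPublicKeyInfo).
LEAF = (b"constructed leaf certificate", b"constructed leaf SPKI")
ISSUER = (b"constructed issuer certificate", b"constructed issuer SPKI")
OTHER_LEAF = (b"constructed other certificate", b"constructed other SPKI")

PIN_OWN_KEY = "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest()
PIN_ISSUER = "0 0 1 " + hashlib.sha256(ISSUER[0]).hexdigest()

if __name__ == "__main__":
    print(check_tlsa(PIN_OWN_KEY, [LEAF]))              # self-issued cert accepted
    print(check_tlsa(PIN_ISSUER, [LEAF, ISSUER]))       # match, CA validation too
    print(check_tlsa(PIN_OWN_KEY, [OTHER_LEAF, ISSUER]))  # different key: no match
```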
Notary — Multipath Probing
Third party notaries relay information about the certificate they see for a domain.
No server-side changes
Performance penalty and needs high reliability
A domain may have multiple certs (load-balancing)
Privacy issues
Trust agility: a pro or a con?

Convergence: Moxie Marlinspike. Convergence, Beta. SSL And The Future Of Authenticity. BlackHat USA 2011. convergence.io
Perspectives: D. Wendlandt, D. G. Andersen, and A. Perrig. Perspectives: Improving SSH-style host authentication with multi-path probing. USENIX Annual Tech, 2008.

Notary — Log
Certificate authorities publish server certificates in an append-only log. Sites monitor the log for fraudulent certificates and report them for revocation
Detection instead of prevention
Increases visibility
Notary similarities: performance, tracing, etc.
Differences: one authority, sites can staple logs
Full CA opt-in
Relies on revocation

Certificate Transparency: B. Laurie, A. Langley, & E. Kasper. Certificate Transparency. Network Working Group. Internet-Draft. Intended Status: Experimental. April 18, 2013.

Jeremy Clark & Paul C. van Oorschot (Carleton University). SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements. IEEE Symposium on Security and Privacy, 2013.

Security: No New Trusted Entity, No New Auth'n Tokens
Deployability: No Server-Side Changes, Deployable without DNSSEC, No Extra Communications, Internet Scalable
Privacy: No New Traceability, Reduces Traceability
Usability: No False-Rejects, Status Signalled Completely, No New User Decisions

[2x2 chart. Axes: No Server Side Changes / Server Side Changes; No Extra Communication / Extra Communication]
Entries: Preloads; OCSP Stapling, Short-Lived Certs; DANE (Stapled), HSTS/HPKP/TACK; CT (Lookup), Convergence, OCSP; CT (Stapled), Certificate Patrol, S-Links; DANE (Lookup)

Conclusions
The breadth of past and on-going issues with TLS is noteworthy
Sophistication of attacking the TLS protocol seems to have shifted interest to its trust infrastructure, which has on-going issues
No clear winner among enhancements: trade-offs