The Inconvenient Truth about Web Certificates
Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, Jean-Pierre Hubaux
June 2011, WEIS’11
2
HTTPS
Threats: Impersonation, Eavesdropping, Modifications
Security properties: Authentication, Confidentiality, Integrity
Example: https://www.bankofamerica.com
Secure communication: e-banking, e-commerce, Web email, etc.
HTTPS provides Authentication, Confidentiality and Integrity
HTTPS in practice
HTTPS is at the core of online businesses
Provided security is dubious, notably due to obscure certificate management
3
Research Questions
Q1: At which scale is HTTPS currently deployed?
Q2: What are the problems with current HTTPS deployment?
Q3: What are the underlying reasons that led to these problems?
4
Methodology
Large-scale empirical analysis of the current deployment of HTTPS on the top 1 million websites
1 million most popular websites (Alexa’s ranking)
Connect to each website with HTTP and HTTPS
Store: URLs, content of Web pages, certificates
5
Q1: At which scale is HTTPS deployed?
1/3 of websites can be browsed via HTTPS
6
Is this too much or too little?
HTTPS: 34.7%, HTTP: 65.3%
Login Pages: HTTP vs. HTTPS
77.4% of websites may compromise users’ credentials!
7
Login pages served via HTTPS: 22.6%; via HTTP: 77.4%
More Web pages should be served via HTTPS!
Q2: What are the problems with current HTTPS deployment?
HTTPS may fail due to:
Server certificate-based authentication
Cipher suites
The majority (70%) of websites use the DHE-RSA-AES256-SHA cipher suite
8
X.509 Certificates: Bind a public key with an identity
Certificates issued by trusted Certification Authorities (CAs)
To issue a certificate, CAs should validate:
1. The applicant owns the domain name
2. The applicant is a legitimate and legally accountable entity
9
Two-step validation
BoA sends CA XYZ its identifying information, the domain name www.bankofamerica.com and its public key K_BoA
CA XYZ performs the two-step validation and issues Organization Validated (OV) certificates
10
Certificate-based Authentication
Authentication over HTTPS: https://www.bankofamerica.com
Chain of trust: public keys of trusted CAs pre-installed in Web browsers (Browser: K_CA)
11
Self-signed Certificates
Authentication over HTTPS: https://icsil1mail.epfl.ch
Chain of trust cannot be verified by Web browsers (Browser: K_EPFL ??)
12
Verifying X.509 Certificates
Trusted CA + Not expired + Domain match = Successful authentication
Authentication Success
14
Authentication Success (total of 300’582 certificates)
Authentication Failures
15
Authentication Failures (total of 300’582 certificates)
Certificate Reuse Across Multiple Domains
Mostly due to Internet virtual hosting
16
Certificate Validity Domain    Number of virtual hosts
*.bluehost.com                 10’075
*.hostgator.com                 9’148
*.hostmonster.com               4’954
Serving providers’ certs results in Domain Mismatch
Solution: Server Name Indication (SNI) – TLS extension
47.6% of collected certificates are unique
Domain Mismatch: Unique Trusted Certificates
45.24% of unique trusted certs cause Domain Mismatch
17
Subdomain mismatch: cert valid for subdomain.host deployed on host, and vice versa
Authentication Success
18
Authentication Success (total of 300’582 certificates)
Domain-validated Only (DVO) certificates
1. The applicant owns the domain name: validated, based on Domain Name Registrars and email verification
2. The applicant is a legitimate and legally accountable entity: not validated
Problem: Domain Name Registrars are untrustworthy
Trusted DVO Certificates
Legitimacy of the certificate owner cannot be trusted!
20
Trusted, Organization NOT Validated: Domain-validated Only (DVO)
Trusted, Organization Validated: Organization Validated (OV)
Extended Validation (EV): Rigorous extended validation of the applicant [ref]; special browser interface
Trusted EV Certificates
21
DVO vs. OV vs. EV Certificates
61% of certs trusted by browsers are DVO
22
Certs with successful authentication (48’158 certs): DVO 61%, OV 33%, EV 6%
5.7% of certs (OV+EV) provide organization validation
Research Questions
Q1: How is HTTPS currently deployed?
1/3 of websites can be browsed via HTTPS
77.4% of login pages may compromise users’ credentials
Q2: What are the problems with current HTTPS deployment?
Authentication failures mostly due to domain mismatch
Weak authentication with DVO certificates
23
Q3: What are the underlying reasons that led to these problems?
Economics
Misaligned incentives: most website operators have an incentive to obtain cheap certs; CAs have an incentive to distribute as many certs as possible
Consequence: cheap certs for cheap security
Liability: no or limited liability of involved stakeholders
Reputation: rely on subsidiaries to issue certs less rigorously
Usability: the more interruptions users experience, the more they learn to ignore security warnings
Web browsers have little incentive to limit access to websites
24
Countermeasures
New Third-Parties: open websites managed by users, CAs or browser vendors; introduce information related to the performance of CAs and websites
New Policies:
Legal aspects: CAs responsible for cert-based auth., websites responsible for cert deployment
Web browser vendors limiting the number of root CAs, selection based on quality of certs
Authentication Success Rate wrt. CAs
25
Conclusion
Large-scale empirical study of HTTPS and certificate-based authentication on 1 million websites
5.7% (18’785) implement cert-based authentication properly: no browser warnings, legitimacy of the certificate owner verified
Market for lemons: information asymmetry between CAs and website operators
Most websites acquire cheap certs, leading to cheap security
Change policies to align incentives
26
Data available at: http://icapeople.epfl.ch/freudiger/SSLSurvey
27
Certificate Types
Trusted certificates:
Extended Validation (EV) (extended validation)
Organization Validated (OV) (two-step validation)
Domain-validated only (DVO) (step 1 validation)
Untrusted (self-signed) certificates
28
Certificate Type   Pros          Cons
EV                 Most trust    Expensive
OV                 Trusted       Web browsers cannot distinguish OV from DVO certificates
DVO                Inexpensive   Cannot guarantee legitimacy of the certificate owner
Self-signed        No cost       Not trusted by Web browsers
Domain Matching
Compare host to candidate fields: DNS Name (Alternative Name certificate extension), Common Name (Subject)
Domain Match [RFC2459, RFC2818]:
Host matches exactly one of the candidate fields (case-insensitive)
Host matches the regular expression given by wildcard candidate fields (e.g., *.a.com matches foo.a.com but not bar.foo.a.com)
29
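As an added example (not part of the slides or the authors' survey code), the domain-matching rules above and the two subdomain-mismatch categories the survey reports (cert for subdomain.host deployed on host, cert for host deployed on subdomain.host), implemented in Python. The candidate-field rule follows RFC 2818 (SAN dNSName entries when present, otherwise the Common Name); the observations in SAMPLE are constructed, not survey data.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

def candidate_fields(san_dns_names: Iterable[str], common_name: Optional[str]) -> List[str]:
    """RFC 2818: use the SAN dNSName entries when present, otherwise the Common Name."""
    names = [n.lower() for n in san_dns_names]
    if not names and common_name:
        names = [common_name.lower()]
    return names

def field_matches(host: str, field: str) -> bool:
    """Exact case-insensitive match, or wildcard match where '*' stands for one
    label or label fragment: *.a.com matches foo.a.com, not bar.foo.a.com or a.com."""
    host, field = host.lower(), field.lower()
    if "*" not in field:
        return host == field
    # Escape the pattern, then let each '*' match one label's worth of characters.
    pattern = re.escape(field).replace(r"\*", r"[^.]+")
    return re.fullmatch(pattern, host) is not None

def classify(host: str, fields: List[str]) -> str:
    """'match', one of the survey's two subdomain-mismatch categories, or 'mismatch'."""
    if any(field_matches(host, f) for f in fields):
        return "match"
    for f in fields:
        if "*" in f:
            continue  # wildcards were already tried by field_matches
        if f.endswith("." + host):
            return "lack-subdomain-redirection"  # cert for subdomain.host served on host
        if host.endswith("." + f):
            return "wrong-subdomain-cert"  # cert for host served on subdomain.host
    return "mismatch"

# Constructed observations (not survey data): (host connected to, SAN dNSNames, Common Name).
SAMPLE: List[Tuple[str, List[str], Optional[str]]] = [
    ("www.bankofamerica.com", ["www.bankofamerica.com", "bankofamerica.com"], None),
    ("example.org", ["www.example.org"], None),    # cert for www.example.org served on example.org
    ("mail.example.org", [], "example.org"),       # cert for example.org served on mail.example.org
    ("shop.customer.test", [], "*.bluehost.com"),  # hosting provider's cert served without SNI
    ("foo.a.com", ["*.a.com"], None),              # wildcard match
]

def tally(observations=SAMPLE) -> Dict[str, int]:
    """Count matching outcomes over (host, SAN names, CN) observations."""
    counts: Dict[str, int] = {}
    for host, san, cn in observations:
        outcome = classify(host, candidate_fields(san, cn))
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts
```

Running tally() over a crawl's stored (host, certificate) pairs reproduces the split between plain mismatches and the two subdomain categories that the slides break out separately.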
Authentication Success Rate wrt. CAs
30
Authentication Success Rate wrt. Countries
31
Authentication Success Rate wrt. Website Rank
32
Facebook Login Page
By default served with HTTP
Source code of the login page:
<div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" ……>
33
Collected Data
http(s)://arbitraryServer/
Data collected for 1’000’787 unique hosts
958’420 working hosts
1’032’019 Web pages with HTTP
339’693 Web pages with HTTPS
Following redirections, final pages are mostly in the initial domain or in the www subdomain
34
35
Verifying X.509 Certificates
Verify                  How                                      Success               Failure
Validity of signatures  OpenSSL verify tool                      Valid chain of trust  Broken chain of trust
Trusted root            Is the root among trusted root CAs?      Trusted certificate   Untrusted certificate
Validity period         Compare to the current date              Not expired           Expired
Domain matching         Compare host to CN (Subject), DNS name   Domain match          Domain mismatch
Related Work
SSL Observatory [1]: crawl the IP address space; check certificate properties (e.g., EV certificates non-compliant with the standard)
We crawl different domains; check how certificates are used in practice (e.g., domain matching)
36
[1] The EFF SSL Observatory — Electronic Frontier Foundation. http://www.eff.org/observatory
State of the Art - Attacks
Attacks on HTTPS:
Attacking Root CAs [1]
Attacking Weak Certificate Validation [2]
37
[1] C. Soghoian and S. Stamm, “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL,” in HotPETs, 2010.
[2] SSL Certificate for Mozilla.com Issued Without Validation. http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html
Domain Mismatch: Trusted Certificates
74.5% of trusted certs cause Domain Mismatch
38
Lack subdomain redirection: cert valid for subdomain.host deployed on host
Wrong subdomain cert: cert valid for host deployed on subdomain.host
39