Bruce Maggs Duke University and Akamai Technologies Joint work with Frank Cangialosi Taejoong Chung Yabing Liu Will Tome Liang Zhang David Choffnes Dave Levin ID: 549916
Slide1
The Web PKI in Practice and Malpractice
Bruce Maggs
Duke University and Akamai Technologies
Joint work with Frank Cangialosi, Taejoong Chung, Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Alan Mislove, Aaron Schulman, and Christo Wilson.
Slide2
Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating?
[Diagram labels: Website, Browser, Certificate Authority, Vetting, Certificate ("The owner of ... is indeed BoA"), public, private]
Slide3
Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating?
[Diagram labels: Browser, Certificate Authority, Website, Certificate, public, private]
Slide4
Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating?
[Diagram labels: Browser, Certificate Authority, Website, Certificate ✓, public, private]
Slide5
Verifying certificates
[Diagram: the Browser checks a chain of three certificates, each marked ✓: “I’m ... because ... says so”, “I’m ... because ... says so”, “I’m ... because I say so!”]
Root key store
Every device has one
Must not contain malicious certificates
Slide6
Certificate revocation
What happens when a certificate is no longer valid?
[Diagram labels: Browser, Certificate Authority, Website, Attacker, Certificate ✗; “Please revoke”; Certificate Revocation; Periodically pull (CRL) / query (OCSP)]
Slide7
Certificate revocation is a critical part of any PKI
Administrators must revoke and reissue as quickly as possible
Browsers/OSes should obtain revocations as quickly as possible
Slide8
But Checking Comes at a Cost
Browsers want pages to load quickly
CAs and mobile devices want to reduce bandwidth costs
[Diagram labels: Website, Browser, Certificate Authority, Certificate, “Revoked?”]
Slide9
OCSP Stapling
[Diagram labels: Website, Browser, Certificate Authority, Certificate ✗, Certificate ✔]
But OCSP Stapling rarely activated by admins:
Our scan: 3% of normal certs; 2% of EV certs
Slide10
Testing browser behavior
Revocation protocols
Browsers should support all major protocols: CRLs, OCSP, OCSP stapling
Availability of revocation info
Browsers should reject certs they cannot check
E.g., because the OCSP server is down
Chain lengths
Browsers should reject a cert if any on the chain fail: Leaf, intermediate(s), root
[Diagram labels: Root, Intermediate, …, Intermediate, Leaf, signs]
Slide11
Test harness
Implemented 192 tests using fake root certificate + JavaScript
Unique DNS name, cert chain, CRL/OCSP responder, …
Slide12
EV Certificates
More thorough vetting process of CAs and clients
Does the more thorough vetting process translate into better security practices?
[Diagram labels: Website, Certificate Authority, Vetting, Certificate ("The owner of ... is indeed BoA"), Normal, Extended Validation]
Slide13
Results across all browsers
Chrome
Generally, only checks for EV certs
~3% of all certs
Allows if revocation info unavailable
Supports OCSP stapling
Firefox
Never checks CRLs
Only checks intermediates for EV certs
Allows if revocation info unavailable
Supports OCSP stapling
Safari
Checks CRLs and OCSP
Allows if revocation info unavailable
Except for first intermediate, for CRLs
Does not support OCSP stapling
Internet Explorer
Checks CRLs and OCSP
Often rejects if revocation info unavailable
Pops up alert for leaf in IE 10+
Supports OCSP stapling
Mobile Browsers
Uniformly never check
Android browsers request Staple
…and promptly ignore it
✔ Passes test
✗ Fails test
EV Passes for EV certs
I Ignores OCSP Staple
A Pops up alert to user
L/W Passes on Linux/Win.
Slide14
Results across all browsers
✔ Passes test
✗ Fails test
EV Passes for EV certs
I Ignores OCSP Staple
A Pops up alert to user
L/W Passes on Linux/Win.
Browser developers are not doing what the PKI needs them to do
Slide15
No browser correctly checks all revocations
Mobile browsers are completely negligent
IE is the most responsible (!?)
Browser developers are not doing what the PKI needs them to do
Browsers/OSes should obtain revocations as quickly as possible, but they don’t
Slide16
Surprising Fact #1
Browsers on cell phones do not do any checking for certificate revocation.
You don’t really know if you are visiting your bank’s web site.
Slide17
Securing Private Keys
RFC 5208: …failure of users to protect their private keys will permit an attacker to masquerade as them or decrypt their personal information.
Slide18
Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating?
[Diagram labels: Website, Browser, Certificate Authority, Certificate, Vetting, Verification, Revocation checking]
The only one who knows Alice’s private key is Alice
Slide19
Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating?
[Diagram labels: Website, Browser, Certificate Authority, CDN, Certificate, Vetting, Verification, Revocation checking, Key sharing]
The only one who knows Alice’s private key is Alice
Slide20
How are keys shared?
[Diagram labels: Certificate, Delegate]
Slide21
Why are CDNs holding private keys?
Trend towards serving all content securely
Trend towards whole-site delivery through CDNs
[Diagram labels: Website, Browser, CDN, TCP three-way handshake, TLS handshake, Persistent TCP Connection, Split TCP]
Slide22
How are keys shared?
[Diagram labels: Delegated, Copied, Aggregated; Vet, Issue, Vet & issue, Upload, aws]
Slide23
Subject Alternate Name (SAN) Lists
Spirit: Multiple names for the same organization
Slide24
Subject Alternate Name (SAN) Lists
Spirit: Multiple names for the same organization
Practice: Different organizations lumped together
Who gets the private key?
Who manages it?
Cruise-liner Certificate
Slide25
Domain equivalence
Given two domains, are they the same organization?
Same administrative domain
google.com
google.co.uk
google.de
zagat.com
golang.org
whois
Registrant Email: dns-admin@google.com
Admin Email: dns-admin@google.com
Tech Email: dns-admin@google.com
Emails in whois records reflect administrative domain (or at least point of contact)
Slide26
Domain equivalence
Given two domains, are they the same organization?
Same administrative domain
google.com
google.co.uk
google.de
zagat.com
golang.org
whois
Registrant Email: dns-admin@google.com
Admin Email: dns-admin@google.com
Tech Email: dns-admin@google.com
whois
dns-admin@google.com
Slide27
Domain equivalence
Given two domains, are they the same organization?
Same administrative domain
google.com
google.co.uk
google.de
zagat.com
golang.org
whois
Registrant Email: dns-admin@google.com
Admin Email: dns-admin@google.com
Tech Email: dns-admin@google.com
whois
dns-admin@google.com
Slide28
Domain equivalence
Given two domains, are they the same organization?
Same administrative domain
google.com
google.co.uk
google.de
zagat.com
golang.org
dns-admin@google.com
Slide29
Domain equivalence challenges
Some admin overlap that doesn’t reflect website administration
google.com
google.co.uk
google.de
dns-admin@google.com
google.co.tz
support@itfarm.co.tz
peroniitaly.co.tz
ccops@markmonitor.com
okcupid.com
tommyhilfiger.fr
sonypictures.de
1,457
Slide30
Domain equivalence challenges
Registrars hide customers behind common email addresses
Approach: Mark some email addresses as “non-permissible”
whois@bluehost.com 23,276
contact@privacyprotect.org 14,145
proxy@whoisprotectservice.com 8,741
Slide31
Domain equivalence challenges
Some admin overlap that doesn’t reflect website administration
[Diagram labels: Strongly connected, Strongly connected, Weakly connected]
Approach: Iteratively apply a clustering algorithm to cull edges
Slide32
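The whois-email grouping from the domain equivalence slides above, as an added example (not the authors' code): domains are linked when they share a whois contact email, and the registrar/proxy addresses the slides mark as non-permissible are ignored. It is a simplification that does not implement the iterative edge-culling clustering step; the whois records, the `.example` domains and the function names are constructed for illustration.

```python
# Added illustration: group SAN-list domains into organizations by shared
# whois contact emails. All whois records below are constructed sample data.
from collections import defaultdict

# Registrar/privacy-proxy addresses the slides mark as "non-permissible".
NON_PERMISSIBLE = {
    "whois@bluehost.com",
    "contact@privacyprotect.org",
    "proxy@whoisprotectservice.com",
}

# Constructed whois contacts (registrant/admin/tech emails) per domain.
WHOIS = {
    "google.com": {"dns-admin@google.com"},
    "zagat.com": {"dns-admin@google.com"},
    "golang.org": {"dns-admin@google.com"},
    "shop-a.example": {"whois@bluehost.com"},
    "shop-b.example": {"whois@bluehost.com", "owner@shop-b.example"},
    "blog-b.example": {"owner@shop-b.example"},
}

def organizations(domains, whois=WHOIS, blocked=NON_PERMISSIBLE):
    """Return sets of domains linked by at least one permissible whois email."""
    parent = {d: d for d in domains}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    by_email = defaultdict(list)
    for d in domains:
        emails = {e.lower() for e in whois.get(d, ())} - blocked
        for email in emails:
            by_email[email].append(d)
    for linked in by_email.values():
        for other in linked[1:]:
            parent[find(other)] = find(linked[0])  # union on shared contact

    groups = defaultdict(set)
    for d in domains:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=sorted)

def is_cruise_liner(san_list):
    """True if the SAN list spans more than one inferred organization.
    A domain with no usable whois email counts as its own organization."""
    return len(organizations(san_list)) > 1
```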
Domain equivalence results
                 ..certs with no SAN list   ..certs with one-org SAN   ..certs with multiple orgs
Total # of..     203,394                    4,692,393                  161,810
#Domains on..    124,746                    2,265,090                  305,904
#Orgs on..       109,994                    1,994,279                  255,901
Slide33
Domain equivalence results
                 ..certs with no SAN list   ..certs with one-org SAN   ..certs with multiple orgs
Total # of..     203,394                    4,692,393                  161,810
#Domains on..    124,746                    2,265,090                  305,904
#Orgs on..       109,994                    1,994,279                  255,901
3% of all valid certificates violate the typical one-organization assumption
Slide34
Domain equivalence
dogchow.com
whois
Registrant Email: domain_names@nestle.com
Admin Email: iadmincontact@purina.com
Tech Email: DSU.ServiceDelivery@nestle.com
Slide35
Domain equivalence
dogchow.com
nestle.com
purina.com
nestle.com
Slide36
Domain equivalence
dogchow.com
nestle.com
purina.com
nestle.com
nwnasourceblog.com
mycatperksnatural.com
nestle.com
purinaone.co.nz
purina.com
Slide37
161,812 (3.2%) certificates contain multiple organizations
CloudFlare
Expected behavior (96.8%)
Maximum: 310
Slide38
Use of Cruise-Liner Certificates
Why do some CDNs put domains from different organizations on the same certificates while others do not?
Windows XP artifact: no support for the TLS “Server Name Indication” extension
To avoid an error, the Web server must provide the correct certificate to the Windows XP browser without any hint of which domain is to be requested
Kludge: serve certificates for different domains from different network addresses
One CDN has quietly amassed over 10M IPv4 addresses for this purpose
Slide39
Keys have been heavily aggregated
Hosting provider          #Organizations   #Domains
secureserver.net          266,110          277,891
unifiedlayer.com          151,628          175,089
amazonaws.com             117,229          122,158
CloudFlare Inc.           78,369           87,077
Rackspace Hosting.        54,158           63,418
akamaitechnologies.com    15,440           22,671
…                         …                …
Slide40
Key sharing makes ripe targets of attack
60% of the most popular websites are hosted on the same provider
Slide41
Key sharing in the web’s PKI
How often do organizations share their private keys?
50% share with ≥1 provider
Most and least popular websites are more likely to share
How many keys have providers aggregated?
Some providers have 100k+
Aggregation has made them ripe targets for attack
Slide42
Surprising Fact #2
Some hosting companies have copies of the private keys belonging to thousands of other organizations.
A compromise of any one of these hosting companies would be catastrophic for web security.
Slide43
Taken for Granted
A browser can only verify that it is talking to the desired web site if it receives a valid certificate.
Slide44
Certificate Scan Corpus
Scan all of IPv4 port 443
156 scans by U. Michigan, June 2012-Jan 2014
74 scans by Rapid7, October 2013-March 2015
80.4M distinct certificates seen
Slide45
Invalid Certificates
72.4M invalid (90.0%)
67% per scan (median)
85.6% self-signed
11.6% signed by untrusted certificate
2.3% otherwise valid but expired
Slide46
Issuers of Certificates
Slide47
Networks Hosting Certificates
Slide48
Devices Issuing Invalid Certificates (top 50 issuers)
Merck-Stadion am Böllenfalltor
Slide49
Sharing A Public/Private Key Pair
A single public key appears in 4,586,469 invalid certificates (6.5%). The corresponding devices must also share the same private key.
All issued by Lancom Systems, a German company that makes home routers.
Slide50
Leverage Compromised Home Cable Modems/Routers
Slide51
Account Takeover Campaign Attack Architecture
Slide52
Attacking IP Persistence: Finance Customer
427,444,261 Accounts Checked
75% Multi-day Attackers
Slide53
Surprising Fact #3
Over 90% of default certificates served in complete scans of IPv4 port 443 were invalid!
The corresponding “web sites” cannot be authenticated.
Slide54
Room for improvement
securepki.org
We want to understand and improve
No browser fully checks for revocations (and IE is the best!)
CDNs and other hosting providers play a highly trusted role in the PKI
Can new protocols mitigate the need for key sharing?
90% of certificates in use don’t permit authentication