the inconvenient truth about web certificates

Post on 25-Feb-2016


The Inconvenient Truth about Web Certificates

Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, Jean-Pierre Hubaux

June 2011, WEIS’11

HTTPS

Secure communication: e-banking, e-commerce, Web email, etc.
Authentication, Confidentiality and Integrity

Threats and the property that counters each (example: https://www.bankofamerica.com):
Impersonation - Authentication
Eavesdropping - Confidentiality
Modifications - Integrity

HTTPS in practice
HTTPS is at the core of online businesses
Provided security is dubious
Notably due to obscure certificate management


Research Questions

Q1: At which scale is HTTPS currently deployed?

Q2: What are the problems with current HTTPS deployment?

Q3: What are the underlying reasons that led to these problems?

Methodology

Large-scale empirical analysis of the current deployment of HTTPS on the top 1 million websites
1 million most popular websites (Alexa's ranking)
Connect to each website with HTTP and HTTPS
Store: URLs, content of Web pages, certificates

Q1: At which scale is HTTPS deployed?

1/3 of websites can be browsed via HTTPS
HTTPS: 34.7%, HTTP only: 65.3%
Is this too much or too little?

Login Pages: HTTP vs. HTTPS

Login pages served over HTTPS: 22.6%; over HTTP: 77.4%
77.4% of websites may compromise users' credentials!
More Web pages should be served via HTTPS!

Q2: What are the problems with current HTTPS deployment?

HTTPS may fail due to:
Server certificate-based authentication
Cipher suites
The majority (70%) of websites use the DHE-RSA-AES256-SHA cipher suite

Certificates

X.509 certificates: bind a public key with an identity
Certificates issued by trusted Certification Authorities (CAs)
To issue a certificate, CAs should validate:
1. The applicant owns the domain name
2. The applicant is a legitimate and legally accountable entity

Two-step validation (diagram): BoA sends its identifying information and domain name www.bankofamerica.com to CA XYZ, which issues a certificate for BoA's public key K_BoA
Certificates issued after both steps are Organization Validated (OV) certificates

Certificate-based Authentication

Chain of trust: public keys of trusted CAs pre-installed in Web browsers
Browser holds K_CA and can verify the certificate presented by https://www.bankofamerica.com over HTTPS

Self-signed Certificates

Example: https://icsil1mail.epfl.ch
Chain of trust cannot be verified by Web browsers
Browser: K_EPFL ? (no pre-installed CA key vouches for it)

Verifying X.509 Certificates

Trusted CA, not expired, domain match: successful authentication

Authentication Success (chart; total of 300'582 certificates)

Authentication Failures (chart; total of 300'582 certificates)

Certificate Reuse Across Multiple Domains

Mostly due to Internet virtual hosting

Certificate validity domain   Number of virtual hosts
*.bluehost.com                10'075
*.hostgator.com               9'148
*hostmonster.com              4'954

Serving providers' certs results in Domain Mismatch
Solution: Server Name Indication (SNI), a TLS extension

Domain Mismatch: Unique Trusted Certificates

47.6% of collected certificates are unique
45.24% of unique trusted certs cause Domain Mismatch
Subdomain mismatch: cert valid for subdomain.host deployed on host, and vice versa

Authentication Success (chart; total of 300'582 certificates)

Domain-validated Only (DVO) Certificates

DVO certificates: only step 1 of the validation is performed
1. The applicant owns the domain name (validated, based on Domain Name Registrars and email verification)
2. The applicant is a legitimate and legally accountable entity (not validated)
Problem: Domain Name Registrars are untrustworthy
Trusted DVO certificates: legitimacy of the certificate owner cannot be trusted!

Organization Validated (OV) Certificates

Trusted, and the organization is validated (two-step validation), as opposed to trusted DVO certificates, whose organization is NOT validated

Extended Validation (EV) Certificates

Trusted; rigorous extended validation of the applicant [ref]
Special browser interface

DVO vs. OV vs. EV Certificates

Certs with successful authentication (48'158 certs): DVO 61%, OV 33%, EV 6%
61% of certs trusted by browsers are DVO
5.7% of certs (OV+EV) provide organization validation

Research Questions

Q1: How is HTTPS currently deployed?
1/3 of websites can be browsed via HTTPS
77.4% of login pages may compromise users' credentials

Q2: What are the problems with current HTTPS deployment?
Authentication failures mostly due to domain mismatch
Weak authentication with DVO certificates

Q3: What are the underlying reasons that led to these problems?

Economics
Misaligned incentives: most website operators have an incentive to obtain cheap certs; CAs have an incentive to distribute as many certs as possible
Consequence: cheap certs for cheap security

Liability
No or limited liability of involved stakeholders

Reputation
Rely on subsidiaries to issue certs less rigorously

Usability
The more interruptions users experience, the more they learn to ignore security warnings
Web browsers have little incentive to limit access to websites

Countermeasures

New Third-Parties:
Open websites managed by users, CAs or browser vendors
Introduce information related to the performance of CAs and websites
Authentication Success Rate wrt. CAs (chart)

New Policies:
Legal aspects: CAs responsible for cert-based authentication; websites responsible for cert deployment
Web browser vendors limiting the number of root CAs: selection based on quality of certs

Conclusion

Large-scale empirical study of HTTPS and certificate-based authentication on 1 million websites
5.7% (18'785) implement cert-based authentication properly: no browser warnings, legitimacy of the certificate owner verified
Market for lemons: information asymmetry between CAs and website operators
Most websites acquire cheap certs, leading to cheap security
Change policies to align incentives

Data available at: http://icapeople.epfl.ch/freudiger/SSLSurvey

Certificate Types

Trusted certificates:
Extended Validation (EV) (extended validation)
Organization Validated (OV) (two-step validation)
Domain-validated only (DVO) (step 1 validation)
Untrusted (self-signed) certificates

Certificate Type   Pros          Cons
EV                 Most trust    Expensive
OV                 Trusted       Web browsers cannot distinguish OV from DVO certificates
DVO                Inexpensive   Cannot guarantee legitimacy of the certificate owner
Self-signed        No cost       Not trusted by Web browsers

Domain Matching

Compare host to candidate fields:
DNS Name (Subject Alternative Name certificate extension)
Common Name (Subject)

Domain Match [RFC2459, RFC2818]:
Host matches exactly one of the candidate fields (case-insensitive)
Host matches the regular expression given by wildcard candidate fields (e.g., *.a.com matches foo.a.com but not bar.foo.a.com)

Authentication Success Rate wrt. CAs (chart)

Authentication Success Rate wrt. Countries (chart)

Authentication Success Rate wrt. Website Rank (chart)

Facebook Login Page

By default served with HTTP
Source code of the login page:
<div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" ……>

http(s)://arbitraryServer/
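The Login Pages slides distinguish the scheme that serves the page from the scheme that receives the credentials; the Facebook example is a page served over HTTP whose form posts to HTTPS, which still leaves the page itself open to modification. The check below is an added example, not the study's crawler code: it parses a page with Python's html.parser, finds the form that carries a password field, and classifies the page/target scheme pair. SAMPLE_HTML is a constructed page loosely modelled on the snippet above, with placeholder hosts under .test.

```python
"""Classify how a login page handles credentials from its URL and its HTML.

Added example; SAMPLE_HTML is constructed and the hosts are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> as [action, has_password_field]."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_page(page_url, html):
    """Return one of:
    'https'           page and form target both served over HTTPS
    'http-post-https' page over HTTP, form posts to HTTPS: credentials are
                      encrypted in transit, but the page (and so the form
                      target) can be modified before the user sees it
    'http'            credentials are posted in the clear (this includes an
                      HTTPS page whose form posts to HTTP)
    'no-login-form'   no form with a password field was found
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # A relative action inherits the page's scheme and host.
        target_scheme = urlsplit(urljoin(page_url, action)).scheme.lower()
        if page_scheme == "https" and target_scheme == "https":
            return "https"
        if page_scheme == "http" and target_scheme == "https":
            return "http-post-https"
        return "http"
    return "no-login-form"


# Constructed sample: a search form (no password) followed by the login form.
SAMPLE_HTML = """<form action="/search"><input type="text" name="q"></form>
<div class="menu_login_container">
<form method="POST" action="https://login.example.test/login.php?login_attempt=1" id="login_form">
<input type="text" name="email"><input type="password" name="pass">
</form></div>"""


if __name__ == "__main__":
    print(classify_login_page("http://www.example.test/", SAMPLE_HTML))   # http-post-https
    print(classify_login_page("https://www.example.test/", SAMPLE_HTML))  # https
```

Only the form containing a password field is considered, so a search box on the same page does not affect the verdict; a page with several login forms is classified by the first one encountered.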

Collected Data

Data collected for 1'000'787 unique hosts
958'420 working hosts
1'032'019 Web pages with HTTP
339'693 Web pages with HTTPS
Following redirections, final pages are mostly in the initial domain or in the www subdomain

Verifying X.509 Certificates

Verify                  How                                        Success                 Failure
Validity of signatures  OpenSSL verify tool                        Valid chain of trust    Broken chain of trust
Trusted root            Is the root among trusted root CAs?        Trusted certificate     Untrusted certificate
Validity period         Compare to the current date                Not expired             Expired
Domain matching         Compare host to CN (subject) and DNS name  Domain match            Domain mismatch
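The table above fixes an order of checks, and the Domain Matching slide fixes the rule for the last of them. The following is an added example, not the authors' survey tooling: it runs the four checks in the slide's order, implements the RFC 2818-style matching rule (case-insensitive exact match on SAN DNS names and the subject CN, wildcard covering exactly one label, so *.a.com matches foo.a.com but not bar.foo.a.com), and, when matching fails, labels the two subdomain cases from the Domain Mismatch slides. The chain check (the OpenSSL verify row) is passed in as a boolean the caller obtains from that tool; the root store and the certificate records are constructed samples with placeholder names under .test.

```python
"""Certificate checks in the order of the 'Verifying X.509 Certificates'
slide, with RFC 2818-style domain matching and subdomain-mismatch labels.

Added example, not the study's code. The signature/chain result is supplied by
the caller; TRUSTED_ROOTS and SAMPLE_CERTS are constructed.
"""
from datetime import date


def _candidate_names(cert):
    """Candidate fields: SAN dNSName entries, then the subject Common Name."""
    names = [n.lower() for n in cert.get("san_dns", [])]
    if cert.get("cn"):
        names.append(cert["cn"].lower())
    return names


def name_matches(host, candidate):
    """Case-insensitive exact match, or a single-label wildcard match.
    Only the leading '*.' form is treated as a wildcard."""
    host, candidate = host.lower(), candidate.lower()
    if host == candidate:
        return True
    if candidate.startswith("*."):
        suffix = candidate[1:]            # e.g. ".a.com"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]     # the part the '*' has to cover
        return prefix != "" and "." not in prefix
    return False


def domain_match(host, cert):
    """Domain Match: the host matches at least one candidate field."""
    return any(name_matches(host, c) for c in _candidate_names(cert))


def classify_mismatch(host, cert):
    """Label a failed match: 'lack subdomain redirection' (cert for
    subdomain.host deployed on host), 'wrong subdomain cert' (cert for host
    deployed on subdomain.host) or 'other'. Wildcard names are skipped."""
    host = host.lower()
    for name in _candidate_names(cert):
        if name.startswith("*."):
            continue
        if name.endswith("." + host):
            return "lack subdomain redirection"
        if host.endswith("." + name):
            return "wrong subdomain cert"
    return "other"


def verify(host, cert, today, chain_valid, trusted_roots):
    """Apply the four checks in order; the first failing check names the
    outcome. cert: dict with 'root' (name of the chain's root CA),
    'not_before'/'not_after' (date), 'san_dns' (list) and 'cn' (str)."""
    if not chain_valid:
        return "broken chain of trust"
    if cert["root"] not in trusted_roots:
        return "untrusted certificate"
    if not (cert["not_before"] <= today <= cert["not_after"]):
        return "expired"                  # outside the validity period
    if not domain_match(host, cert):
        return "domain mismatch: " + classify_mismatch(host, cert)
    return "successful authentication"


# Constructed samples: a stand-in root store and a few certificate records.
TRUSTED_ROOTS = {"Example Root CA"}
_BASE = {"root": "Example Root CA",
         "not_before": date(2011, 1, 1), "not_after": date(2012, 1, 1)}
SAMPLE_CERTS = {
    "bank": dict(_BASE, san_dns=["www.bank.test", "bank.test"], cn="www.bank.test"),
    "apex_only": dict(_BASE, san_dns=["bank.test"], cn="bank.test"),
    "www_only": dict(_BASE, san_dns=[], cn="www.shop.test"),
    "hoster": dict(_BASE, san_dns=["*.hoster.test"], cn="*.hoster.test"),
    "unknown_ca": dict(_BASE, root="Unknown CA", san_dns=["www.bank.test"], cn="www.bank.test"),
}


def run_samples(today=date(2011, 6, 1)):
    """Run verify() over the samples; returns {label: outcome}."""
    c, r = SAMPLE_CERTS, TRUSTED_ROOTS
    return {
        "bank ok": verify("www.bank.test", c["bank"], today, True, r),
        "bank broken chain": verify("www.bank.test", c["bank"], today, False, r),
        "unknown ca": verify("www.bank.test", c["unknown_ca"], today, True, r),
        "bank expired": verify("www.bank.test", c["bank"], date(2013, 1, 1), True, r),
        "wildcard ok": verify("customer.hoster.test", c["hoster"], today, True, r),
        "wildcard too deep": verify("a.b.hoster.test", c["hoster"], today, True, r),
        "apex with www cert": verify("shop.test", c["www_only"], today, True, r),
        "www with apex cert": verify("www.bank.test", c["apex_only"], today, True, r),
    }


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:20} -> {outcome}")
```

The order matters for the counts in the slides: a certificate with a broken chain is reported under that failure even if its name would also mismatch, so each certificate lands in exactly one category.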

Related Work

SSL Observatory [1]: crawl the IP address space; check certificate properties (e.g., EV certificates non-compliant with the standard)
We crawl different domains: check how certificates are used in practice (e.g., domain matching)

[1] The EFF SSL Observatory, Electronic Frontier Foundation. http://www.eff.org/observatory

State of the Art - Attacks

Attacks on HTTPS:
Attacking Root CAs [1]
Attacking Weak Certificate Validation [2]

[1] C. Soghoian and S. Stamm, "Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL," in HotPETs, 2010.
[2] SSL Certificate for Mozilla.com Issued Without Validation. http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html

Domain Mismatch: Trusted Certificates

74.5% of trusted certs cause Domain Mismatch
Lack subdomain redirection: cert valid for subdomain.host deployed on host
Wrong subdomain cert: cert valid for host deployed on subdomain.host