an end-to-end measurement of certiﬁcate revocation in the ... · an end-to-end measurement of...

An End-to-End Measurement of Certificate Revocation in the Web’s PKI

Yabing Liu*, Will Tome*, Liang Zhang*, David Choffnes*, Dave Levin†, Bruce Maggs‡, Alan Mislove*, Aaron Schulman§, Christo Wilson*

*Northeastern University †University of Maryland§Stanford University‡Duke University and Akamai Technologies

Public Key Infrastructures (PKIs)

WebsiteBrowser

How can users truly know with whom they are communicating?

2


WebsiteBrowser

Certificate Authority


2


WebsiteBrowser

Certificate AuthorityVetting


2


WebsiteBrowser

Certificate

is indeed BoA

The owner of Certificate Authority


2


WebsiteBrowserCertificate


Certificate


2

Certificate revocation

Browser


WebsiteCertificate

What happens when a certificate is no longer valid?

3


Browser


WebsiteCertificate


AttackerCertificate

3


Browser



Attacker

Certificate

3


Browser



Attacker

CertificateCertificate

3


Browser



Certificate✗

Attacker


Pleaserevoke

Certificate Revocation

3


Browser

Certificate AuthorityCertificate✗ Certificate✗Certificate✗ Certificate✗

Certificate✗Certificate✗


Attacker


Pleaserevoke

3


Browser




Attacker


Pleaserevoke

Periodicallypull / query

(CRL) (OCSP)

3


BrowserCertificate




Attacker


Pleaserevoke

Periodicallypull / query

(CRL) (OCSP)

✗✗

3

Certificate revocation responsibilities

4

This talk: Do these entities do what they need to do?

Administrators must revoke certificateswhen keys are compromised

Certificate✗Certificate authorities must publish revocationsas quickly as possible

Browsers must check revocation statuson each connection

Outline

5

Website admin behaviore.g., what is the frequency of revocation?

Certificate✗Certificate authorities behavior

e.g., how CAs serve revocations?

Client behaviore.g., do browsers check revocations?

Dataset

Rapid7IPv4scans

38M certs(~1/wk for 18mos)

6

Dataset

Rapid7IPv4scans


Non-CA

38M certs

CA

1,946 certs

classify

6

validate Leaf Set

5M valid certs

Dataset

Rapid7IPv4scans


Non-CA

38M certs

CA

1,946 certs

classify

6

validate Leaf Set

5M valid certs

Dataset

Rapid7IPv4scans


Non-CA

38M certs

CA

1,946 certs

classify

Download revocation information daily

6

How frequently are certificates revoked?

7

0.0

2.0

4.0

6.0

8.0

10.0

12.0

01/14 03/14 05/14 07/14 09/14 11/14 01/15 03/15

Perc

en

tag

e o

f F

resh

Cert

sth

at

are

Revo

ked

Date


7

Significant fraction of certificates revoked1% in steady state; more than 8% after Heartbleed

0.0

2.0

4.0

6.0

8.0

10.0

12.0

01/14 03/14 05/14 07/14 09/14 11/14 01/15 03/15

Perc

en

tag

e o

f F

resh

Cert

sth

at

are

Revo

ked

Date


8

Over 0.5% advertised certificates are revokedWebsite admins failed to update their servers

0.000

0.001

0.002

0.003

0.004

0.005

0.006

01/14 03/14 05/14 07/14 09/14 11/14 01/15 03/15

Fra

cti

on

of

Alive C

ert

sth

at

are

Revo

ked

Date

CRLs, OCSP, and OCSP Stapling




Certificate✗ Certificate✗Certificate✗ Certificate✗


9








9

Cost of obtaining CRLs

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

1

0.1 1 10 100 1000 10000

CD

F

CRL Size (KB)

10


0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

1

0.1 1 10 100 1000 10000

CD

F

CRL Size (KB)

76MB Apple CRL

10


0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

1

0.1 1 10 100 1000 10000

CD

F

CRL Size (KB)

RawWeighted

Most CRLs small, but large CRLs downloaded more oftenResult: 50% of certs have CRLs larger than 45KB

76MB Apple CRL

10

CRLs from different CAs

CA Unique CRLs

Certificates Avg. CRLsize (KB)Total Revoked

GoDaddy 322 1,050,014 277,500 1,184.0

RapidSSL 5 626,774 2,153 34.5

Comodo 30 447,506 7,169 517.6

PositiveSSL 3 415,075 8,177 441.3

Verisign 37 311,788 15,438 205.2

CAs use only a small number of CRLs11


12

WebsiteBrowser


Certificate


12

WebsiteBrowser




12

WebsiteBrowser


CertificateCertificate Certificate


12

WebsiteBrowser


Certificate

Certificate

Certificate

Certific✗Certific /✔Certificate✗ Certificate✗Certificate✗ Certificate✗




12

WebsiteBrowser


Certificate Certificate

Certific✗Certific /✔




OCSP prevalence

13

0.65

0.7

0.75

0.8

0.85

0.9

0.95

1

01/11 07/11 01/12 07/12 01/13 07/13 01/14 07/14 01/15

Frac

tion

of N

ew C

ertif

icat

esw

ith R

evoc

atio

n In

form

atio

n

Date Certificate Issued

CRL

OCSP

OCSP prevalence

13

0.65

0.7

0.75

0.8

0.85

0.9

0.95

1

01/11 07/11 01/12 07/12 01/13 07/13 01/14 07/14 01/15

Frac

tion

of N

ew C

ertif

icat

esw

ith R

evoc

atio

n In

form

atio

n

Date Certificate Issued

CRL

OCSP

RapidSSL begins

supporting OCSP

OCSP now universally supported


14

WebsiteBrowser





14

WebsiteBrowser




Certificate


14

WebsiteBrowser




Certificate

Certific✔

Limited OCSP Stapling Support

• IPv4 TLS Handshake scans by University of Michigan on 3/28/15• Every IPv4 server on port 443• Look for OCSP stapling support

• 2.2M valid certificates• 5.19% served by at least one server supports OCSP Stapling• 3.09% served by servers that all support OCSP Stapling

15

Website admins rarely enable OCSP Stapling

Outline

16

Website admin behaviore.g., revocation is common ~8%

Certificate✗Certificate authorities behavior

e.g., high cost in distributing revocation info

Client behaviore.g., do browsers check revocations?

What’s the concern of browsers?

17

WebsiteBrowser

Certificate


What’s the concern of browsers?

17

WebsiteBrowser

Certificate


On the web, latency is king

Browsers face tension between security and speedMust contact CA to ensure cert not revoked

Test harness

Goal: Test browser behavior under different combinations of:• Revocation protocols• Availability of revocation information• Chain lengths• EV/non-EV certificates

18

Normal

Extended Validation

Implement 244 tests using fake root certificate + Javascript• Unique DNS name, cert chain, CRL/OCSP responder, …

Do browsers check revocations?

Supports CRLs

Desktop: Mobile:

Supports OCSP

Desktop: Mobile:

Supports OCSP Stapling

Desktop: Mobile:

19


Supports CRLs

Desktop: Mobile:

Supports OCSP

Desktop: Mobile:


Desktop: Mobile:

19

✗ ✗ ✗✗~EV

only


Supports CRLs

Desktop: Mobile:

Supports OCSP

Desktop: Mobile:


Desktop: Mobile:

19

✗ ✗ ✗✗~EV

only

✗ ✗ ✗~EV

only


Supports CRLs

Desktop: Mobile:

Supports OCSP

Desktop: Mobile:


Desktop: Mobile:

19

✗ ✗ ✗✗~EV

only

✗ ✗ ✗~EV

only

✗ ✗ ✗✗

20

Check intermediate

Revocation unavailable

Desktop:

Do browsers check intermediates?

Desktop: Mobile:

Mobile:

20

Check intermediate


Desktop:


Desktop: Mobile:

Mobile:

✗ ✗ ✗EV EV

OCSP

20

Check intermediate


Desktop:


Desktop: Mobile:

Mobile:

✗ ✗ ✗EV EV

OCSP

✗ ✗ ✗✗EV CRL

CRL

20

Check intermediate


Desktop:


Desktop: Mobile:

Mobile:

✗ ✗ ✗EV EV

OCSP

✗ ✗ ✗✗EV CRL

CRL

No browser correctly checks all revocations

Takeaways

Revocations common ~1% in steady state; more than 8% after Heartbleed

Obtaining revocation information can be expensive CRLs large, OCSP Stapling rarely supported

Many browsers don’t bother to check revocationMobile browsers completely lack of revocation checking

21

CRLSet

22

Chrome pushes out list of select revocations, called CRLSet

Chromium developers only state:

The full list [of covered CRLs] isn’t public

CRLs on the list are fetched infrequently

Entries in the CRL are filtered by reason code.

Size limited to 250 KB

1

2

3

4

CRLSet coverage

23

Only 0.35% of all revocations appear in CRLSet

Only 295 (10.5%) CRLs have any revocations covered

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 0.2 0.4 0.6 0.8 1

CD

F

Fraction of CRLs’ Entries in CRLSet

CRLSet Reason Codes

CRLSet coverage

23

Only 0.35% of all revocations appear in CRLSet

Only 295 (10.5%) CRLs have any revocations covered

CRLSet only has a low coverage

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 0.2 0.4 0.6 0.8 1

CD

F

Fraction of CRLs’ Entries in CRLSet

CRLSet Reason Codes

More results in the paper

• Analysis of EV certificate revocation

• Revoked but alive certificates

• Improve CRLSets with Bloom Filters and more …

24

Summary

• An end-to-end measurement of certificate revocation in the web• Covers all parties: website administrators, CAs and browsers

• Key findings• Extensive inaction with respect to certificate revocation• Browsers fails to check certificate revocation• Mobile browsers are lack of revocation checking

• We can improve• CAs can maintain more small CRLs• Website admins can deploy OCSP stapling

25

Summary

• An end-to-end measurement of certificate revocation in the web• Covers all parties: website administrators, CAs and browsers

• Key findings• Extensive inaction with respect to certificate revocation• Browsers fails to check certificate revocation• Mobile browsers are lack of revocation checking

• We can improve• CAs can maintain more small CRLs• Website admins can deploy OCSP stapling

25

Questions?

securepki.org

http://securepki.org

an end-to-end measurement of certiﬁcate revocation in the ... · an end-to-end measurement of...

Documents