certificates in the wild - cs.umd.edu€¦ · certificates in the wild slides from •dave levin...
TRANSCRIPT
![Page 1: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/1.jpg)
Certificates in the wild
Slides from
• Dave Levin 414-spring2016
• Michelle Mazurek 414-fall2016
![Page 2: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/2.jpg)
Certificates in the wildThe lock icon indicates that the browser was able to authenticate the other end, i.e., validate its certificate
![Page 3: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/3.jpg)
Certificate chain
Subject (who owns thepublic key)
Issuer (who verified the identity and signed this certificate)
Common name: the URL of the subject
![Page 4: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/4.jpg)
![Page 5: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/5.jpg)
Serial number: Uniquely identifies this cert with respect to the issuer
(look for this in CRLs)
Not valid before/after: When tostart and stop believing this cert
(start & expiration dates)
The public key: And the issuer’ssignature of the public key
Signature algorithm: How theissuer will sign parts of the cert
![Page 6: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/6.jpg)
Subject Alternate Names:Other URLs for which this cert should be considered valid.
(wellsfargo.com is not the sameas www.wellsfargo.com)
Can include wildcards, e.g.,
*.google.com
CRL & OCSP:Where to go to check if this
certificate has been revoked
Non-cryptographic checksums
![Page 7: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/7.jpg)
Certificate typesWhy are these different?
This is an EV (extended validation) certificate; browsers show the
full name for these kinds of certs
![Page 8: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/8.jpg)
Root CAs
![Page 9: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/9.jpg)
Root CAs in iOS9
• iOS9 ships with >50 that start with A-C
• Full list at:https://support.apple.com/en-us/HT205205
![Page 10: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/10.jpg)
Browser
Verifying certificates
Certificate“I’m because says so”
Certificate“I’m because says so”
“I’m because I say so!”Certificate
![Page 11: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/11.jpg)
Browser
Verifying certificates
Certificate“I’m because says so”
Certificate“I’m because says so”
“I’m because I say so!”Certificate
Root key storeEvery device has one
Must not contain
malicious certificates
![Page 12: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/12.jpg)
CA compromise!• 2001: Verisign issued two code-signing certificates for
Microsoft Corporation!• To someone who didn’t actually work at MS!• No functional revocation paradigm!
• 2011: Signing keys compromised at Comodo and DigiNotar!• Bad certs for Google, Yahoo!, Tor, others!• Seem to have been used mostly in Iran!
• Some CAs are less picky than others!
![Page 13: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/13.jpg)
Case study: Superfish (Feb 2015)!
• Lenovo laptops shipped with “Superfish” adware!
• Installs self-signed root cert into browsers!• MITM on every HTTPS site to inject ads!
• Worse: Same private key for every laptop!• Password = “komodia” (company!
• Lenovo“did not find any evidence to substantiate security concerns”
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/!
http
://w
ww
.sai
ntel
daily
.com
/arc
hive
s/11
400!
![Page 14: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/14.jpg)
Heartbleed and Revocation
![Page 15: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/15.jpg)
Remember Heartbleed (2014)
• OpenSSL vulnerability
• Discovered 03/21 Public 04/07
• Potential compromise• 100ks hosts• 20M total certs• 1.5M certs for Alexa top 1M domains• 600k leaf certs• 165k domains
• Correct procedure: patch, revoke, reissue
![Page 16: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/16.jpg)
Why study Heartbleed?
03/21 04/02 04/07
DiscoveredAkamaipatched Publicly announced
03/21 04/02 04/07
DiscoveredAkamaipatched Publicly announced
1 Patched 2 Revoked 3 Reissued
Every vulnerable website should have:
Heartbleed is a natural experiment: How quickly and thoroughly do administrators act?
![Page 17: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/17.jpg)
Prevalence and patch rates
0
0.1
0.2
0.3
0.4
0.5
0.6
0 200000 400000 600000 800000 1e+06
Frac
tion
of D
omai
nsVu
lner
able
to H
eart
blee
d
Alexa Site Rank (bins of 1000)
Was ever vulnerableStill vulnerable
Patching rates are mostly positiveOnly ~7% had not patched within 3 weeks
Was ever vulnerableStill vulnerable after 3 weeks
![Page 18: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/18.jpg)
How quickly were certs revoked?
0
200
400
600
800
1000
1200
03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26
Num
ber o
f Dom
ains
/Day
Date
Reaction ramps up quickly
Security takes the weekends off
Weekends
![Page 19: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/19.jpg)
Certificate update rates
0.6 0.65
0.7 0.75
0.8 0.85
0.9 0.95
1
04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28
Frac
. of V
ulne
rabl
e C
erts
not R
evok
ed/R
eiss
ued
Date
Not reissued
Not revoked
3 wks
Similar pattern to patches: Exponential drop-off, then levels out
After 3 weeks: 13% Revoked 27% Reissued
![Page 20: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/20.jpg)
0
0.1
0.2
0.3
0.4
0.5
0.6
11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014
Frac
tion
of N
ew C
ertif
icat
esR
eiss
ued
with
the
Sam
e K
ey
Date of Birth
All reissuesHeartbleed-induced reissues
Reissue ⇒ New key?
Reissuing the same key is common practice
4.1% Heartbleed-induced
![Page 21: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/21.jpg)
The ugly truth of revocations
13% Revoked 27% Reissued93% Patched
• Administrators trade off security for ease of maintenance/cost• Certificate authorities trade off security for profit
Security is supposed to be a fundamental design goal, but
![Page 22: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/22.jpg)
0
0.2
0.4
0.6
0.8
1
0 1 2 3 4 5 6
CD
F
Years of Remaining Validity
Can we wait for expiration?
We may be dealing with Heartbleed for years
Vulnerable but not revoked
~40% of vulnerable certswill not expire for over 1 year
![Page 23: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/23.jpg)
How well do browsers check certificates
![Page 24: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/24.jpg)
Testing browser behavior
Revocationprotocols
• Browsers should support all major protocols• CRLs, OCSP, OCSP stapling
Availability of revocation info
• Browsers should reject certs they cannot check• E.g., because the OCSP server is down
Chain lengths
• Browsers should reject a cert if any on the chain fail• Leaf, intermediate(s), root
signs
Leaf
Root
Intermediate Intermediate…
![Page 25: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/25.jpg)
Results across all browsers
✔ Passes test ✗ Fails test
ev Passes for EV certsi Ignores OCSP Staple
a Pops up alert to userl/w Passes on Linux/Win.
![Page 26: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/26.jpg)
Results across all browsers
Chrome
Generally, only checks for EV certs~3% of all certs
Allows if revocation info unavailable
Supports OCSP stapling
✔ Passes test ✗ Fails test
ev Passes for EV certsi Ignores OCSP Staple
a Pops up alert to userl/w Passes on Linux/Win.
![Page 27: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/27.jpg)
Results across all browsers
Firefox
Never checks CRLsOnly checks intermediates for EV certs
Allows if revocation info unavailable
Supports OCSP stapling
✔ Passes test ✗ Fails test
ev Passes for EV certsi Ignores OCSP Staple
a Pops up alert to userl/w Passes on Linux/Win.
![Page 28: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/28.jpg)
Results across all browsers
Safari
Checks CRLs and OCSP
Allows if revocation info unavailableExcept for first intermediate, for CRLs
Does not support OCSP stapling
✔ Passes test ✗ Fails test
ev Passes for EV certsi Ignores OCSP Staple
a Pops up alert to userl/w Passes on Linux/Win.
![Page 29: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/29.jpg)
Results across all browsers
Internet Explorer
Checks CRLs and OCSP
Often rejects if revocation info unavailablePops up alert for leaf in IE 10+
Supports OCSP stapling
✔ Passes test ✗ Fails test
ev Passes for EV certsi Ignores OCSP Staple
a Pops up alert to userl/w Passes on Linux/Win.
![Page 30: Certificates in the wild - cs.umd.edu€¦ · Certificates in the wild Slides from •Dave Levin 414-spring2016 •Michelle Mazurek 414-fall2016. ... Certificate “I’m because](https://reader036.vdocuments.us/reader036/viewer/2022081406/5f0ff9dd7e708231d446d2b5/html5/thumbnails/30.jpg)
Results across all browsers
Mobile Browsers
Uniformly never check
Android browsers request Staple
…and promptly ignore it
✔ Passes test ✗ Fails test
ev Passes for EV certsi Ignores OCSP Staple
a Pops up alert to userl/w Passes on Linux/Win.