Web PKI: Closing the Gap between Guidelines and Practices

Delignat-Lavaud, Antoine; Abadi, Martı́n; Birrell, Andrew; Mironov, Ilya; Wobber, Ted; Xie, Yinglian

doi:10.14722/ndss.2014.23305

Cited by 27 publications

(19 citation statements)

References 14 publications

(11 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Large-scale surveys of SSL certificates “in the wild” can be found in [19, 25, 27, 78]. Because their objective is to collect and analyze certificates, not to find certificate validation errors in SSL/TLS implementations, they are complementary to this paper: for example, their certificate corpi can be used to “seed” frankencert generation (Section VII).…”

Section: Related Workmentioning

confidence: 99%

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

Brubaker

Jana

Ray

et al. 2014

2014 IEEE Symposium on Security and Privacy

165

View full text Add to dashboard Cite

Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol.We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations.Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version 1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication.We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired-a low-risk, often ignored error-but not that the connection is insecure against a man-in-the-middle attack.These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.

show abstract

Section: Related Workmentioning

confidence: 99%

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

Brubaker

Jana

Ray

et al. 2014

2014 IEEE Symposium on Security and Privacy

165

View full text Add to dashboard Cite

show abstract

“…We assume a rough upper bound of 10 million certificates [6] each representing a unique domain name, though this number will likely be much less since DSFs are only intended to be used during the deployment process. Then for a 1% false positive rate the size of a DSF should be at most 13 MB, which is well below the storage limit of modern client machines.…”

Section: Benefitsmentioning

confidence: 99%

Deployment challenges in log-based PKI enhancements

Matsumoto

Szałachowski

Perrig

2015

Proceedings of the Eighth European Workshop on System Security

View full text Add to dashboard Cite

Log-based PKI enhancements propose to improve the current TLS PKI by creating public logs to monitor CA operations, thus providing transparency and accountability. In this paper we take the first steps in studying the deployment process of log-based PKI enhancements in two ways. First, we model the influences that parties in the PKI have to incentivize one another to deploy a PKI enhancement, and determine that potential PKI enhancements should focus their initial efforts on convincing browser vendors to deploy. Second, as a promising vendor-based solution we propose deployment status filters, which use a Bloom filter to monitor deployment status and efficiently defend against downgrade attacks from the enhanced protocol to the current TLS PKI. Our results provide promising deployment strategies for log-based PKI enhancements and raise additional questions for further fruitful research.

show abstract

“…We can easily build statistics about the number of domains found in publicly trusted certificates issued between July 2012 and July 2013 based on data collected in [9]. The results, depicted in Figure 6, show that about 40% of issued certificates are valid for a single domain; however, about 10% of them contain a wildcard.…”

Section: Multi-domain Certificatesmentioning

confidence: 99%

“…It is tempting to argue that the fact these domains appear in the same certificate is a clue that their sharing of some TLS session-specific attributes could be acceptable, but we stress that it is in fact not the case. For instance, recall from Section 2 that CloudFlare uses shared certificates that cover dozens of customers' domains [9,35]. In fact, it is common on today's web to connect to a website whose certificate is shared with a malicious, attacker-controlled domain.…”

Section: Connection Sharing In Spdy and Http/2mentioning

confidence: 99%

“…Recent measurement studies of TLS certificate issuance [8,9] show that a majority of newly issued certificates are valid for more than one domain name, with a significant number of them containing at least one wildcard. For example, all the front-end Google servers share a certificate that covers *.google.com as well as 50 other DNS names, many with wildcards.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Delignat-Lavaud

Bhargavan

2015

Proceedings of the 24th International Conference on World Wide Web

Self Cite

View full text Add to dashboard Cite

We investigate current deployment practices for virtual hosting, a widely used method for serving multiple HTTP and HTTPS origins from the same server, in popular content delivery networks, cloud-hosting infrastructures, and web servers. Our study uncovers a new class of HTTPS origin confusion attacks: when two virtual hosts use the same TLS certificate, or share a TLS session cache or ticket encryption key, a network attacker may cause a page from one of them to be loaded under the other's origin in a client browser. These attacks appear when HTTPS servers are configured to allow virtual host fallback from a client-requested, secure origin to some other unexpected, less-secure origin. We present evidence that such vulnerable virtual host configurations are widespread, even on the most popular and securityscrutinized websites, thus allowing a network adversary to hijack pages, or steal secure cookies and single sign-on tokens. To prevent our virtual host confusion attacks and recover the isolation guarantees that are commonly assumed in shared hosting environments, we propose fixes to web server software and advocate conservative configuration guidelines for the composition of HTTP with TLS.

show abstract

Web PKI: Closing the Gap between Guidelines and Practices

Cited by 27 publications

References 14 publications

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

Deployment challenges in log-based PKI enhancements

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Contact Info

Product

Resources

About