analysis of the https certificate ecosystem
play

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James - PowerPoint PPT Presentation

Jun 29, 2023 •196 likes •449 views

Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman University of Michigan Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric HTTPS and TLS How does HTTPS and the CA ecosystem

  1. Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman University of Michigan Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  2. HTTPS and TLS How does HTTPS and the CA ecosystem fit into our daily lives? Nearly all secure web communication relies on HTTPS - online banking, e-mail, e-commerce transactions, etc. HTTPS provides confidentiality, integrity, and authentication HTTPS is dependent on a supporting PKI – thousands of certificate authorities we rely on to vouch for sites’ identities The supporting PKI is opaque – we blindly rely on these CAs There has been much previous work including including the EFF’s SSL Observatory, Holz et al. at IMC, and Akhawe et al. at WWW Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  3. Talk Outline 1. HTTPS Background 2. Data Collection Methodology 3. Identifying Trusted Authorities 4. Worrisome Trends and Observations 5. How can we make the HTTPS ecosystem more secure? Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  4. Certificate Authorities How do certificates provide authentication? Web browsers trust certificate authorities to investigate and vouch for the identities of Web Brower trusted websites CAs vouch for a website’s identity by CA Certificate signing digital certificates with a browser trusted certificate and key Website Website Web browsers store a list of these trusted authorities’ certificates known as roots Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  5. Intermediate Authorities How do intermediate authorities fit into the picture? Root authorities delegate the Web Browser ability to sign certificates to intermediate authorities Root Certificate Root Certificate Intermediate Intermediate Website Website Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  6. Intermediate Authorities How do intermediate authorities fit into the picture? Root authorities delegate the Web Browser ability to sign certificates to intermediate authorities Root Certificate Root Certificate In all but a handful of cases, intermediates can sign for US Gov’t Google certificates for any domain google.com google.com Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  7. Intermediate Authorities How do intermediate authorities fit into the picture? Root authorities delegate the Web Browser ability to sign certificates to intermediate authorities ✓ Root Certificate Root Certificate In all but a handful of cases, ? intermediates can sign for US Gov’t Google certificates for any domain ? Non-roots aren’t publicly known google.com google.com until they are found in the wild Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  8. Intermediate Authorities How do intermediate authorities fit into the picture? Web Browser ✓ Hundreds of roots ? Thousands of intermediates ? Millions of leaf certificates Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  9. Talk Outline 1. HTTPS Background 2. Data Collection Methodology 3. Identifying Trusted Authorities 4. Worrisome Trends and Observations 5. How can we make the HTTPS ecosystem more secure? Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  10. Dataset and Methodology How do we measure the certificate authority ecosystem? We performed 110 scans of the IPv4 address space over an 18 month period using ZMap, OpenSSL, and libevent Completed 1.8 billion TLS handshakes and collected certificates We collected: - 42 million unique certificates - 6.9 million browser trusted from 109 million hosts Dataset available at https://scans.io and code at https://zmap.io Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  11. Responsible Data Collection How do we reduce the impact of active scanning? Reducing Scan Impact Scan in random order and at a reduced scan rate Signal benign nature over HTTP, DNS, and WHOIS Honor all requests to be excluded from future scans Excluded Networks Correspondence with 145 individuals and organizations Excluded 91 networks (.11% of the address space) 2 requests from ISPs account for 50% of addresses Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  12. Talk Outline 1. HTTPS Background 2. Data Collection Methodology 3. Identifying Trusted Authorities 4. Worrisome Trends and Observations 5. How can we make the HTTPS ecosystem more secure? Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  13. Identifying Trusted Authorities Who do we trust to sign a certificate for any website? Identified 1,832 CA certificates CAs by Organization Type belonging to 683 organizations Academic Institutions 40% Commercial Authorities 20% 80% of the organizations Governments 12% were not commercial CAs Corporations 12% Other Types 16% Organizations included religious CAs by Owning Country institutions, libraries, cities, United States 30% corporations, and non-profits Germany 21% France 4% CA certificates were owned by Japan 3% organizations in 57 countries Other Countries 42% Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  14. The Path to Power How are organizations obtaining CA certificates? 311 (45%) of the organizations were provided certificates by German National Research and Education Network (DFN) A large number of root CAs have provided CA certificates to unrelated third-party organizations and governments Largest were GTE CyberTrust Solutions (Verizon) and Comodo - Provided unrestricted CA certificates to 62 organizations Financial institutions (e.g. Visa) and some countries used CA certificates included in each brower root store Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  15. Distribution of Trust Who do we trust on a day-to-day basis? Large companies have 1 acquired smaller CAs 0.9 0.8 75% are signed by Comodo, 0.7 Signed Certificates 0.6 Symantec, and GoDaddy 0.5 0.4 90% are descendants of 4 roots 0.3 0.2 Certificate Authorities 90% are signed by 40 0.1 Root Certificates Intermediate Certificates 0 intermediates 0 5 10 15 20 25 30 35 40 45 50 n most popular 26% are signed by a single intermediate certificate Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  16. Talk Outline 1. HTTPS Background 2. Data Collection Methodology 3. Identifying Trusted Authorities 4. Worrisome Trends and Observations 5. How can we make the HTTPS ecosystem more secure? Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  17. Misaligned Objectives CAs are providing services that harm the HTTPS ecosystem Only 7 of the CA certificates we found had a name constraints - All other organizations can sign for any domain Only 40% of CA certificates had a length constraint - All other organizations can create new CA certificates Almost 5% of certificates are trusted for a local domain - e.g. mail , exchange , and intranet - provide no actual protection against attackers Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  18. Community Shortsightedness We are not considering the long-term consequences today CA certificates are being issued 1 for 40+ years in the future 0.9 0.8 Certificate Authorities 0.7 49% of certificates have a 0.6 1024-bit key in their trust chain 0.5 0.4 0.3 In 2012, 1.4 million signed new 0.2 certificates were signed using a 0.1 NIST recommended end of 1024-bit key usage 0 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 1024-bit root authority Years until Expiration 70% of trusted CA using a 1024-bit 15 organizations provide no key certificates expire after 2016 avenues for revocation Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  19. Client Deployment Difficulties It remains difficult for end-users to correctly deploy HTTPS 13% of hosts serving once trusted CAs by Owning Country certificates are misconfigured Expired 6% 20% of hosts remove expired Not Yet Valid .02% Revoked .3% certificates after expiration Incorrect Intermediates 7% or revocation Unnecessary Root 42% 47 of the signing certificates were Optimal Configuration 45% not for web traffic due to end users using code signing keys, etc. Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  20. Impact of the Lack of Oversight What is the real world impact of these observations? We are making errors on a day-to-day basis There’s has been an impact to ignoring our community’s guidelines such as least privilege and defense in depth Case 1: A mis-issued CA certificate issued by Turktrust to a transit authority that was revoked after signing for *.google.com Case 2: South Korea misissued 1,400 CA certificates that were prevented from causing harm by a root length constraint Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

  21. Talk Outline 1. HTTPS Background 2. Data Collection Methodology 3. Identifying Trusted Authorities 4. Worrisome Trends and Observations 5. How can we make the HTTPS ecosystem more secure? Analysis of the HTTPS Certificate Ecosystem Zakir Durumeric

Recommend

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson How do we know with whom we are communicating? How do we know

1.21k views • 119 slides
Autenticando microservices usando HTTPS/SSL Cielo Lio Magno Costa magnocosta.br @magnocosta_br

Autenticando microservices usando HTTPS/SSL Cielo Lio Magno Costa magnocosta.br @magnocosta_br

Autenticando microservices usando HTTPS/SSL Cielo Lio Magno Costa magnocosta.br @magnocosta_br @magnocosta Certificate Certificate Authority Certificate Sign Request Client Certificate Microservices + HTTPS Certificate - CRT Subtitulo

1.01k views • 78 slides
Tab Q, No. 4(a) https://www.st.nmfs.noaa.gov/ecosystems/ebfm/ebfm-myths Several Ecosystem Type

Tab Q, No. 4(a) https://www.st.nmfs.noaa.gov/ecosystems/ebfm/ebfm-myths Several Ecosystem Type

Tab Q, No. 4(a) https://www.st.nmfs.noaa.gov/ecosystems/ebfm/ebfm-myths Several Ecosystem Type Initiatives Ecosystem Status Report Ecosystem Regional Roadmap National Ecosystem Policy January 2018 S taff outlined other

310 views • 12 slides
Some tales about TLS Hanno B ock https://hboeck.de/ 1 / 60 Introduction Certificate

Some tales about TLS Hanno B ock https://hboeck.de/ 1 / 60 Introduction Certificate

Introduction Certificate Authorities Algorithms Attacks HTTPS by default Future Final remarks Some tales about TLS Hanno B ock https://hboeck.de/ 1 / 60 Introduction Certificate Authorities Algorithms How broken is TLS? Attacks

1.23k views • 60 slides
Gender-diversity analysis of technical contributions (In the Hadoop Ecosystem) ApacheCon,

Gender-diversity analysis of technical contributions (In the Hadoop Ecosystem) ApacheCon,

Gender-diversity analysis of technical contributions (In the Hadoop Ecosystem) ApacheCon, Sevilla 2016 Daniel Izquierdo Cortzar @dizquierdo dizquierdo at bitergia dot com https://speakerdeck.com/bitergia Outline Introduction First Steps

471 views • 44 slides
msroot@microsoft.com https://docs.microsoft.com/en-us/ https://aka.ms/RootCert

msroot@microsoft.com https://docs.microsoft.com/en-us/ https://aka.ms/RootCert

msroot@microsoft.com https://docs.microsoft.com/en-us/ https://aka.ms/RootCert https://aka.ms/auditreqs Removal of root from the Certificate Trust List (CTL). All certificates no longer trusted Introduced in Windows10RS1. Disables all

381 views • 6 slides
LUM-ECOS: Land Use Modelling for ECOSystem analysis Preference and choice modelling in land-use

LUM-ECOS: Land Use Modelling for ECOSystem analysis Preference and choice modelling in land-use

LUM-ECOS: Land Use Modelling for ECOSystem analysis Preference and choice modelling in land-use and ecosystem analysis Davide Martinetti Ecodeveloppement Unit - INRA PACA - Avignon Barcelona - Octuber 12, 2015 Objective of the project

347 views • 11 slides
Certificate Authorities and SSL/TLS/HTTPS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu

Certificate Authorities and SSL/TLS/HTTPS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Certificate Authorities and SSL/TLS/HTTPS Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

622 views • 44 slides
Search API ecosystem in Drupal 8 Joris Vercammen | @borisson Site building https:/

Search API ecosystem in Drupal 8 Joris Vercammen | @borisson Site building https:/

Search API ecosystem in Drupal 8 Joris Vercammen | @borisson Site building https:/ /events.drupal.org/dublin2016/sessions/search-api-ecosystem-drupal-8 Search API Search API Solr Facets More addon modules Custom code

1.2k views • 71 slides
MORPHotype EcOSystem design remote definition based on big data morphology and use ecosystem

MORPHotype EcOSystem design remote definition based on big data morphology and use ecosystem

MORPHotype EcOSystem design remote definition based on big data morphology and use ecosystem for creative industries Alessandro Canepa alessandro@i-dealsrl.com +39 338 6426165 https://www.youtube.com/watch?v=9AFWaKUTxn4 Consortium The

216 views • 19 slides
Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR

Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR

Fintech Certificate Fintech Certificate Fintech Certificate 2 Investment Case The AtonR Fintech Index is a long-only, USD-based, actively managed total return index. The pace of innovation in financial technology (Fintech) has been

616 views • 26 slides
Ecosystem Services in the Greater Houston Region A case study analysis and recommendations for

Ecosystem Services in the Greater Houston Region A case study analysis and recommendations for

Ecosystem Services in the Greater Houston Region A case study analysis and recommendations for policy initiatives Ecosystem S ervices Ecosystems provide services through their natural processes that we all benefit from daily: Fresh water

312 views • 20 slides
Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied Networking Research Workshop (ANRW)

303 views • 11 slides
NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No.

NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No.

NEO PA/VA system EN 54 -16 Certificate No. 2426-CPR-105 PA/VA System EN 54 -16 Certificate No. 2426-CPR-105 NEO is an innovative Public Address and Voice Alarm system that allows an easy audio installation with just one piece of equipment.

326 views • 7 slides
1 4/3/2015 AMEs In Your Area If You Decide to Renew Your Medical So Whats This Light Sport

1 4/3/2015 AMEs In Your Area If You Decide to Renew Your Medical So Whats This Light Sport

4/3/2015 New Plastic Pilot Certificate So, Where Do I Start? What we will cover today Your old paper certificate is no longer valid. What it takes to be PIC again Google Search: Replacement of Airmen Certificate What has

485 views • 35 slides
Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety

Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety

Certificate of Recognition Certificate of Recognition - Defined COR is a health and safety certification program National standard supported by the Canadian Federation of Construction Safety Association (CFCSA) Aimed at driving

320 views • 10 slides
PROOF as a Service on the Cloud a Virtual Analysis Facility based on the CernVM ecosystem Dario

PROOF as a Service on the Cloud a Virtual Analysis Facility based on the CernVM ecosystem Dario

PROOF as a Service on the Cloud a Virtual Analysis Facility based on the CernVM ecosystem Dario Berzano R.Meusel, G.Lestaris, I.Charalampidis, G.Ganis, P .Buncic, J.Blomer CERN PH-SFT CHEP2013 - Amsterdam, 15.10.2013 A cloud-aware analysis

581 views • 20 slides
Developing Fast, Mechanically-Verified Cryptographic Code Bryan Parno Carnegie Mellon University

Developing Fast, Mechanically-Verified Cryptographic Code Bryan Parno Carnegie Mellon University

Developing Fast, Mechanically-Verified Cryptographic Code Bryan Parno Carnegie Mellon University 1 The HTTPS Ecosystem is critical Services & Applications Edge cURL Skype Apache Nginx WebKit IIS Clients Servers HTTPS Ecosystem

1.17k views • 82 slides
Ecosystem goods and services 101 The EGS review and comparative analysis method

Ecosystem goods and services 101 The EGS review and comparative analysis method

Introductory comments re the context of the workshop Ecosystem goods and services 101 The EGS review and comparative analysis method Identification of the EGS related to community livelihoods / societal resilience EGS review and

524 views • 21 slides
Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of

Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of

Certificate of Public Advantage Presentation to the House Select Committee on the Certificate of Need Process and Related Hospital Issues Research Division Staff, September 14, 2011 What is a COPA? An agreement among two or more hospitals

201 views • 19 slides
Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined

Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined

Certificate of Recognition Update February 19, 2016 1 Certificate of Recognition- Defined COR is a workplace health and safety certification program All Legislative elements require 100% achievement National standard supported by

374 views • 9 slides
Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo,

Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo,

The 18 th International Conference on Electronic Business December 2-6, 2018, Guilin, China CERTIFICATE Certificate o Certi icate of Presentation Presentation This certificate is issued to Hong Guo, Anhui University, China Hong Guo, Anhui

1.04k views • 102 slides
DSHS Grand Rounds 1 Registration for free continuing education (CE) hours or certificate of

DSHS Grand Rounds 1 Registration for free continuing education (CE) hours or certificate of

DSHS Grand Rounds 1 Registration for free continuing education (CE) hours or certificate of attendance through TRAIN at: https://tx.train.org Streamlined registration for individuals not requesting CE hours or a certificate of attendance 1.

1.28k views • 111 slides

More recommend