mission accomplished https security after diginotar
play

Mission Accomplished? HTTPS Security after DigiNotar Johanna Amann* - PowerPoint PPT Presentation

Feb 20, 2023 •237 likes •631 views

Mission Accomplished? HTTPS Security after DigiNotar Johanna Amann* ICSI / LBL / Corelight Oliver Gasser* Technical University of Munich Quirin Scheitle* Technical University of Munich Lexi Brent The University of Sydney Georg Carle

  1. Mission Accomplished? HTTPS Security after DigiNotar Johanna Amann* ICSI / LBL / Corelight Oliver Gasser* Technical University of Munich Quirin Scheitle* Technical University of Munich Lexi Brent The University of Sydney Georg Carle Technical University of Munich Ralph Holz The University of Sydney * Joint First Authorship

  2. TLS/HTTPS Security Extensions • Certificate Transparency • HSTS (HTTP Strict Transport Security) • HPKP (HTTP Public Key Pinning) • SCSV (TLS Fallback Signaling Cipher Suite Value) • CAA (Certificate Authority Authorization) • DANE-TLSA (DNS Based Authentication of Named Entities)

  3. Methodology • Active & passive scans • Shared pipeline where possible • Active measurements from 2 continents • Largest Domain-based TLS scan so far • More than 192 Million domains • Passive measurements on 3 continents • More than 2.4 Billion observed TLS connections

  4. Certificate Transparency CA Issues Certificates Provides publicly auditable, append-only Log of certificates CT Log Also provides proof of inclusion Browser Verifies proof of inclusion

  5. Certificate Transparency CT Log CA Webserver Browser

  6. Certificate Transparency CT Log CA Certificate Webserver Browser

  7. Certificate Transparency CT Log CA Certificate Certificate Webserver Browser

  8. Certificate Transparency CT Log CA Certificate Certificate SCT Webserver Browser

  9. Certificate Transparency CT Log CA Certificate Certificate SCT Webserver Browser Certificate, SCT in TLS Ext.

  10. Certificate Transparency CT Log CA Webserver Browser

  11. Certificate Transparency Precertificate CT Log CA Webserver Browser

  12. Certificate Transparency Precertificate CT Log CA SCT Webserver Browser

  13. Certificate Transparency Precertificate CT Log CA SCT Certificate (with 
 Precertificate SCT) Webserver Browser

  14. Certificate Transparency Precertificate CT Log CA SCT Certificate (with 
 Precertificate SCT) Webserver Browser Certificate. Transform, Validate

  15. Certificate Transparency CT Log CA Webserver Browser

  16. Certificate Transparency CT Log CA Certificate Webserver Browser

  17. Certificate Transparency Certificate CT Log CA Certificate Webserver Browser

  18. Certificate Transparency Certificate CT Log CA SCT Certificate Webserver Browser

  19. Certificate Transparency Certificate CT Log CA SCT Certificate OCSP, SCT in OCSP Reply Webserver Browser

  20. Certificate Transparency Certificate CT Log CA SCT Certificate OCSP, SCT in OCSP Reply Webserver Browser Certificate 
 SCT in Stapled OCSP Reply

  21. SCT Statistics - Active Sydney v4 Munich v4 Munich v6 Domains we could connect to 55.7M 58.0M 5.1M Domains with SCT 6.8M 6.8M 357K … via X509 6.7M 6.8M 344K … via TLS Ext. 27.6K 27.2K 12.9K … via OCSP 180 188 3 Certificates (Total) 10.62M 9.66M 549.98K Certificates with SCT Ext. 799.9K 834.5K 193.9K

  22. SCT Statistics - Passive California Munich Sydney Time 4/4-5/2 5/12-5/16 5/12-5/16 Conns 2.6B 287M 196M Conns with SCT 779M 73M 58M … in Cert 520M 58M 44M … in TLS 248M 14M 14M … in OCSP 156K 38K 31K # v4 IPs 737K 344K 226K # SCT v4 IPs 222K 102K 66K

  27. 105 Certificates, 91 Let’s Encrypt

  30. Log Operators Active Passive Symantec log (81.26%) Symantec log (62.78%) Google ’Pilot’ log (79.9%) Google ’Rocketeer’ log (58.6%) Google ’Rocketeer’ log (31.72%) Google ’Pilot’ log (58.48%) DigiCert Log Server (26.96%) Google ’Icarus’ log (14.37%) Google ’Aviator’ log (25.67%) Google ’Aviator’ log (9.39%) Google ’Skydiver’ log (8.32%) Vena log (7.47%) Symantec VEGA log (3.98%) WoSign ctlog (4.64%) StartCom CT log (1.49%) DigiCert Log Server (4.07%) WoSign ctlog (0.67%) Google ’Skydiver’ log (1.7%)

  31. Log Operators

  34. HSTS, HPKP • HSTS: ~3.5% of domains • 0.2% send incorrect headers (misspellings, wrong attributes, …) • HPKP: ~0.02% of domains (6,181) • 41 invalid

  35. SCSV Automatically deployed when servers/libraries update > 96% deployment

  36. Deployment

  38. Community Contributions • PCAPs of active scans • Active scan results, CT database dumps • Analysis Scripts (primarily Jupyter notebooks) • Datasets: https://mediatum.ub.tum.de/1377982 • Software: • goscanner (HTTPS scanner): https://github.com/tumi8/goscanner • extended Bro TLS support (in master): https://bro.org

  39. Summary • Deployment status correlates with: • Configuration effort • Risk • Default deployment / settings work best • Measurements from several sites have very similar results • One measurement location probably good enough in most cases

Recommend

MISSION ACCOMPLISHED THIS MISSION CANNOT: 1. BE FINISHED. Vs. 8 Owe nothing to anyone

MISSION ACCOMPLISHED THIS MISSION CANNOT: 1. BE FINISHED. Vs. 8 Owe nothing to anyone

MISSION ACCOMPLISHED THIS MISSION CANNOT: 1. BE FINISHED. Vs. 8 Owe nothing to anyone except to love one another; for he who loves his neighbor has fulfilled the law. But if there are any poor Israelites in your towns when you

390 views • 14 slides
Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event

Lightweight Cryptography Mission Accomplished? Peter Rombouts ECRYPT II Closing Event Cryptography for 2020 Tenerife January 23 rd , 2013 Organization Lightweight Cryptography: Mission Accomplished? Introduction Technical perspective

478 views • 20 slides
Chronological Bible Overview Session Four - The mission accomplished (NT - Jesus, the Spirit

Chronological Bible Overview Session Four - The mission accomplished (NT - Jesus, the Spirit

Track 1: Understanding and explaining the Mission of God Chronological Bible Overview Session Four - The mission accomplished (NT - Jesus, the Spirit & the New CreaAon) Three final stages: Three key events / comings The Present Kingdom

541 views • 25 slides
Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University

Boring crypto Some recent TLS failures Daniel J. Bernstein Diginotar CA compromise. University of Illinois at Chicago & BEAST CBC attack. Technische Universiteit Eindhoven Trustwave HTTPS interception. CRIME compression attack. Lucky 13

1.3k views • 128 slides
Mission Accomplished? Socio-economic and race/ethnic diversity within the BSC Overview

Mission Accomplished? Socio-economic and race/ethnic diversity within the BSC Overview

Fall 2012 Catherine N. Barry, MA Mission Accomplished? Socio-economic and race/ethnic diversity within the BSC Overview 1. Purpose of research, summary of key findings, and introduction to data 2. BSC general members findings 3.

776 views • 50 slides
Seasonal scale forecasts for water management: What has been accomplished and what still needs

Seasonal scale forecasts for water management: What has been accomplished and what still needs

Seasonal scale forecasts for water management: What has been accomplished and what still needs to be done? Chris Martinez Agricultural and Biological Engineering https://doi.org/10.1016/j.jhydrol.2014.08.043 JFM Streamflow Forecast

127 views • 8 slides
The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST Conference Malta - 18 June 2012 Wave 1 Wave 1 Early nineties: Phil Zimmerman releases PGP Photo Phill Zimmerman Pretty Good Privacy Early

649 views • 31 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides
Incidents of the Week Wikileaks disclosure of unedited cables DigiNotar fake certificates

Incidents of the Week Wikileaks disclosure of unedited cables DigiNotar fake certificates

Incidents of the Week Wikileaks disclosure of unedited cables DigiNotar fake certificates Wikileaks: What Happened Wikileaks disclosed unedited version of leaked cables to The Guardian Encrypted file was hidden in the

584 views • 45 slides
Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

CSS322 Transport Security Web Security TLS/SSL Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013

687 views • 32 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l08,

680 views • 35 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09,

446 views • 31 slides
Crowley ISD RtI Redesign Changing the way we think about our kids OBJECTIVE MISSION

Crowley ISD RtI Redesign Changing the way we think about our kids OBJECTIVE MISSION

4 1 3 2 Crowley ISD RtI Redesign Changing the way we think about our kids OBJECTIVE MISSION ACCOMPLISHED Leave with a common understanding of the following: Four Components of RtI Universal Screening Multi-Tiered Support System

376 views • 18 slides
The Security Clearance and Investigation Process OPMs Mission OPMs Mission is to Recruit,

The Security Clearance and Investigation Process OPMs Mission OPMs Mission is to Recruit,

The Security Clearance and Investigation Process OPMs Mission OPMs Mission is to Recruit, Retain and Honor , a World-Class Workforce to Serve the American People OPMs Federal Investigative Services (FIS) is responsible for providing

523 views • 25 slides
Our Mission https://m.yo utube.com/ watch?v=tS c8WROtNfc Statement By: Joseph DiBartolo

Our Mission https://m.yo utube.com/ watch?v=tS c8WROtNfc Statement By: Joseph DiBartolo

Our Mission https://m.yo utube.com/ watch?v=tS c8WROtNfc Statement By: Joseph DiBartolo Rachel Sy , and Beatrice Armand Our Mission Our Lady of Mercy Catholic Academy is Statement committed to academic

277 views • 8 slides
DET Mission UI Mission To provide services enabling employers and job seekers to make To assist

DET Mission UI Mission To provide services enabling employers and job seekers to make To assist

Appendix N https://Joblink.Delaware.Gov https://Joblink.Delaware.Gov Delaware Department of Labor Workshop Objectives What are the Services? Division of Employment and Training And What are the Benefits? Division of Unemployment

82 views • 5 slides
Mission Critical Security for your Mission Critical Applications Bringing NonS top to the

Mission Critical Security for your Mission Critical Applications Bringing NonS top to the

Mission Critical Security for your Mission Critical Applications Bringing NonS top to the Enterprise and the Enterprise to NonS top About XYPRO 29 years serving the HP NonS top community S pecialists in Mission

448 views • 19 slides
cert.govt.nz security week slides https://www.cert.govt.nz/ PART 2 Matts Security Tips and

cert.govt.nz security week slides https://www.cert.govt.nz/ PART 2 Matts Security Tips and

Before we get started cert.govt.nz security week slides https://www.cert.govt.nz/ PART 2 Matts Security Tips and Tricks Hackers What do they want? Your Financial or Personal Info Hack your bank accounts, transfer money Sell

868 views • 39 slides
HACKING THE POWER GRID: WHY WE SHOULD ALL BE CONCERNED ABOUT IOT SECURITY Presented by Computer

HACKING THE POWER GRID: WHY WE SHOULD ALL BE CONCERNED ABOUT IOT SECURITY Presented by Computer

HACKING THE POWER GRID: WHY WE SHOULD ALL BE CONCERNED ABOUT IOT SECURITY Presented by Computer Forensics & Cyber Security Expert: Lee Neubecker, CISSP https://greatlakesforensics.com My Blog: https://leeneubecker.com About Lee

427 views • 32 slides
Mission Objective: Compromise Nuclear Facility Using Virtual Reality to Improve Cyber Security and

Mission Objective: Compromise Nuclear Facility Using Virtual Reality to Improve Cyber Security and

Mission Objective: Compromise Nuclear Facility Using Virtual Reality to Improve Cyber Security and Physical Protection of Nuclear Material and Nuclear Facilities 1. Mission Briefing 10. Mission Recap High sense of realism Browse thru this

506 views • 11 slides
Privacy and Security Ryan Dunn, PSO Vision and Mission Vision Propel inspiration. Secure the

Privacy and Security Ryan Dunn, PSO Vision and Mission Vision Propel inspiration. Secure the

Privacy and Security Ryan Dunn, PSO Vision and Mission Vision Propel inspiration. Secure the business. Protect the consumer. Business Objectives Risk and Opportunity Management Mission Policy and Standards Technical The mission of the

666 views • 8 slides
Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

Interdomain Routing Two types of Routing Intradomain routing Security Accomplished via

254 views • 10 slides
Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9

The Caliber of Your Choice Energy as a National Security Challenge Environmental Entrepreneurs Mission Critical 9 November 2011 Dan Nolan - Sabot 6, Inc. An Energy Security Company 1800 Diagonal Ave Ste 600 - Alexandria, VA 22314

692 views • 51 slides
Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior

Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior

Security analysis of smart contracts in Datalog https://securify.ch Dr. Petar Tsankov Senior researcher, SRI lab, ETH Zurich Co-founder and Chief Scientist, ChainSecurity Inter-disciplinary research at Next-generation blockchain security ETH

1.22k views • 32 slides

More recommend