Advertisement

In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements

  • Oliver Gasser
  • Benjamin Hof
  • Max Helm
  • Maciej Korczynski
  • Ralph Holz
  • Georg Carle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10771)

Abstract

In recent years, multiple security incidents involving Certificate Authority (CA) misconduct demonstrated the need for strengthened certificate issuance processes. Certificate Transparency (CT) logs make the issuance publicly traceable and auditable.

In this paper, we leverage the information in CT logs to analyze if certificates adhere to the industry’s Baseline Requirements. We find 907  k certificates in violation of Baseline Requirements, which we pinpoint to issuing CAs. Using data from active measurements we compare certificate deployment to logged certificates, identify non-HTTPS certificates in logs, evaluate CT-specific HTTP headers, and augment IP address hitlists using data from CT logs. Moreover, we conduct passive and active measurements to carry out a first analysis of CT’s gossiping and pollination approaches, finding low deployment. We encourage the reproducibility of network measurement research by publishing data from active scans, measurement programs, and analysis tools.

Keywords

TLS Certificate Transparency Baseline Requirements 

Notes

Acknowledgments

We thank Emily Stark from Google for the valuable insights into Chrome’s current state of CT over DNS. The authors thank the contributors of data to Farsight Security’s DNSDB. We thank the anonymous reviewers and our shepherd Steve Uhlig for their valuable feedback. This work was partially funded by the German Federal Ministry of Education and Research under project X-Check, grant 16KIS0530, and project DecADe, grant 16KIS0538.

References

  1. 1.
    Acer, M.E. et al.: Where the wild warnings are: root causes of Chrome HTTPS certificate errors. In: CCS 2017Google Scholar
  2. 2.
  3. 3.
    Aertsen, M. et al.: No domain left behind: is Let’s Encrypt democratizing encryption? In: ANRW 2017Google Scholar
  4. 4.
    Amann, J. et al.: Mission accomplished? HTTPS security after DigiNotar. In: IMC 2017Google Scholar
  5. 5.
    CA/Browser Forum: Baseline requirements for the issuance and management of publicly-trusted certificates. Version 1.5.0., 1 September 2017Google Scholar
  6. 6.
    Chen, Y. et al.: DNS noise: measuring the pervasiveness of disposable domains in modern DNS traffic. In: DSN 2014Google Scholar
  7. 7.
  8. 8.
    Chung, T. et al.: Measuring and applying invalid SSL certificates: the silent majority. In: IMC 2016Google Scholar
  9. 9.
    Clark, J., van Oorschot, P.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE S&P 2013Google Scholar
  10. 10.
    Dittrich, D. et al.: The Menlo report: ethical principles guiding information and communication technology research. US DHS (2012)Google Scholar
  11. 11.
    Durumeric, Z. et al.: Analysis of the HTTPS certificate ecosystem. In: IMC 2013Google Scholar
  12. 12.
    Durumeric, Z. et al.: ZMap: fast Internet-wide scanning and its security applications. In: USENIX Security 2013Google Scholar
  13. 13.
    Ellison, C., Schneier, B.: Ten risks of PKI: what you’re not being told about Public Key Infrastructure. Comput. Secur. J. 16(1), 1–7 (2000)Google Scholar
  14. 14.
    Farsight Security: DNSDB. https://www.dnsdb.info/
  15. 15.
    Felt, A.P. et al.: Measuring HTTPS adoption on the web. In: USENIX Security 2017Google Scholar
  16. 16.
    Fox-IT: Black Tulip. Report of the investigation into the DigiNotar Certificate Authority breach, 8 (2012)Google Scholar
  17. 17.
    Gasser, O. et al.: IPv6 Hitlist collection. https://www.net.in.tum.de/projects/gino/ipv6-hitlist.html
  18. 18.
    Gasser, O. et al.: Scanning the IPv6 Internet: towards a comprehensive Hitlist. In: TMA 2016Google Scholar
  19. 19.
    Gustafsson, J. et al.: A first look at the CT landscape: Certificate Transparency logs in practice. In: PAM 2017Google Scholar
  20. 20.
    Holz, R. et al.: The SSL landscape–a thorough analysis of the X.509 PKI using active and passive measurements. In: IMC 2011Google Scholar
  21. 21.
    Holz, R. et al.: TLS in the wild - an Internet-wide analysis of TLS-based protocols for electronic communication. In: NDSS 2016Google Scholar
  22. 22.
    Laurie, B. et al.: Certificate Transparency RFCs on GitHub (2017). https://github.com/google/certificate-transparency-rfcs
  23. 23.
    Liu, Y. et al.: An end-to-end measurement of certificate revocation in the web PKI. In: IMC 2015Google Scholar
  24. 24.
    Markham, G.: Mailing list: Mozilla dev.sec.policy: PROCERT decisionGoogle Scholar
  25. 25.
    Messeri, E.: Mailing list: IETF trans: privacy analysis of the DNS-based protocol for obtaining inclusion proofGoogle Scholar
  26. 26.
    Mozilla: Mailing List: Mozilla dev.sec.policy: Mozilla’s Plan for Symantec RootsGoogle Scholar
  27. 27.
  28. 28.
    Mozilla OneCRL, October 2017Google Scholar
  29. 29.
    Nordberg, L. et al.: Gossiping in CT. Internet-Draft draft-ietf-trans-gossip-04Google Scholar
  30. 30.
    Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 15(10), 58–64 (2016)CrossRefGoogle Scholar
  31. 31.
    Ristić, I.: SSL/TLS and PKI History. https://www.feistyduck.com/ssl-tls-and-pki-history/
  32. 32.
    Ritter, T.: An experimental “RequireCT” directive for HSTS, February 2015. https://ritter.vg/blog-require_certificate_transparency.html
  33. 33.
    Scheitle, Q. et al.: Towards an ecosystem for reproducible research in computer networking. In: SIGCOMM Reproducibility 2017Google Scholar
  34. 34.
    Sleevi, R.: Certificate Transparency in Chrome - change to enforcement date Google groups, 21 April 2017. https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/sz_3W_xKBNY/6jq2ghJXBAAJ
  35. 35.
    Sleevi, R., Messeri, E.: Certificate Transparency in Chrome: monitoring CT logs consistency, 1 May 2015. https://docs.google.com/document/d/1FP5J5Sfsg0OR9P4YT0q1dM02iavhi8ix1mZlZe_z-ls
  36. 36.
    Stark, E.: Expect-CT extension for HTTP. https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
  37. 37.
    Symantec: Update on test certificate incident (2016). https://www.symantec.com/page.jsp?id=test-certs-update
  38. 38.
    TUM: cablint on GitHub. https://github.com/tumi8/certlint
  39. 39.
  40. 40.
    TUM: goscanner on GitHub. https://github.com/tumi8/goscanner
  41. 41.
    TUM: ZMapv6 on GitHub. https://github.com/tumi8/zmap
  42. 42.
    VanderSloot, B. et al.: Towards a complete view of the certificate ecosystem. In: IMC 2016Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Oliver Gasser
    • 1
  • Benjamin Hof
    • 1
  • Max Helm
    • 1
  • Maciej Korczynski
    • 2
    • 3
  • Ralph Holz
    • 4
  • Georg Carle
    • 1
  1. 1.Technical University of MunichMunichGermany
  2. 2.Grenoble Alps UniversityGrenobleFrance
  3. 3.Delft University of TechnologyDelftNetherlands
  4. 4.The University of SydneySydneyAustralia

Personalised recommendations