An End-to-End Measurement of Certificate Revocation in the Web’s PKI
Yabing Liu*, Will Tome*, Liang Zhang*, David Choffnes*, Dave Levin†, Bruce Maggs‡, Alan Mislove*, Aaron Schulman§, Christo Wilson*
*Northeastern University, †University of Maryland, ‡Duke University and Akamai Technologies, §Stanford University
Public Key Infrastructures (PKIs)
How can users truly know with whom they are communicating?
[Figure: Website, Browser, Certificate Authority. The CA vets the website ("The owner of Certificate is indeed BoA") and issues a certificate, which the website presents to the browser.]
Certificate revocation
What happens when a certificate is no longer valid?
[Figure: An attacker obtains a copy of the website's certificate. The website asks the CA "Please revoke"; the CA marks the certificate revoked (✗) and publishes it. The browser periodically pulls (CRL) or queries (OCSP) the revocation information and rejects the revoked certificate.]
Certificate revocation responsibilities
This talk: Do these entities do what they need to do?
Administrators must revoke certificates when keys are compromised
Certificate authorities must publish revocations as quickly as possible
Browsers must check revocation status on each connection
Outline
Website admin behavior, e.g., what is the frequency of revocation?
Certificate authorities behavior, e.g., how do CAs serve revocations?
Client behavior, e.g., do browsers check revocations?
Dataset
Rapid7 IPv4 scans: 38M certs (~1/wk for 18 months)
Classify: Non-CA, 38M certs; CA, 1,946 certs
Validate: Leaf Set, 5M valid certs
Download revocation information daily
How frequently are certificates revoked?
[Figure: Percentage of fresh certs that are revoked, by date (01/14 to 03/15); y-axis 0 to 12%.]
Significant fraction of certificates revoked: 1% in steady state; more than 8% after Heartbleed
How frequently are certificates revoked?
[Figure: Fraction of alive certs that are revoked, by date (01/14 to 03/15); y-axis 0 to 0.006.]
Over 0.5% of advertised certificates are revoked: website admins failed to update their servers
CRLs, OCSP, and OCSP Stapling
[Figure: CRL flow. The CA publishes a Certificate Revocation List of all its revoked certificates (✗); the browser downloads the entire list from the CA and checks whether the website's certificate appears in it.]
Cost of obtaining CRLs
[Figure: CDF of CRL size (KB), log-scale x-axis from 0.1 to 10,000 KB; two curves, Raw and Weighted; the 76MB Apple CRL is marked.]
Most CRLs small, but large CRLs downloaded more often
Result: 50% of certs have CRLs larger than 45KB
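The raw versus weighted distinction above is the whole point of the slide: a CA-centric CDF counts each CRL once, while a client-centric CDF counts each CRL once per certificate that references it. The following added example (not the paper's code or the securepki.org tooling) computes both CDFs over constructed sample data and shows how the median jumps once large, heavily referenced CRLs are weighted by the certificates that point at them.

```python
"""Raw vs. certificate-weighted CDF of CRL size.

Added example; the CRL sizes and reference counts are constructed.
Each tuple is (CRL size in KB, number of leaf certificates whose CRL
distribution point names that CRL).
"""

# Constructed sample: several tiny CRLs referenced by few certificates,
# and a few large CRLs referenced by many (the pattern the slide shows).
SAMPLE_CRLS = [
    (0.5, 3), (1.0, 5), (2.0, 4), (4.0, 2), (8.0, 1),
    (45.0, 10), (120.0, 20), (1184.0, 40), (76000.0, 15),
]


def cdf_points(crls, weighted):
    """Return (size_kb, cumulative_fraction) pairs in ascending size.

    Raw CDF: every CRL counts once (the CA's-eye view).
    Weighted CDF: every CRL counts once per certificate that points at
    it, i.e. once per CRL download a client validating that certificate
    would have to perform (the client's-eye view).
    """
    rows = sorted(crls)
    weights = [n if weighted else 1 for _, n in rows]
    total = sum(weights)
    acc = 0
    points = []
    for (size, _), w in zip(rows, weights):
        acc += w
        points.append((size, acc / total))
    return points


def percentile_size(crls, q, weighted):
    """Smallest CRL size at which the chosen CDF reaches fraction q."""
    for size, frac in cdf_points(crls, weighted):
        if frac >= q:
            return size
    raise ValueError("q must be in (0, 1]")


def fraction_of_certs_with_crl_larger_than(crls, kb):
    """Share of certificates whose CRL exceeds kb (the weighted view)."""
    total = sum(n for _, n in crls)
    return sum(n for size, n in crls if size > kb) / total


if __name__ == "__main__":
    print("raw median CRL size (KB):     ", percentile_size(SAMPLE_CRLS, 0.5, False))
    print("weighted median CRL size (KB):", percentile_size(SAMPLE_CRLS, 0.5, True))
    print("certs with CRL > 45 KB:       ", fraction_of_certs_with_crl_larger_than(SAMPLE_CRLS, 45.0))
```

On the constructed data the raw median is 8 KB but the certificate-weighted median is 1,184 KB, the same shape of gap the slide reports between "most CRLs are small" and "half of all certificates point at a CRL over 45 KB".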
CRLs from different CAs

CA           Unique CRLs   Certificates   Total Revoked   Avg. CRL size (KB)
GoDaddy              322      1,050,014         277,500              1,184.0
RapidSSL               5        626,774           2,153                 34.5
Comodo                30        447,506           7,169                517.6
PositiveSSL            3        415,075           8,177                441.3
Verisign              37        311,788          15,438                205.2

CAs use only a small number of CRLs
CRLs, OCSP, and OCSP Stapling
[Figure: OCSP flow. The browser receives the website's certificate and queries the CA's OCSP responder for that certificate; the CA answers with a signed good (✔) or revoked (✗) response.]
OCSP prevalence
[Figure: Fraction of new certificates with revocation information (CRL and OCSP curves), by date certificate issued (01/11 to 01/15); y-axis 0.65 to 1. Annotation: RapidSSL begins supporting OCSP.]
OCSP now universally supported
CRLs, OCSP, and OCSP Stapling
[Figure: OCSP Stapling. The website obtains the signed OCSP response (✔) for its own certificate from the CA and delivers it to the browser together with the certificate, so the browser does not have to contact the CA itself.]
Limited OCSP Stapling Support
• IPv4 TLS Handshake scans by University of Michigan on 3/28/15
• Every IPv4 server on port 443
• Look for OCSP stapling support
• 2.2M valid certificates
• 5.19% served by at least one server that supports OCSP Stapling
• 3.09% served by servers that all support OCSP Stapling
Website admins rarely enable OCSP Stapling
Outline
Website admin behavior, e.g., revocation is common (~8%)
Certificate authorities behavior, e.g., high cost in distributing revocation info
Client behavior, e.g., do browsers check revocations?
What’s the concern of browsers?
[Figure: Website, Browser, Certificate Authority; before accepting the website's certificate the browser has to contact the CA.]
On the web, latency is king
Browsers face tension between security and speed: must contact CA to ensure cert not revoked
Test harness
Goal: Test browser behavior under different combinations of:
• Revocation protocols
• Availability of revocation information
• Chain lengths
• EV/non-EV certificates (Normal, Extended Validation)
Implement 244 tests using fake root certificate + Javascript
• Unique DNS name, cert chain, CRL/OCSP responder, …
Do browsers check revocations?
[Table: rows Supports CRLs, Supports OCSP, Supports OCSP Stapling, each split into Desktop and Mobile browsers (shown as icons); most cells are ✗, a few are marked ~ or "EV only".]
Do browsers check intermediates?
[Table: rows Check intermediate and Revocation unavailable, each split into Desktop and Mobile browsers (shown as icons); most cells are ✗, the remainder are marked EV, OCSP or CRL.]
No browser correctly checks all revocations
Takeaways
Revocations common: ~1% in steady state; more than 8% after Heartbleed
Obtaining revocation information can be expensive: CRLs large, OCSP Stapling rarely supported
Many browsers don’t bother to check revocation: mobile browsers completely lack revocation checking
CRLSet
Chrome pushes out list of select revocations, called CRLSet
Chromium developers only state:
1. The full list [of covered CRLs] isn’t public
2. CRLs on the list are fetched infrequently
3. Entries in the CRL are filtered by reason code.
4. Size limited to 250 KB
CRLSet coverage
[Figure: CDF of the fraction of each CRL’s entries that appear in CRLSet; x-axis 0 to 1; curves labeled CRLSet and Reason Codes.]
Only 0.35% of all revocations appear in CRLSet
Only 295 (10.5%) CRLs have any revocations covered
CRLSet has only low coverage
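The coverage numbers above come from comparing each CRL's entries against what the CRLSet actually carries. The following added example (not the paper's code and not Chromium's crlset tooling) does that comparison over constructed sample CRLs and a constructed CRLSet, producing the overall covered fraction, the count of CRLs with any coverage, and the per-CRL fraction plotted as a CDF on the slide; the reason-code filter is modelled with an assumed `kept_reasons` parameter because the codes Chromium keeps are not public.

```python
"""CRLSet coverage of CA-published revocations.

Added example with constructed data. Each CRL is a list of
(serial number, RFC 5280 reason code) entries; the CRLSet is a map
from CRL to the set of serial numbers it actually carries.
"""

# Constructed CRLs: url -> [(serial, reason), ...]
SAMPLE_CRLS = {
    "http://crl.ca-a.example/a.crl": [
        (0x1001, "keyCompromise"), (0x1002, "superseded"),
        (0x1003, "cessationOfOperation"), (0x1004, "keyCompromise"),
    ],
    "http://crl.ca-b.example/b.crl": [
        (0x2001, "unspecified"), (0x2002, "affiliationChanged"),
    ],
    "http://crl.ca-c.example/c.crl": [(0x3001, "keyCompromise")],
}

# Constructed CRLSet: lists two of the three CRLs, covers entries of one.
SAMPLE_CRLSET = {
    "http://crl.ca-a.example/a.crl": {0x1001, 0x1004},
    "http://crl.ca-c.example/c.crl": set(),
}


def crlset_coverage(crls, crlset):
    """Compare every CRL's entries against the CRLSet.

    Returns overall covered/total counts, how many CRLs have at least
    one entry covered, and the per-CRL covered fraction."""
    total = covered = crls_with_any = 0
    per_crl = {}
    for url, entries in crls.items():
        serials = {serial for serial, _ in entries}
        hit = serials & crlset.get(url, set())
        total += len(serials)
        covered += len(hit)
        crls_with_any += bool(hit)
        per_crl[url] = len(hit) / len(serials) if serials else 0.0
    return {"total": total, "covered": covered,
            "fraction": covered / total if total else 0.0,
            "crls_with_any": crls_with_any, "per_crl": per_crl}


def filter_by_reason(entries, kept_reasons):
    """Model the reason-code filter the Chromium developers mention.
    Which codes Chromium keeps is not public, so kept_reasons is an
    assumed parameter; returns the serials that would survive it."""
    return {serial for serial, reason in entries if reason in kept_reasons}
```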
More results in the paper
• Analysis of EV certificate revocation
• Revoked but alive certificates
• Improve CRLSets with Bloom Filters and more …
Summary
• An end-to-end measurement of certificate revocation in the web
  • Covers all parties: website administrators, CAs and browsers
• Key findings
  • Extensive inaction with respect to certificate revocation
  • Browsers fail to check certificate revocation
  • Mobile browsers lack revocation checking
• We can improve
  • CAs can maintain more small CRLs
  • Website admins can deploy OCSP stapling
Questions?
securepki.org