SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements
2013 IEEE Symposium on Security and Privacy

Internet users today depend daily on HTTPS for secure communication with sites they intend to visit. Over the years, many attacks on HTTPS and the certificate trust model it uses have been hypothesized, executed, and/or evolved. Meanwhile the number of browser-trusted (and thus, de facto, user-trusted) certificate authorities has proliferated, while the due diligence in baseline certificate issuance has declined. We survey and categorize prominent security issues with HTTPS and provide a systematic treatment of the history and ongoing challenges, intending to provide context for future directions. We also provide a comparative evaluation of current proposals for enhancing the certificate infrastructure used in practice.
