On the Validation of Web X.509 Certificates by TLS Interception Products

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit; its authentication of the server rests on X.509 certificates. Our previous research showed that popular web browsers exhibit non-standardised behaviour in the certificate validation process [1]. This paper extends that work by examining their handling of OCSP stapling. We also examine several popular HTTPS interception products, including proxies and anti-virus tools, with respect to their certificate validation processes. We analyse their behaviour and compare it with that prescribed by the relevant standards. Finally, we propose a system that automates certificate validation tests.
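As an added illustration, and not code from the paper or its proposed test system, the following Python models the decisions a certificate-validation test suite has to drive for a TLS client or interception proxy: validity period, issuer/subject chaining, termination at a trust anchor, basicConstraints and pathLenConstraint on every issuing certificate, subjectAltName dNSName matching, and freshness and status of a stapled OCSP response. Certificates and OCSP responses are plain dictionaries and no signatures are verified; the fixtures (a root, an issuing CA, a leaf for www.example.test and a stapled response) are constructed for the example.

```python
"""Simplified RFC 5280-style path validation with stapled-OCSP checks.

Added example, not the paper's test system: certificates and OCSP responses
are plain dicts and no signatures are verified, so only the decision logic a
certificate-validation test suite would exercise is shown."""
from datetime import datetime, timezone


def utc_date(day):
    """Parse a YYYY-MM-DD string into an aware UTC datetime."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def hostname_matches(hostname, san_dns_names):
    """DNS-ID matching: case-insensitive; '*' is accepted only as the whole
    left-most label, only with two or more labels after it ('*.com' is
    rejected), and it never spans several labels."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def check_staple(leaf, staple, now):
    """Violations for a stapled OCSP response; staple=None means none sent."""
    if staple is None:
        # RFC 7633 TLS feature extension makes a stapled response mandatory
        if leaf.get("must_staple"):
            return ["leaf requires OCSP stapling but no response was stapled"]
        return []
    errors = []
    if staple["serial"] != leaf["serial"]:
        errors.append("stapled OCSP response is for a different certificate")
    if not (utc_date(staple["this_update"]) <= now <= utc_date(staple["next_update"])):
        errors.append("stapled OCSP response is stale or not yet valid")
    if staple["status"] == "revoked":
        errors.append("stapled OCSP response says the leaf is revoked")
    elif staple["status"] != "good":
        errors.append(f"stapled OCSP status '{staple['status']}' is not 'good'")
    return errors


def validate_chain(chain, trust_anchors, hostname, now, staple=None):
    """chain[0] is the leaf and chain[i+1] issued chain[i]. Returns the list
    of violations; an empty list means the chain validates for hostname."""
    if not chain:
        return ["empty chain"]
    errors = []
    for i, cert in enumerate(chain):  # validity period of every certificate
        if not (utc_date(cert["not_before"]) <= now <= utc_date(cert["not_after"])):
            errors.append(f"cert {i} ({cert['subject']}) is outside its validity period")
    for i in range(len(chain) - 1):  # issuer/subject name chaining
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            errors.append(f"cert {i} issuer does not match cert {i + 1} subject")
    top = chain[-1]  # the path must end at, or be issued by, a trust anchor
    if top["subject"] not in trust_anchors and top["issuer"] not in trust_anchors:
        errors.append("chain does not terminate at a trusted root")
    for i, cert in enumerate(chain[1:], start=1):  # every issuing certificate
        bc = cert.get("basic_constraints", {})
        if not bc.get("ca", False):
            errors.append(f"cert {i} ({cert['subject']}) signs a certificate but cA is FALSE")
        if "keyCertSign" not in cert.get("key_usage", []):
            errors.append(f"cert {i} ({cert['subject']}) lacks keyCertSign key usage")
        # pathLenConstraint caps the non-self-issued CA certs below this one (i - 1)
        if bc.get("path_len") is not None and i - 1 > bc["path_len"]:
            errors.append(f"cert {i} ({cert['subject']}) exceeds its pathLenConstraint")
    if not hostname_matches(hostname, chain[0].get("san_dns", [])):
        errors.append(f"no subjectAltName dNSName matches {hostname}")
    errors.extend(check_staple(chain[0], staple, now))
    return errors


# Constructed fixtures, not real certificates.
ROOT = {"subject": "Test Root CA", "issuer": "Test Root CA", "serial": 1,
        "not_before": "2015-01-01", "not_after": "2035-01-01",
        "basic_constraints": {"ca": True, "path_len": 1}, "key_usage": ["keyCertSign"]}
INTERMEDIATE = {"subject": "Test Issuing CA", "issuer": "Test Root CA", "serial": 2,
                "not_before": "2018-01-01", "not_after": "2028-01-01",
                "basic_constraints": {"ca": True, "path_len": 0}, "key_usage": ["keyCertSign"]}
LEAF = {"subject": "www.example.test", "issuer": "Test Issuing CA", "serial": 3,
        "not_before": "2023-01-01", "not_after": "2024-01-01", "must_staple": True,
        "san_dns": ["www.example.test", "*.cdn.example.test"],
        "basic_constraints": {"ca": False}, "key_usage": ["digitalSignature"]}
TRUST_ANCHORS = {"Test Root CA"}
NOW = utc_date("2023-06-01")
GOOD_STAPLE = {"serial": 3, "status": "good",
               "this_update": "2023-05-30", "next_update": "2023-06-06"}

if __name__ == "__main__":
    chain = [LEAF, INTERMEDIATE, ROOT]
    print(validate_chain(chain, TRUST_ANCHORS, "www.example.test", NOW, GOOD_STAPLE))
    # A proxy re-signing under a root the client does not trust is reported:
    print(validate_chain(chain, set(), "www.example.test", NOW, GOOD_STAPLE))
```

Each check returns a separate violation string rather than stopping at the first failure, so a test harness can compare the full set of standards violations a product tolerates (for example, an interception proxy that accepts a stale staple but rejects an expired leaf) instead of a single pass/fail verdict.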

[1] Romain Laborde, et al. A formal model of trust for calculating the quality of X.509 certificate, 2011.

[2] Audun Jøsang, et al. PKI Seeks a Trusting Relationship, 2000, ACISP.

[3] Vitaly Shmatikov, et al. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations, 2014, IEEE Symposium on Security and Privacy.

[4] Nancy Cam-Winget, et al. TLS 1.3 Impact on Network-Based Security, 2019.

[5] David W. Chadwick, et al. Trust Management for Public Key Infrastructures: Implementing the X.509 Trust Broker, 2017, Security and Communication Networks.

[6] Romain Laborde, et al. A formal model of trust for calculating the quality of X.509 certificate, 2011, Security and Communication Networks.

[7] Adrienne Porter Felt, et al. Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate, 2019, IEEE Symposium on Security and Privacy (SP).

[8] Mohammad Mannan, et al. Killed by Proxy: Analyzing Client-end TLS Interce, 2016, NDSS.

[9] David W. Chadwick, et al. Which Web Browsers Process SSL Certificates in a Standardized Way?, 2009, SEC.

[10] David Cooper, et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2008, RFC 5280.

[11] David W. Chadwick, et al. TLS Connection Validation by Web Browsers: Why do Web Browsers Still Not Agree?, 2017, IEEE 41st Annual Computer Software and Applications Conference (COMPSAC).

[12] Russ Housley, et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, 2002, RFC 3280.