Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem

HTTPS secures communications in the web and heavily relies on the Web PKI for authentication. In the Web PKI, Certificate Authorities (CAs) are organizations that provide trust and issue digital certificates. Web clients rely on public root stores maintained by operating systems or browsers, with hundreds of audited CAs as trust anchors. However, as reported by security incidents, hidden root CAs beyond the public root programs have been imported into local root stores, which allows adversaries to gain trust from web clients. In this paper, we provide the first client-side, nation-wide view of hidden root CAs in the Web PKI ecosystem. Through cooperation with a leading browser vendor, we analyze certificate chains in web visits, together with their verification statuses, from volunteer users in 5 months. In total, over 1.17 million hidden root certificates are captured and they cause a profound impact from the angle of web clients and traffic. Further, we identify around 5 thousand organizations that hold hidden root certificates, including fake root CAs that impersonate large trusted ones. Finally, we highlight that the implementation of hidden root CAs and certificates is highly flawed, and issues such as weak keys and signature algorithms are prevalent. Our findings uncover that the ecosystem of hidden root CAs is massive and dynamic, and shed light on the landscape of Web PKI security. Finally, we call for immediate efforts from the community to review the integrity of local root stores.

[1]  Nick Sullivan,et al.  The Security Impact of HTTPS Interception , 2017, NDSS.

[2]  Adrienne Porter Felt,et al.  Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors , 2017, CCS.

[3]  Adrienne Porter Felt,et al.  Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[4]  Robin Sommer,et al.  Here's my cert, so trust me, maybe?: understanding TLS errors on the web , 2013, WWW.

[5]  Chris Palmer,et al.  Public Key Pinning Extension for HTTP , 2015, RFC.

[6]  Kent E. Seamons,et al.  Let's Revoke: Scalable Global Certificate Revocation , 2020, NDSS.

[7]  J. Alex Halderman,et al.  Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.

[8]  Paul Barford,et al.  A Residential Client-side Perspective on SSL Certificates , 2019, 2019 Network Traffic Measurement and Analysis Conference (TMA).

[9]  Deepak Kumar,et al.  Tracking Certificate Misissuance in the Wild , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[10]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[11]  Niklas Carlsson,et al.  Characterizing the Root Landscape of Certificate Transparency Logs , 2020, 2020 IFIP Networking Conference (Networking).

[12]  Amr M. Youssef,et al.  To Intercept or Not to Intercept: Analyzing TLS Interception in Network Appliances , 2018, AsiaCCS.

[13]  Robin Sommer,et al.  No attack necessary: the surprising dynamics of SSL trust relationships , 2013, ACSAC.

[14]  Mohammad Mannan,et al.  Killed by Proxy: Analyzing Client-end TLS Interce , 2016, NDSS.

[15]  Taejoong Chung,et al.  Tunneling for Transparency: A Large-Scale Analysis of End-to-End Violations in the Internet , 2016, Internet Measurement Conference.

[16]  Collin Jackson,et al.  Analyzing Forged SSL Certificates in the Wild , 2014, 2014 IEEE Symposium on Security and Privacy.

[17]  Elaine B. Barker,et al.  Recommendation for Key Management Part 3: Application-Specific Key Management Guidance , 2009 .

[18]  Sudheesh Singanamalla,et al.  Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption , 2020, Internet Measurement Conference.

[19]  Georg Carle,et al.  The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements , 2011, IMC '11.

[20]  Manos Antonakakis,et al.  What's in a Name? Exploring CA Certificate Control , 2021, USENIX Security Symposium.

[21]  Xavier de Carné de Carnavalet Last-Mile TLS Interception: Analysis and Observation of the Non-Public HTTPS Ecosystem , 2019 .

[22]  Zibin Zheng,et al.  A Directed Acyclic Graph Approach to Online Log Parsing , 2018, ArXiv.

[23]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[24]  K. Kane,et al.  The New Wildcats: High-Risk Banking From Worst-Case Certificate Practices Online , 2016 .

[25]  J. Alex Halderman,et al.  Towards a Complete View of the Certificate Ecosystem , 2016, Internet Measurement Conference.

[26]  Daniel Zappala,et al.  TLS Proxies: Friend or Foe? , 2014, Internet Measurement Conference.

[27]  Paul C. van Oorschot,et al.  A survey and analysis of TLS interception mechanisms and motivations , 2020, ArXiv.

[28]  Zibin Zheng,et al.  Drain: An Online Log Parsing Approach with Fixed Depth Tree , 2017, 2017 IEEE International Conference on Web Services (ICWS).

[29]  Robin Sommer,et al.  Extracting Certificates from Live Traffic : A Near Real Time SSL Notary Service , 2012 .

[30]  J. Alex Halderman,et al.  A Search Engine Backed by Internet-Wide Scanning , 2015, CCS.

[31]  Narseo Vallina-Rodriguez,et al.  A Tangled Mass: The Android Root Certificate Stores , 2014, CoNEXT.

[32]  Bruce M. Maggs,et al.  Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem , 2016, CCS.

[33]  Adrienne Porter Felt,et al.  Measuring HTTPS Adoption on the Web , 2017, USENIX Security Symposium.

[34]  Jörg Schwenk,et al.  SoK: Lessons Learned from SSL/TLS Attacks , 2013, WISA.