Exploring the Security Issues of Trusted CA Certificate Management

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12918)

Abstract

Public Key Infrastructure (PKI) is widely used in security protocols, and the root certification authority (CA) serves as the trust anchor of PKI. However, as research shows, not all root CAs are trustworthy, and malicious CAs might issue fraudulent certificates, which can enable Man-in-the-Middle and eavesdropping attacks. Moreover, the sheer number of CAs and CA certificates makes it hard for users to manage CA certificates by themselves. Although PKI applications generally provide an implementation of trusted CA certificate management (called a CA manager in this paper) to store, manage, and verify CA certificates, security incidents still occur, and a single malicious CA certificate can undermine security as a whole. This work explores the security issues of CA managers for three popular operating systems and eight applications installed on them. We make a systematic analysis of the CA managers, covering aspects such as the modification of the certificate trust list, the source of trust, and the security checks applied to CA certificates, and propose the functionalities that a CA manager should have. Our work shows that all the CA managers we analyzed have security issues, e.g., silent addition of CA certificates and inefficient validation of CA certificates, which result in insecure CA certificates being falsely trusted. We also make some suggestions for enhancing the security of CA managers.

Acknowledgment

We thank all the reviewers and our shepherd for their helpful feedback and advice. This work was partially supported by the National Cyber Security Key Research and Development Program of China (No. 2018YFB0804600).

Author information

Corresponding author

Correspondence to Qiongxiao Wang.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Fu, Y., Wang, Q., Lin, J., Sun, A., Lu, L. (2021). Exploring the Security Issues of Trusted CA Certificate Management. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_22

  • DOI: https://doi.org/10.1007/978-3-030-86890-1_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86889-5

  • Online ISBN: 978-3-030-86890-1

  • eBook Packages: Computer Science, Computer Science (R0)
