skip to main content
10.1145/2068816.2068856acmconferencesArticle/Chapter ViewAbstractPublication PagesimcConference Proceedingsconference-collections
research-article

The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements

Published: 02 November 2011 Publication History

Abstract

The SSL and TLS infrastructure used in important protocols like HTTPs and IMAPs is built on an X.509 public-key infrastructure (PKI). X.509 certificates are thus used to authenticate services like online banking, shopping, e-mail, etc. However, it always has been felt that the certification processes of this PKI may lack in stringency, resulting in a deployment where many certificates do not meet the requirements of a secure PKI.
This paper presents a comprehensive analysis of X.509 certificates in the wild. To shed more light on the state of the deployed and actually used X.509 PKI, we obtained and evaluated data from many different sources. We conducted HTTPs scans of a large number of popular HTTPs servers over a 1.5-year time span, including scans from nine locations distributed over the globe. To compare certification properties of highly ranked hosts with the global picture, we included a third-party scan of the entire IPv4 space in our analyses. Furthermore, we monitored live SSL/TLS traffic on a 10Gbps uplink of a large research network. This allows us to compare the properties of the deployed PKI with the part of the PKI that is being actively accessed by users.
Our analysis reveals that the quality of certification lacks in stringency, due to a number of reasons among which incorrect certification chains or invalid certificate subjects give the most cause for concern. Similar concerns can be raised for the properties of certification chains and many self-signed certificates used in the deployed X.509 PKI. Our findings confirm what has long been believed -- namely that the X.509 PKI we often use in our everyday's lives is in a sorry state.

References

[1]
D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, "Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile," RFC 5280 (Proposed Standard), May 2008.
[2]
T. Dierks and E. Rescorla, "The transport layer security (TLS) protocol version 1.2," RFC 5246 (Proposed Standard), Aug. 2008, updated by RFCs 5746, 5878, 6176.
[3]
J. Appelbaum, "Detecting certificate authority compromises and web browser collusion," Blog entry: https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion, 2011, {online; last retrieved in May 2011}.
[4]
M. S. Blog, "DigiNotar removal follow up," https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/ {online; last retrieved in September 2011}, 2011.
[5]
C. Herley, "So long, and no thanks for the externalities: the rational rejection of security advice by users," in Proc. 2009 Workshop on New security paradigms. New York, NY, USA: ACM, 2009, pp. 133--144.
[6]
C. Ellison and B. Schneier, "Ten risks of PKI: What you're not being told about public key infrastructure," Computer Security Journal, vol. 16, no. 1, pp. 1--7, 2000.
[7]
P. Gutmann, "PKI: It's not dead, just resting," IEEE Computer, vol. 35, no. 8, pp. 41--49, August 2002.
[8]
P. Eckersley and J. Burns, "An observatory for the SSLiverse," Talk at Defcon 18., July 2010, {last retrieved in May 2011}. {Online}. Available: https://www.eff.org/files/DefconSSLiverse.pdf
[9]
P. Eckersley and J. Burns, "Is the SSLiverse a safe place?" Talk at 27C3. Slides from https://www.eff.org/files/ccc2010.pdf {online; last retrieved in May 2011}, 2010.
[10]
I. Ristic, "Internet SSL Survey 2010," Talk at BlackHat 2010. Slides from https://media.blackhat.com/bh-us-10/presentations/Ristic/BlackHat-USA-2010-Ristic-Qualys-SSL-Survey-HTTP-Rating-Guide-slides.pdf, 2010, {online; last retrieved in May 2011}.
[11]
I. Ristic, "State of SSL," Talk at InfoSec World 2011. Slides from http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_InfoSec_World_April_2011.pdf, 2011, {online; last retrieved in May 2011}.
[12]
Alexa Internet Inc., "Top 1,000,000 sites (updated daily)," http://s3.amazonaws.com/alexa-static/top-1m.csv.zip, 2009--2011, {online; last retrieved in May 2011}.
[13]
H. K. Lee, T. Malkin, and E. Nahum, "Cryptographic strength of SSL/TLS servers: Current and recent practices," in Proc. 7th ACM SIGCOMM Conference on Internet Measurement (IMC 2007), San Diego, CA, USA, October 2007, pp. 83--92.
[14]
S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage, "When private keys are public -- results from the 2008 Debian OpenSSL vulnerability," in Proc. 9th ACM SIGCOMM Conference on Internet Measurement (IMC 2009), Chicago, Illinois, USA, Nov. 2009, pp. 15--27.
[15]
Data sets of active scans, http://pki.net.in.tum.de, 2011.
[16]
A. Croll and S. Power, Complete Web Monitoring.\hskip 1em plus 0.5em minus 0.4em\relax O'Reilly Media, 2009.
[17]
L. Braun, G. Münz, and G. Carle, "Packet sampling for worm and botnet detection in TCP connections," in Proc. IEEE/IFIP Network Operations and Management Symposium (NOMS), Apr. 2010.
[18]
S. Kornexl, V. Paxson, H. Dreger, A. Feldmann, and R. Sommer, "Building a time machine for efficient recording and retrieval of high-volume network traffic," in Proc. 5th ACM SIGCOMM Conference on Internet Measurement (IMC 2005), Berkeley, CA, USA, Oct. 2005.
[19]
L. Braun, A. Didebulidze, N. Kammenhuber, and G. Carle, Comparing and improving current packet capturing solutions based on commodity hardware," in Proc. 10th ACM SIGCOMM Conference on Internet measurement (IMC) 2010, Nov 2010.
[20]
F. Fusco and L. Deri, "High speed network traffic analysis with commodity multi-core systems," in Proc. 10th ACM SIGCOMM conference on Internet measurement (IMC) 2010, Nov 2010.
[21]
V. Paxson, "Bro: a system for detecting network intruders in real-time," Computer networks, vol. 31, no. 23--24, pp. 2435--2463, 1999.
[22]
H. Dreger, A. Feldmann, M. Mai, V. Paxson, and R. Sommer, "Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection," in Proc. USENIX Security Symposium, Apr. 2006.
[23]
Planet Lab, "Planet Lab web site," https://www.planet-lab.org {online; last retrieved in May 2011}.
[24]
The International Grid Trust Federation, "IGTF web site," http://www.igtf.net/ {online; last retrieved in May 2011}.
[25]
A. Klein, "Attacks on the RC4 stream cipher," Designs, Codes and Cryptography, vol. 48, pp. 269--286, 2008.
[26]
E. Rescorla, "HTTP over TLS," RFC 2818 (Informational), 2000.
[27]
CA/Browser Forum, "EV SSL certificate guidelines version 1.3," http://www.cabforum.org/Guidelines\_v1\_3.pdf, 2010, {online; last retrieved in May 2011}.
[28]
M. Stevens, A. Lenstra, and B. de Weger, "Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities," in phAdvances in Cryptology -- EUROCRYPT 2007, ser. LNCS.\hskip 1em plus 0.5em minus 0.4em\relax Springer Berlin / Heidelberg, 2007, vol. 4515, pp. 1--22.
[29]
NIST, "Approved Algorithms,"http://csrc.nist.gov/groups/ST/toolkit/secure\_hashing.html, 2006, {online; last retrieved in May 2011}.
[30]
A. Sotirov, M. Stevens, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger, "MD5 considered harmful today," http://dl.packetstormsecurity.net/papers/attack/md5-considered-harmful.pdf, 2008, {online; last retrieved in May 2011}.
[31]
T. Kleinjung, K. Aoki, J. Franke, A. Lenstra, E. Thomé, J. Bos, P. Gaudry, A. Kruppa, P. Montgomery, D. Osvik, H. te Riele, A. Timofeev, and P. Zimmermann, "Factorization of a 768-bit RSA modulus," in Advances in Cryptology -- CRYPTO 2010, ser. Lecture Notes in Computer Science.\hskip 1em plus 0.5em minus 0.4em\relax Springer Berlin / Heidelberg, 2010, vol. 6223, pp. 333--350.
[32]
NIST, "Special publications (800 Series)," http://csrc.nist.gov/publications/PubsSPs.html, 2011, {online; last retrieved in May 2011}.

Cited By

View all
  • (2024)LanDscAPeProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698969(1225-1242)Online publication date: 14-Aug-2024
  • (2024)The Not-So-Silent Type: Vulnerabilities in Chinese IME Keyboards' Network Security ProtocolsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690302(1701-1715)Online publication date: 2-Dec-2024
  • (2024)On the Complexity of the Web’s PKI: Evaluating Certificate Validation of Mobile BrowsersIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.325586921:1(419-433)Online publication date: Jan-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
November 2011
612 pages
ISBN:9781450310130
DOI:10.1145/2068816
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

  • USENIX Assoc: USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 November 2011

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. HTTPS
  2. SSL
  3. TLS
  4. X.509
  5. certificates
  6. public key infrastructure

Qualifiers

  • Research-article

Conference

IMC '11
IMC '11: Internet Measurement Conference
November 2 - 4, 2011
Berlin, Germany

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)67
  • Downloads (Last 6 weeks)4
Reflects downloads up to 20 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2024)LanDscAPeProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3698969(1225-1242)Online publication date: 14-Aug-2024
  • (2024)The Not-So-Silent Type: Vulnerabilities in Chinese IME Keyboards' Network Security ProtocolsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690302(1701-1715)Online publication date: 2-Dec-2024
  • (2024)On the Complexity of the Web’s PKI: Evaluating Certificate Validation of Mobile BrowsersIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.325586921:1(419-433)Online publication date: Jan-2024
  • (2024)An Experimental Investigation of Tuning QUIC-Based Publish–Subscribe Architectures in IoTIEEE Internet of Things Journal10.1109/JIOT.2023.330216011:3(4924-4933)Online publication date: 1-Feb-2024
  • (2024)Alter Ego: Identifying Web Server Certificates Containing IP Addresses As Subjects2024 Twelfth International Symposium on Computing and Networking Workshops (CANDARW)10.1109/CANDARW64572.2024.00052(272-278)Online publication date: 26-Nov-2024
  • (2024)You are your friends: Detecting malware via guilt-by-association and exempt-by-reputationComputers & Security10.1016/j.cose.2023.103519136(103519)Online publication date: Jan-2024
  • (2024)A compliance-based ranking of certificate authorities using probabilistic approachesInternational Journal of Information Security10.1007/s10207-024-00867-323:4(2881-2910)Online publication date: 29-May-2024
  • (2024)Analyzing Implementation-Based SSL/TLS Vulnerabilities with Binary Semantics AnalysisSecurity and Privacy in Communication Networks10.1007/978-3-031-64954-7_19(371-394)Online publication date: 15-Oct-2024
  • (2024)Trust Issue(r)s: Certificate Revocation and Replacement Practices in the WildPassive and Active Measurement10.1007/978-3-031-56252-5_14(293-321)Online publication date: 11-Mar-2024
  • (2023)Service Identification of TLS Flows Based on Handshake AnalysisJournal of Information Processing10.2197/ipsjjip.31.13131(131-142)Online publication date: 2023
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media