DOI: 10.1145/3232755.3232763

Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Published: 16 July 2018

Abstract

While the Transport Layer Security (TLS) protocol is typically used to authenticate servers, it also offers the possibility of using client certificates to authenticate clients (Client Certificate Authentication, CCA). We investigate the use of CCA based on two specific concerns:
First, CCA is prone to being used in contexts that encode personal data, such as the identity of a person, into client certificates, e.g. in voting systems or VPN applications.
Second, in versions prior to TLS 1.3, the client certificate (as well as the server certificate) is sent in clear text, permitting systematic and large-scale eavesdropping.
Based on these two concerns, we investigate the use of CCA at an ISP uplink. Besides confirming our two concerns by finding, e.g., person names in VPN certificates, we also find that the Apple Push Notification Service (APNs) leverages TLS CCA to identify client devices. We consider this use highly critical, as APNs is an integral part of all Apple operating systems and establishes a connection immediately upon connecting the device to a network. We show that these properties can be used by various attacker types to track devices (and hence, likely, users) with great precision across the global Internet.
This work was originally published in 2017, while the TLS 1.3 standardization was still ongoing, and we aimed to emphasize the necessity of encrypting client certificates in the TLS handshake, which was adopted in the TLS 1.3 standard. Based on work published at TMA'17 [1].
[1] Matthias Wachs, Quirin Scheitle, Georg Carle. 2017. Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication. In Proceedings of the 2017 Network Traffic Measurement and Analysis Conference (TMA '17).
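The second concern above, that a pre-1.3 TLS client certificate crosses the wire in clear text, can be checked against one's own applications with a small passive audit of the client-to-server byte stream. The following Python is an added example written for this page, not code from the paper or its authors; it parses TLS record and handshake framing (RFC 5246) and reports any Certificate message a passive observer could read, while treating application_data records as opaque, which is how a TLS 1.3 client certificate appears on the wire. The sample streams, the placeholder certificate bytes and the stub ClientHello body are constructed here for illustration and are not captured traffic.

```python
import struct

# TLS record content types and handshake message types (RFC 5246)
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23
HS_CLIENT_HELLO = 1
HS_CERTIFICATE = 11


def parse_records(stream: bytes):
    """Yield (content_type, (major, minor), fragment) for each TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:
            break  # truncated capture: stop rather than misparse
        yield ctype, (major, minor), frag
        off += 5 + length


def parse_handshakes(fragment: bytes):
    """Yield (handshake_type, body) for each handshake message in a plaintext fragment."""
    off = 0
    while off + 4 <= len(fragment):
        hs_type = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        body = fragment[off + 4:off + 4 + length]
        if len(body) < length:
            break
        yield hs_type, body
        off += 4 + length


def parse_certificate_list(body: bytes):
    """Split a Certificate handshake body (certificate_list, RFC 5246 7.4.2) into DER blobs."""
    total = int.from_bytes(body[:3], "big")
    end = 3 + total
    off = 3
    certs = []
    while off + 3 <= end:
        clen = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def find_cleartext_client_certs(client_to_server: bytes):
    """Audit one direction of a TLS stream and report client certificates visible in clear.

    Returns a list of ((major, minor), [cert_lengths]) findings. In TLS 1.3 the client
    Certificate travels inside encrypted application_data records, so nothing is reported.
    """
    findings = []
    for ctype, version, frag in parse_records(client_to_server):
        if ctype != CONTENT_HANDSHAKE:
            continue  # application_data records are opaque to a passive observer
        for hs_type, body in parse_handshakes(frag):
            if hs_type == HS_CERTIFICATE:
                certs = parse_certificate_list(body)
                findings.append((version, [len(c) for c in certs]))
    return findings


# --- constructed sample streams (not captured traffic) -------------------------

def _handshake(hs_type: int, body: bytes) -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def _record(ctype: int, body: bytes, version=(3, 3)) -> bytes:
    return bytes([ctype, *version]) + len(body).to_bytes(2, "big") + body


def _certificate_body(certs) -> bytes:
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


# Placeholder standing in for a DER-encoded X.509 client certificate; this audit
# never decodes DER, so the content does not matter here.
FAKE_CLIENT_CERT = b"<constructed placeholder for a DER client certificate>"
# Stub ClientHello body: this audit does not parse ClientHello contents.
STUB_CLIENT_HELLO = b"\x03\x03" + b"\x00" * 32 + b"\x00"

# TLS 1.2 style: the client's Certificate message is a plaintext handshake record.
TLS12_CLIENT_STREAM = (
    _record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_HELLO, STUB_CLIENT_HELLO))
    + _record(CONTENT_HANDSHAKE, _handshake(HS_CERTIFICATE, _certificate_body([FAKE_CLIENT_CERT])))
    + _record(CONTENT_APPLICATION_DATA, b"\xaa" * 40)
)

# TLS 1.3 style: after ClientHello, the client's Certificate is sent under the
# handshake traffic keys, so on the wire it is just an application_data record.
TLS13_CLIENT_STREAM = (
    _record(CONTENT_HANDSHAKE, _handshake(HS_CLIENT_HELLO, STUB_CLIENT_HELLO))
    + _record(CONTENT_APPLICATION_DATA, b"\x55" * 120)
)

if __name__ == "__main__":
    print("TLS 1.2 stream:", find_cleartext_client_certs(TLS12_CLIENT_STREAM))
    print("TLS 1.3 stream:", find_cleartext_client_certs(TLS13_CLIENT_STREAM))
```

Run against a real capture, the client-to-server bytes of each TCP session would be fed to `find_cleartext_client_certs`; any finding means the application authenticates with a certificate that anyone on the path can read, and the remedy the abstract points to is moving that application to TLS 1.3, where the Certificate message is encrypted.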

Cited By

  • (2018) A First Look at Certification Authority Authorization (CAA). ACM SIGCOMM Computer Communication Review 48:2 (10-23). DOI: 10.1145/3213232.3213235. Online publication date: 1 May 2018.

    Published In

    ANRW '18: Proceedings of the 2018 Applied Networking Research Workshop
    July 2018
    102 pages
    ISBN:9781450355858
    DOI:10.1145/3232755
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Privacy
    2. TLS

    Qualifiers

    • Abstract
    • Research
    • Refereed limited

    Conference

    ANRW '18
    Sponsor:
    ANRW '18: Applied Networking Research Workshop
    July 16, 2018
    QC, Montreal, Canada

    Acceptance Rates

    Overall Acceptance Rate 34 of 58 submissions, 59%

    Article Metrics

    • Downloads (Last 12 months)9
    • Downloads (Last 6 weeks)1
    Reflects downloads up to 25 Feb 2025
