LEAF message structure Session key 80 bits Other variables The other Clipper chip also has the Global Family key Unit Key Skipjack Hash algorithm => Can decrypt the LEAF to obtain this triple 16 bits Unit ID Encrypted session key Hash Global family key Skipjack LEAF
LEAF message structure Session key 80 bits Other variables Unit Key Skipjack Hash algorithm 16 bits The other Clipper chip “verifies” the LEAF by making sure that Unit ID Encrypted session key Hash the hash is correct Global family key Skipjack LEAF
LEAF message structure Session key 80 bits Other variables Law enforcement also has the Global Family Key Unit Key Skipjack Hash algorithm => Can decrypt the LEAF to obtain this triple 16 bits Unit ID Encrypted session key Hash Global family key Skipjack LEAF
LEAF message structure Session key 80 bits Other variables Unit Key Skipjack Hash algorithm 16 bits Unit ID Encrypted session key Hash Law enforcement does not have direct access Global family key Skipjack to all unit keys; needs a warrant to get them Unit keys are split across two locations LEAF (one location gets a OTP, the other gets the XOR)
LEAF: failure Session key 80 bits Other variables Unit Key Skipjack Hash algorithm To verify the LEAF, the otherClipper chip 16 bits only checks the hash Unit ID Encrypted session key Hash Clipper chips also allow you to test a LEAF locally Global family key Skipjack LEAF
LEAF: failure Session key 80 bits Other variables Unit Key Skipjack Hash algorithm 16 bits Generate a random LEAF => Unit ID Encrypted session key Hash 1/2 16 chance of a valid hash Unit ID Encrypted session key Hash Global family key Skipjack Validates at the other But law enforcement will just Clipper chip (so it will see random ID & key LEAF decrypt messages)
USEFUL TOOL: ZMAP Goal : port-scan the entire Internet in less than an hour Approaches: Non-blocking, stateless ⟹ Highly parallelizable Randomize addresses ⟹ Avoid takedown notices Datasets : Rapid7, censys.io
UNSAFE OPTIMIZATIONS TLS session ticket resumption Session ticket: session keys and other data to resume the session Server sends an “opaque” ticket (encrypted with the Session Ticket Encryption Key, STEK) Client sends the encrypted session ticket during handshake; server uses the STEK to recover it and pick up in one round-trip of communication
UNSAFE OPTIMIZATIONS Incentive to hold onto STEKs (lower RTTs) But they’re holding onto them long enough for nation-states to recover them
UNSAFE OPTIMIZATIONS Incentive to hold onto STEKs (lower RTTs) But they’re holding onto them long enough for nation-states to recover them
POOR CERTIFICATE MANAGEMENT
Heartbleed OpenSSL
Heartbleed “hi” 2 OpenSSL
Heartbleed “hi” 2 OpenSSL “hi”
Heartbleed OpenSSL
Heartbleed “hi” 22 OpenSSL
Heartbleed “hi” 22 OpenSSL “hi” + 20B from memory < 2 16
Heartbleed “hi” 22 OpenSSL “hi” + 20B from memory < 2 16 Potentially reveals user data and private keys Heartbleed exploits were undetectable
Why study Heartbleed? Akamai Discovered patched Publicly announced 03/21 04/02 04/07
Why study Heartbleed? Akamai Akamai Discovered Discovered patched patched Publicly announced Publicly announced 03/21 03/21 04/02 04/02 04/07 04/07 Every vulnerable website should have: Patched Revoked Reissued 1 2 3
Why study Heartbleed? Akamai Akamai Discovered Discovered patched patched Publicly announced Publicly announced 03/21 03/21 04/02 04/02 04/07 04/07 Every vulnerable website should have: Patched Revoked Reissued 1 2 3 Heartbleed is a natural experiment: How quickly and thoroughly do administrators act?
Dataset Rapid7 data 22M certs (~ 1 /wk for 6mos)
Dataset 2.8M certs Alexa Top- 1 M Rapid7 filter data CAs 22M certs (~ 1 /wk for 6mos) 9k certs
Dataset 2.8M certs Alexa Top- 1 M Rapid7 filter Leaf Set validate data CAs 22M certs 628k certs (~ 1 /wk for 6mos) 165k domains 9k certs
Dataset 2.8M certs Alexa Top- 1 M Rapid7 filter Leaf Set validate data CAs 22M certs 628k certs (~ 1 /wk for 6mos) 165k domains 9k certs • Download CRLs • Detect vulnerability • Identify Heartbleed-induced reissues & revocations
Dataset 2.8M certs Alexa Top- 1 M Rapid7 filter Leaf Set validate data CAs 22M certs 628k certs (~ 1 /wk for 6mos) 165k domains 9k certs • Download CRLs • Detect vulnerability • Identify Heartbleed-induced reissues & revocations
Prevalence and patch rates 0.6 Vulnerable to Heartbleed Was ever vulnerable Was ever vulnerable Fraction of Domains Still vulnerable Still vulnerable after 3 weeks 0.5 0.4 0.3 0.2 0.1 0 0 200000 400000 600000 800000 1e+06 Alexa Site Rank (bins of 1000)
Prevalence and patch rates 0.6 Vulnerable to Heartbleed Was ever vulnerable Was ever vulnerable Fraction of Domains Still vulnerable Still vulnerable after 3 weeks 0.5 0.4 0.3 0.2 0.1 0 0 200000 400000 600000 800000 1e+06 Alexa Site Rank (bins of 1000)
Prevalence and patch rates 0.6 Vulnerable to Heartbleed Was ever vulnerable Was ever vulnerable Fraction of Domains Still vulnerable Still vulnerable after 3 weeks 0.5 0.4 0.3 0.2 0.1 0 0 200000 400000 600000 800000 1e+06 Alexa Site Rank (bins of 1000) Patching rates are mostly positive Only ~7% had not patched within 3 weeks
How quickly were certs revoked? 1200 Number of Domains/Day 1000 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date
How quickly were certs revoked? 1200 Number of Domains/Day 1000 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly
How quickly were certs revoked? 1200 Number of Domains/Day 1000 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly
How quickly were certs revoked? 1200 Number of Domains/Day 1000 Weekends 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly Security takes the weekends off
Certificate update rates 3 wks 1 Frac. of Vulnerable Certs not Revoked/Reissued 0.95 Not revoked 0.9 0.85 0.8 0.75 Not reissued 0.7 0.65 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date
Certificate update rates 3 wks 1 Frac. of Vulnerable Certs not Revoked/Reissued 0.95 Not revoked 0.9 0.85 0.8 0.75 Not reissued 0.7 0.65 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date
Certificate update rates 3 wks 1 Frac. of Vulnerable Certs not Revoked/Reissued 0.95 Not revoked 0.9 0.85 0.8 0.75 Not reissued 0.7 0.65 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date
Certificate update rates 3 wks 1 Frac. of Vulnerable Certs not Revoked/Reissued 0.95 Not revoked 0.9 0.85 0.8 0.75 Not reissued 0.7 0.65 0.6 04/07 04/21 05/05 05/19 06/02 06/16 06/30 07/14 07/28 Date Similar pattern to patches: Exponential drop-off, then levels out After 3 weeks: 13% Revoked 27% Reissued
Reissue ⇒ New key? Reissued with the Same Key Fraction of New Certificates 0.6 0.5 0.4 0.3 0.2 0.1 All reissues Heartbleed-induced reissues 0 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Date of Birth
Reissue ⇒ New key? Reissued with the Same Key Fraction of New Certificates 0.6 0.5 0.4 0.3 0.2 0.1 All reissues Heartbleed-induced reissues 0 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Date of Birth
Reissue ⇒ New key? Reissued with the Same Key Fraction of New Certificates 0.6 0.5 0.4 0.3 0.2 0.1 All reissues Heartbleed-induced reissues 0 11/2013 12/2013 01/2014 02/2014 03/2014 04/2014 05/2014 Date of Birth Reissuing the same key is common practice 4.1% Heartbleed-induced
Can we wait for expiration? 1 0.8 0.6 CDF 0.4 0.2 0 0 1 2 3 4 5 6 Years of Remaining Validity
Can we wait for expiration? Vulnerable but not revoked 1 0.8 0.6 CDF 0.4 0.2 0 0 1 2 3 4 5 6 Years of Remaining Validity
Can we wait for expiration? Vulnerable but not revoked 1 0.8 0.6 CDF ~40% did not 0.4 expire after one year 0.2 0 0 1 2 3 4 5 6 Years of Remaining Validity
Can we wait for expiration? Vulnerable but not revoked 1 0.8 ~8% of vulnerable certs still unexpired 0.6 CDF ~40% did not 0.4 expire after one year 0.2 0 0 1 2 3 4 5 6 Years of Remaining Validity
Can we wait for expiration? Vulnerable but not revoked 1 0.8 ~8% of vulnerable certs still unexpired 0.6 CDF ~40% did not 0.4 expire after one year 0.2 0 0 1 2 3 4 5 6 Years of Remaining Validity We may be dealing with Heartbleed for years
Security is an economic concern Browser Website Certificate Certificate Certificate Authority
Security is an economic concern Browser Website Certificate Certificate Revoked? Certificate Authority
Security is an economic concern Browser Website Certificate Certificate Revoked? Certificate Authority Browsers face tension between security and page load times CAs face tension between security and bandwidth costs
OCSP Stapling Browser Website Certificate Certificate Certificate Authority ✗ ✗ ✗ ✗ ✗ Certificate Certificate Certificate Certificate Certificate ✗ ✗ ✗ ✗ ✗ Certificate Certificate Certificate Certificate Certificate
OCSP Stapling Browser Website Certificate Certificate ✔ Certific Certificate Authority ✗ ✗ ✗ ✗ ✗ Certificate Certificate Certificate Certificate Certificate ✗ ✗ ✗ ✗ ✗ Certificate Certificate Certificate Certificate Certificate
OCSP Stapling Browser Website Certificate Certificate ✔ Certific Certificate Authority ✗ ✗ ✗ ✗ ✗ Certificate Certificate Certificate Certificate Certificate ✗ ✗ ✗ ✗ ✗ Certificate Certificate Certificate Certificate Certificate But OCSP Stapling rarely activated by admins: Our scan: 3% of normal certs; 2% of EV certs
Testing browser behavior • Browsers should support all major protocols Revocation protocols • CRLs, OCSP , OCSP stapling • Browsers should reject certs they cannot check Availability of revocation info • E.g., because the OCSP server is down • Browsers should reject a cert if any on the chain fail Chain lengths • Leaf, intermediate(s), root
Testing browser behavior • Browsers should support all major protocols Revocation protocols • CRLs, OCSP , OCSP stapling • Browsers should reject certs they cannot check Availability of revocation info • E.g., because the OCSP server is down • Browsers should reject a cert if any on the chain fail Chain lengths • Leaf, intermediate(s), root Root … Intermediate Intermediate Leaf
Testing browser behavior • Browsers should support all major protocols Revocation protocols • CRLs, OCSP , OCSP stapling • Browsers should reject certs they cannot check Availability of revocation info • E.g., because the OCSP server is down • Browsers should reject a cert if any on the chain fail Chain lengths • Leaf, intermediate(s), root signs Root … Intermediate Intermediate Leaf
Testing browser behavior • Browsers should support all major protocols Revocation protocols • CRLs, OCSP , OCSP stapling • Browsers should reject certs they cannot check Availability of revocation info • E.g., because the OCSP server is down • Browsers should reject a cert if any on the chain fail Chain lengths • Leaf, intermediate(s), root signs Root … Intermediate Intermediate Leaf
Testing browser behavior • Browsers should support all major protocols Revocation protocols • CRLs, OCSP , OCSP stapling • Browsers should reject certs they cannot check Availability of revocation info • E.g., because the OCSP server is down • Browsers should reject a cert if any on the chain fail Chain lengths • Leaf, intermediate(s), root signs Root … Intermediate Intermediate Leaf
Recommend
More recommend
