in log we trust revealing poor security practices with
play

In Log We Trust: Revealing Poor Security Practices with Certificate - PowerPoint PPT Presentation

Oct 30, 2023 •133 likes •531 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements Oliver Gasser, Benjamin Hof, Max

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, Georg Carle Tuesday 27 th March, 2018 Passive and Active Measurement Conference 2018 Berlin, Germany Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Joint work O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 2

  3. Why should I care about CT? What is Certificate Transparency (CT) in a nutshell? • CT provides a repository of certificates to make misissuance detectable • Pushed by Google and others • RFC 6962 O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 3

  4. Why should I care about CT? What is Certificate Transparency (CT) in a nutshell? • CT provides a repository of certificates to make misissuance detectable • Pushed by Google and others • RFC 6962 Why is CT interesting for researchers? • CT offers a timeline of issued certificates • Allows to analyze current state and evolution of certificate ecosystem O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 3

  5. Why should I care about CT? What is Certificate Transparency (CT) in a nutshell? • CT provides a repository of certificates to make misissuance detectable • Pushed by Google and others • RFC 6962 Why is CT interesting for researchers? • CT offers a timeline of issued certificates • Allows to analyze current state and evolution of certificate ecosystem Why do we need measurements? • Not all certificates are in CT (yet) • Find discrepancies between certificates in CT and certificates deployed in the wild O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 3

  6. Why should I care about CT? What is Certificate Transparency (CT) in a nutshell? • CT provides a repository of certificates to make misissuance detectable • Pushed by Google and others • RFC 6962 Why is CT interesting for researchers? • CT offers a timeline of issued certificates • Allows to analyze current state and evolution of certificate ecosystem Why do we need measurements? • Not all certificates are in CT (yet) • Find discrepancies between certificates in CT and certificates deployed in the wild What if I don’t care about security at all? • Wait for the bonus slide at the end O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 3

  7. Certificate Transparency What problem is CT trying to solve? • Misissued certificates pose a threat to TLS security • Example: DigiNotar hack in 2011 resulted in unauthorized certificate issuance • Timely detection of misissued certificates is hard • Domain owner or CA might not be aware of misissuance • CA might not go public about misissuance • Idea: All CAs publish a list of issued certificates • Others can then look at those lists and detect misissued certificates O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 4

  8. Certificate Transparency What problem is CT trying to solve? • Misissued certificates pose a threat to TLS security • Example: DigiNotar hack in 2011 resulted in unauthorized certificate issuance • Timely detection of misissued certificates is hard • Domain owner or CA might not be aware of misissuance • CA might not go public about misissuance • Idea: All CAs publish a list of issued certificates • Others can then look at those lists and detect misissued certificates Involved parties in CT • Log: Public, untrusted, append-only certificate store • Monitor: Service evaluating certificates found in logs • Auditor O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 4

  9. Certificate Transparency What problem is CT trying to solve? • Misissued certificates pose a threat to TLS security • Example: DigiNotar hack in 2011 resulted in unauthorized certificate issuance • Timely detection of misissued certificates is hard • Domain owner or CA might not be aware of misissuance • CA might not go public about misissuance • Idea: All CAs publish a list of issued certificates • Others can then look at those lists and detect misissued certificates Involved parties in CT • Log: Public, untrusted, append-only certificate store → data source for this work • Monitor: Service evaluating certificates found in logs • Auditor O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 4

  10. Certificate Transparency What problem is CT trying to solve? • Misissued certificates pose a threat to TLS security • Example: DigiNotar hack in 2011 resulted in unauthorized certificate issuance • Timely detection of misissued certificates is hard • Domain owner or CA might not be aware of misissuance • CA might not go public about misissuance • Idea: All CAs publish a list of issued certificates • Others can then look at those lists and detect misissued certificates Involved parties in CT • Log: Public, untrusted, append-only certificate store → data source for this work • Monitor: Service evaluating certificates found in logs → us • Auditor O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 4

  11. Measurement methodology Active measurements • 600 M certificates downloaded from 30 CT logs • Active HTTPS scans of more than 200 M IPv4 and IPv6 hosts • Certificate Revocation List downloads resulting in 25 M entries O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 5

  12. Measurement methodology Active measurements • 600 M certificates downloaded from 30 CT logs • Active HTTPS scans of more than 200 M IPv4 and IPv6 hosts • Certificate Revocation List downloads resulting in 25 M entries Performing measurements in an ethical way • Don’t annoy other people and take away their precious time • Limit query rate • Use incremental downloads for CT logs • Use conforming packets/requests • Don’t hide your intentions • Use dedicated measurement machine • Informing rDNS name, WHOIS entry, web site explaining measurements O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 5

  13. Primary analysis goals What we wanted to find out: 1. Who are the issuers of certificates in CT logs? O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 6

  14. Primary analysis goals What we wanted to find out: 1. Who are the issuers of certificates in CT logs? 2. How secure are certificates in CT logs? O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 6

  15. Primary analysis goals What we wanted to find out: 1. Who are the issuers of certificates in CT logs? 2. How secure are certificates in CT logs? 3. How do certificates in CT logs differ from those found in the wild? O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 6

  16. Primary analysis goals What we wanted to find out: 1. Who are the issuers of certificates in CT logs? 2. How secure are certificates in CT logs? 3. How do certificates in CT logs differ from those found in the wild? 4. Do we find old and non-HTTPS certificates in CT logs? O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 6

  17. 1. Who are the issuers of certificates in CT logs? Let's Encrypt 10 8 GoDaddy Valid CT certificates at time 10 7 Geotrust 10 6 COMODO AddTrust 10 5 10 4 10 3 10 2 10 1 10 0 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 - - - - - - - - - - - - - 6 8 0 2 4 6 8 0 2 4 6 8 0 9 9 0 0 0 0 0 1 1 1 1 1 2 9 9 0 0 0 0 0 0 0 0 0 0 0 1 1 2 2 2 2 2 2 2 2 2 2 2 Time O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 7

  18. 1. Who are the issuers of certificates in CT logs? Let's Encrypt 10 8 GoDaddy Valid CT certificates at time 10 7 Geotrust 10 6 COMODO AddTrust 10 5 10 4 10 3 10 2 10 1 10 0 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 - - - - - - - - - - - - - 6 8 0 2 4 6 8 0 2 4 6 8 0 9 9 0 0 0 0 0 1 1 1 1 1 2 9 9 0 0 0 0 0 0 0 0 0 0 0 1 1 2 2 2 2 2 2 2 2 2 2 2 Time • Let’s Encrypt is the dominating issuer of CT log certificates • Certificates in logs from before standardization of CT began O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 7

  19. Insecure certificates Baseline Requirements (BRs) • Rules regarding certificates and issuing processes which CAs adhere to • Devised within the CA/Browser Forum • Each requirement has an enforcement date • Example: RSA key size ≥ 2048 bits for certificates starting 2014 O. Gasser, B. Hof, M. Helm, M. Korczynski, R. Holz, G. Carle — In Log We Trust 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How Pro-Poor is your Institution? Improve Client Outcomes with the Pro-Poor Principles,

How Pro-Poor is your Institution? Improve Client Outcomes with the Pro-Poor Principles,

How Pro-Poor is your Institution? Improve Client Outcomes with the Pro-Poor Principles, Essential Practices and Indicators 17TH MICROCREDIT SUMMIT # 17MCSumm GENERATION NEXT: INNOVATIONS IN it MICROFINANCE Session Outline I. Your Panelists

625 views • 39 slides
Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today

Security Technologies and Hierarchical Trust Security Technologies and Hierarchical Trust Today Today 1. Review/Summary of security technologies Crypto and certificates 2. Combination of techniques in SSL The basis for secure HTTP, ssh

564 views • 40 slides
is their Savior. What emerges from this prayer is above all the sense of abandonment and trust in

is their Savior. What emerges from this prayer is above all the sense of abandonment and trust in

Extracts from the Message of Pope Francis for the SECOND WORLD DAY OF THE POOR 33rd Sunday in Ordinary Time 18 November 2018 Introduction: This poor man cried, and the Lord heard him ( Ps 34:6). The words of the Psalmist become our own

229 views • 4 slides
Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services

Security best practices for Security best practices for Apache web services Apache web services Agenda Security Advisories @ Apache Issues associated with the advisory process Apache CXF advisories + lessons learned

394 views • 28 slides
Introduction Out Outline e Imagine an Ad-hoc network Introduction Security techniques

Introduction Out Outline e Imagine an Ad-hoc network Introduction Security techniques

Wireless Ad Hoc and Sensor Networks Outline Out e - Trust and Soft Security Introduction Security techniques Trust and reputation systems Generic Trust and Reputation Model Scheme Proposed models for ad hoc and sensor

161 views • 12 slides
HA T H AT H U M A N I TA R I A N A I D T R U S T HUMANIT A RI A N A I D TRUST H AT H U M

HA T H AT H U M A N I TA R I A N A I D T R U S T HUMANIT A RI A N A I D TRUST H AT H U M

HA T H AT H U M A N I TA R I A N A I D T R U S T HUMANIT A RI A N A I D TRUST H AT H U M A N I TA R I A N A I D T R U S T LIFE IN ALL ITS FULLNESS FOR NEPALS POOR AND DISADVANTAGED H AT H U M A N I TA R I A N A I D T R U S T H

801 views • 16 slides
Opening Remarks on Best Opening Remarks on Best Practices in Mentoring Practices in Mentoring

Opening Remarks on Best Opening Remarks on Best Practices in Mentoring Practices in Mentoring

PAESMEM/Stanford Workshop PAESMEM/Stanford Workshop June 21, 2004 June 21, 2004 Opening Remarks on Best Opening Remarks on Best Practices in Mentoring Practices in Mentoring Vince Poor Vince Poor (poor@princeton princeton. .edu edu) )

784 views • 9 slides
Cybersecurity R&D&I in H2 0 2 0 Martin Mhleck Trust and Security, DG Communications

Cybersecurity R&D&I in H2 0 2 0 Martin Mhleck Trust and Security, DG Communications

Cybersecurity R&D&I in H2 0 2 0 Martin Mhleck Trust and Security, DG Communications Networks, Content and Technology European Commission EU Policy Cyber Security EU Cyber Security Strategy Resilience International cybercrime

264 views • 13 slides
Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We provide a

Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We provide a

Cyber security is a National Security Priority Barack Obama Mobile Trust Telecommunications (MTT) presents Stealthphone Information Security System Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We

501 views • 21 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Security, Privacy and Trust in DOSNs: State-Of-The-Art Approaches and Open Challenges Panagiotis

Security, Privacy and Trust in DOSNs: State-Of-The-Art Approaches and Open Challenges Panagiotis

Security, Privacy and Trust in DOSNs: State-Of-The-Art Approaches and Open Challenges Panagiotis Ilia Institute of Computer Science Foundation for Research and Technology Hellas (FORTH) <pilia@ics.forth.gr> Security, Privacy and Trust

272 views • 25 slides
Rank Revealing QR factorization F. Guyomarch, D. Mezher and B. Philippe 1 Outline

Rank Revealing QR factorization F. Guyomarch, D. Mezher and B. Philippe 1 Outline

Rank Revealing QR factorization F. Guyomarch, D. Mezher and B. Philippe 1 Outline Introduction Classical Algorithms Full matrices Sparse matrices Rank-Revealing QR Conclusion CSDA 2005, Cyprus 2 Situation of the

234 views • 19 slides
The Economy is reliant on the Internet The state of Internet security is eroding quickly. Trust

The Economy is reliant on the Internet The state of Internet security is eroding quickly. Trust

The Economy is reliant on the Internet The state of Internet security is eroding quickly. Trust in online transactions is evaporating, and it will require strong security leadership for that trust to be restored. For the Internet to remain the

433 views • 29 slides
How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi,

How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi,

How to Share Best Security Practices Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE W orkshop for I nformation S ecurity for E -infrastructures 2015-10-22, Barcelona This work is licensed under the Creative Commons

492 views • 12 slides
Revealing the origin of the X-ray variability in Sco X-1 Xiaofeng Cao Huazhong Normal University

Revealing the origin of the X-ray variability in Sco X-1 Xiaofeng Cao Huazhong Normal University

Revealing the origin of the X-ray variability in Sco X-1 Xiaofeng Cao Huazhong Normal University Collaborator: Prof Wenfei Yu (Shanghai Astronomical Observatory) Outline X-ray Variability in NS LMXBs Revealing the origin of the

392 views • 13 slides
Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches, Fixes, Revisions Antivirus Software Post-Install Security Checklist: Windows/UNIX File System Security Issues Chapter 10 User

361 views • 8 slides
Page 1 Inverse Problems - Examples Inverse Problems - Theory inverse problem

Page 1 Inverse Problems - Examples Inverse Problems - Theory inverse problem

Outline Theory example 1D deconvolution Fourier method Algebraic method Inverse Problems discretization matrix properties regularization solution methods Ivo Ihrke Computed Tomography (CT) Radon

304 views • 12 slides
High Risk Emergency Medicine Controversies in Trauma Rachael Callcut, MD, MSPH Robert Rodriguez, MD

High Risk Emergency Medicine Controversies in Trauma Rachael Callcut, MD, MSPH Robert Rodriguez, MD

High Risk Emergency Medicine Controversies in Trauma Rachael Callcut, MD, MSPH Robert Rodriguez, MD David Thompson, MD, MPH No relevant financial relationships to disclose Topics: Pan CT scan based on mechanism of injury Use of

331 views • 17 slides
CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL Injections Next month: XSS / CSRF Meetup Group for times/dates Plan of Attack History of SQL Basic Injections Protections

890 views • 58 slides
An Auto-Encoder Strategy for Adaptive Image Segmentation Evan M. Yu, Juan Eugenio Iglesias,

An Auto-Encoder Strategy for Adaptive Image Segmentation Evan M. Yu, Juan Eugenio Iglesias,

An Auto-Encoder Strategy for Adaptive Image Segmentation Evan M. Yu, Juan Eugenio Iglesias, Adrian V. Dalca, Mert R. Sabuncu Challenge Annotations costs time, money and requires expertise Weeks to manually label a dataset Growing

608 views • 15 slides
NOvA Target Downstream Be Window Yun He TSD Topical Meeting January 11, 2018 Outline

NOvA Target Downstream Be Window Yun He TSD Topical Meeting January 11, 2018 Outline

NOvA Target Downstream Be Window Yun He TSD Topical Meeting January 11, 2018 Outline Motivation for new design / analysis / testing Be window design FEA model, material properties, thermal loads, cooling conditions Temperature

677 views • 23 slides
Comparative protein structure modeling of genes and genomes Marc A. Marti-Renom Department of

Comparative protein structure modeling of genes and genomes Marc A. Marti-Renom Department of

Comparative protein structure modeling of genes and genomes Marc A. Marti-Renom Department of Biopharmaceutical Sciences University of California, San Francisco Comparative protein structure modeling of genes and genomes Marc A.

848 views • 63 slides
String Reconstruction Problems in Multiomics Data Analysis Olgica Milenkovic Joint work with Ryan

String Reconstruction Problems in Multiomics Data Analysis Olgica Milenkovic Joint work with Ryan

Multiomics Data and String Reconstruction Substrings Subsequences Substring Composition THANK YOU! String Reconstruction Problems in Multiomics Data Analysis Olgica Milenkovic Joint work with Ryan Gabrys University of Illinois,

1.76k views • 165 slides
Overview Background: Overview Shift over last 10-15 years Background Four gland

Overview Background: Overview Shift over last 10-15 years Background Four gland

11/8/2014 LOCALIZATION STUDIES FOR Disclosures: none PRIMARY HYPERPARATHYROIDISM Marika Russell, MD, FACS Assistant Professor UCSF Otolaryngology-Head and Neck Surgery Overview Background: Overview Shift over last 10-15 years

400 views • 13 slides

More recommend