internet ssl survey 2010 black hat usa 2010 black hat usa
play

Internet SSL Survey 2010 Black Hat USA 2010 Black Hat USA 2010 I - PowerPoint PPT Presentation

Feb 12, 2024 •273 likes •705 views

Internet SSL Survey 2010 Black Hat USA 2010 Black Hat USA 2010 I Ivan Ristic Ri ti Director of Engineering, Web Application Firewall and SSL iristic@qualys.com / @ivanristic July 19 th , 2010 (v1.0) h Agenda 1. Why do we care about SSL?

  1. Internet SSL Survey 2010 Black Hat USA 2010 Black Hat USA 2010 I Ivan Ristic Ri ti Director of Engineering, Web Application Firewall and SSL iristic@qualys.com / @ivanristic July 19 th , 2010 (v1.0) h

  2. Agenda 1. Why do we care about SSL? 1. Why do we care about SSL? 2. Our SSL assessment engine 3. How does one find SSL-enabled H d fi d SSL bl d 3 servers to study? 4. Findings of our large-scale study of Fi di f l l t d f SSL servers on the Internet 5. Conclusions and future direction

  3. Why do we care about SSL? Internet SSL Survey 2010 Part I

  4. SSL Labs SSL Labs: � A non-commercial security research effort focused on SSL, TLS, and friends d f i d Projects: � Assessment tool � SSL Rating Guide � Passive SSL client fingerprinting tool � SSL Threat Model � SSL Survey

  5. SSL Threat Fail Model How can SSL fail? � In about a million and one different ways, actually. Principal issues: � Implementation flaws � MITM � Usability issues � Impedance mismatch � Deployment mistakes � PKI trust challenges

  6. SSL Rating Guide What is the purpose of the guide? � Sum up a server’s SSL configuration, and explain how scores are assigned � Make it possible for non experts to � Make it possible for non-experts to understand how serious flaws are � Enable us to quickly say if one server is better configured than another is better configured than another � Give configuration guidance

  7. SSL Rating Guide (Not) And what is NOT the purpose of the guide? � The scores are not supposed to be a perfect representation of configuration p p g “quality” � We don’t know what “secure” means to you y � Besides, security has many enemies: � Cost � Performance � Performance � Interoperability

  8. SSL Assessment Engine Internet SSL Survey 2010 Part II

  9. Online SSL assessment overview Main features: � Free online SSL test � Comprehensive, yet easy on CPU � Results easy to understand What we analyze: y � Configuration � Certificate chain � Protocol and cipher p suite support � Enabled Features � Weaknesses

  10. SSL assessment details Highlights: � Renegotiation vulnerability � Cipher suite preference � TLS version intolerance TLS version intolerance � Session resumption � Firefox 3.6 trust base base Every assessment consists of about: � 2000 packets � 2000 packets � 200 connections � 250 KB data

  11. Assessment Challenges Comprehensive assessments are difficult: � A naïve approach is to open a connection per cipher suite. But it doesn’t scale. � We went to packet level, using partial connections ( with as little crypto as possible ) to extract the information we needed. Almost no CPU used! � Not reliable with multiple servers behind one IP address Other issues: � Complicated topic – so many RFCs and other documents to read before you Complicated topic so many RFCs and other documents to read before you can begin to grasp the problem. It took us ages to just assemble the list of known cipher suites. � Poor programming documentation ; SSL toolkits generally p g g g y designed to connect (or not), but not for diagnostics. � Feature coverage – toolkits cover only a part of what the protocols can do. � Bugs, edge cases, and interoperability issues . g g y

  12. Finding Servers to Scan Internet SSL Survey 2010 Part III

  13. Finding servers to assess We have the assessment engine sizzling, but how do we find servers to assess? � Scan all IPv4 space � Crawl the Internet � Start with domain registrations � Use a browser toolbar � Wait for SSL Labs to become popular, recording all site names in the meantime p p , g Are we looking for domain names, servers, or certificates? � TLS SNI allows multiple certificates per IP address � One domain name may have many servers / IP addresses � One domain name may have many servers / IP addresses � There may be many servers behind one IP address � The same certificate (esp. a wildcard one) can be used with many servers

  14. Our approach: domain enumeration How many domain names and certificates are there? � 193M domain name registrations in total (VeriSign) � 207M sites (Netcraft) � 1.2M valid SSL certificates (Netcraft) ( ) Main data set: domain name registrations � All .com, .net, .org, .biz, .us, and .info domain names � 119M d 119M domain names (57% of the total) i (57% f th t t l) Bonus data sets: � Alexa’s top 1m popular sites � Collect the names in the certificates we find

  15. First pass: lightweight scan The purpose of the first-pass lightweight scan is to locate the servers we need to examine in depth: � Those are servers with certificates whose names match the domain names on which they reside. � Someone made an effort to match the names, therefore the intent is there! How did we do that? How did we do that? � Single server with 4 GB RAM (not a particularly powerful one) � DNS resolution + few packets to probe ports 80 and 443 // Yes, HTTP servers only � � Naturally incomplete SSL handshakes Naturally, incomplete SSL handshakes � 2,000 concurrent threads � Resulted in roughly 1,000 probes per second; fast enough � � A day and a half for the entire scan A day and a half for the entire scan

  16. Active domain names Out of 119m domain names: DNS DNS � failure 12.4M (10.37%) 10.37% failed to resolve No � 14.6M (12.28%) response response failed to respond 12.28% � 92M (77.35%) seemed active Active domains domains Active means to respond 77.35% on port 80 or port 443

  17. Port 80 and 443 activity analysis Includes 18,222 SSH responses; 91.65M 91 65M the rest is mostly plaintext HTTP (99.35%) Includes 6,320 SSLv2-only responses Other 11.02 SSL 33.69M 32.73% 22.65 (36 52%) (36.52%) 67 27% 67.27% Port 80 Port 443 Protocols on port 443 Domain responses on (in millions) (in millions) ports 80 and 443 ports 80 and 443

  18. ~720,000 potentially valid SSL certificates Name match 0.72 Name match 3.17% 0.12 27.86% No match 0.30 No match 72.14% 21.93 96.83% Out of 22.65M domain Alexa’s Top 1M domain names names with SSL enabled

  19. 22m invalid certificates! Really!? Why so many invalid responses? � Virtual web hosting hugely popular Name match 0.72 � 119m domain names represented by 3.17% about 5.3m IP addresses � 22.65m domain names with SSL represented by about 2m IP addresses � Virtual SSL web hosting practically � Virtual SSL web hosting practically impossible – the majority of browsers do not support the TLS SNI No match extension. 21.93 96.83% We don’t know if a site uses SSL, and end up seeing something else Out of 22.65M domain because most don’t names with SSL enabled

  20. The end result… Let’s now try to get as many entries as possible � Add all we have together: � 720,000 certificates from the domain name registration data set � 120 000 certificates from the Top 1m data set 120,000 certificates from the Top 1m data set � About new 100,000 domains found in certificate names � Remove duplicates: NL � Unique IP address � Unique IP address FR AU � Unique domain name CA � Unique certificate DE GB � We ended up with 867,361 entries JP US Unknow � Probably 25-50% of all commercial certs n y 0 50 100 150 200 250 Th d

  21. Internet SSL Survey 2010 Survey Results Part IV

  22. How many certs failed validation and why? 32 642 (3 76%) have 32,642 (3.76%) have Remember that Remember that incomplete chains the methodology 136,534 excluded hostname mismatch problems Not trusted 239,007 96,321 27.56% Trusted 607,589 , 56,864 , 70.05% 20,765 Not trusted suspicious 1,072 903 20,765 2.39% Expired Self-signed Unknown Invalid Revoked Bad CN CA signature Trusted versus untrusted Interoperability Validation failures issues with JSSE? certificates

  23. Certificate validity and expiry distribution Certificate period of validity (trusted certificates only) 300000 200000 100000 Expired and other problems 52,190 (38%) 0 0 12 24 36 48 60 72 84 96 Expired certificates over time E i d tifi t ti (certificates without other problems only) 10000 Expired only 83,925 (62%) 8000 6000 4000 How many certificates are 2000 only expired, and how many have other problems too? 0 0 0 12 12 24 24 36 36 48 48 60 60 72 72 84 84 96 96

  24. Unknown issuers We saw 56,864 unknown issuers � Great majority of issuers seen only once � 22 seen in more than 100 certificates � Manually verified those 22 y � Found 4 that one could argue are legitimate, but are not trusted by Mozilla (yet) ( http://www.mozilla.org/projects/security/certs/pending/ ) I Issuer S Seen certificates tifi t Firstserver Encryption Services 9486 CAcert 6117 ipsCA 462 Trusted in other major browsers KISA Root CA 162

  25. Trusted issuers and chain length We saw 429 ultimately-trusted certificate issuers Not seen seen 77 � They led to 78 trust anchors 49.68 % � That’s only 50% of our trust base , which has Seen 78 155 trust anchors 50.32 % % 155 trusted CA certificates (from Firefox 3.6.0) ( ) Web server Intermediate Trusted root certificate certificate certificate Chain length Certificates seen Recomm (optional) 2 270,779 mended length 3 334,248 4 2368 This path is 2 levels deep in 44% of cases, 5 186 6 8 and 3 levels deep in 55% of cases. p

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Relativistic Red-Black Trees Philip Howard 4/28/2010 pwh@cecs.pdx.edu 4/27/2010 1 Red-Black

Relativistic Red-Black Trees Philip Howard 4/28/2010 pwh@cecs.pdx.edu 4/27/2010 1 Red-Black

Relativistic Red-Black Trees Philip Howard 4/28/2010 pwh@cecs.pdx.edu 4/27/2010 1 Red-Black Trees Root Property : The root is black External Property : Every external node is black Internal Property : The children of red nodes

734 views • 38 slides
Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 |

Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 |

Internet Explorer turns your personal computer into a public File Server Black Hat DC 2010 | Jorge Luis Alvarez Medina 1 Jorge Luis Alvarez Medina | CORE Security Technologies | February 2010 Outline Attack results Internet Explorer

609 views • 38 slides
The Risk you carry in your Pocket Nils Black Hat Abu Dhabi 2010 MWR InfoSecurity Who Am I?

The Risk you carry in your Pocket Nils Black Hat Abu Dhabi 2010 MWR InfoSecurity Who Am I?

The Risk you carry in your Pocket Nils Black Hat Abu Dhabi 2010 MWR InfoSecurity Who Am I? Head of Research @ MWR Exploiting stuff before Microsoft, Google, Adobe, IBM, Mozilla, Sun, Linux, Apple Pwn2Own Winner 2009

1.09k views • 64 slides
Group Research Relativistic Motions around a Black Hole 2010 KIAS-SNU Physics Winter Camp Date :

Group Research Relativistic Motions around a Black Hole 2010 KIAS-SNU Physics Winter Camp Date :

Group Research Relativistic Motions around a Black Hole 2010 KIAS-SNU Physics Winter Camp Date : February 7, 2010 Talk : , , , , , Table What is space-time ? How a particle moves? -

756 views • 26 slides
Low-frequency variability in X-ray binaries Tomaso Belloni (INAF-Osservatorio Astronomico di

Low-frequency variability in X-ray binaries Tomaso Belloni (INAF-Osservatorio Astronomico di

Black Hole Universe Low-frequency variability in X-ray binaries Tomaso Belloni (INAF-Osservatorio Astronomico di Brera) Black-Hole Variability 2010 Southampton - 20/21 May 2010 Monday, May 31, 2010 What we will cover A historical

1.04k views • 32 slides
Stuck: Contextualizing the U.S. HIV epidemic among black MSM Greg Millett amfAR April 2,

Stuck: Contextualizing the U.S. HIV epidemic among black MSM Greg Millett amfAR April 2,

Stuck: Contextualizing the U.S. HIV epidemic among black MSM Greg Millett amfAR April 2, 2015 New HIV Infections, 2010 2008-2010 Women: 21% decrease MSM: 12% increase Young MSM: 22% increase Lifetime Risk of HIV Diagnosis

617 views • 40 slides
A Black-Box Discrete Optimization Benchmarking (BB-DOB) Pipeline Survey: Taxonomy, Evaluation,

A Black-Box Discrete Optimization Benchmarking (BB-DOB) Pipeline Survey: Taxonomy, Evaluation,

A Black-Box Discrete Optimization Benchmarking (BB-DOB) Pipeline Survey: Taxonomy, Evaluation, and Ranking GECCO 18: Genetic and Evolutionary Computation Conference Kyoto, Japan, July 1519, 2018 Session : Black Box Discrete Optimization

472 views • 33 slides
Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010 https://www.isecpartners.com Agenda Conclusion What is Hadoop Old School Hadoop Risks The New Approach to Security Concerns

300 views • 29 slides
Oswegatchie- -Black Stream Survey Black Stream Survey Oswegatchie 2003- -2005 2005 2003

Oswegatchie- -Black Stream Survey Black Stream Survey Oswegatchie 2003- -2005 2005 2003

Oswegatchie- -Black Stream Survey Black Stream Survey Oswegatchie 2003- -2005 2005 2003 Assessments of Adirondack Surface Water Chemistry Primary focus on lakes since 1980s. Primary focus on lakes since 1980s. Lakes serve as the

435 views • 29 slides
Parallelizing a Black-Scholes Solver based on Finite Elements and Sparse Grids PDCoF @ IPDPS 2010

Parallelizing a Black-Scholes Solver based on Finite Elements and Sparse Grids PDCoF @ IPDPS 2010

Scientific Computing in Computer Science, Technische Universit at M unchen Parallelizing a Black-Scholes Solver based on Finite Elements and Sparse Grids PDCoF @ IPDPS 2010 Hans-Joachim Bungartz, Alexander Heinecke, Dirk Pfl uger , and

336 views • 18 slides
Black Holes at Accelerators: Problems and Perspectives Savina Maria, JINR, Dubna International

Black Holes at Accelerators: Problems and Perspectives Savina Maria, JINR, Dubna International

Black Holes at Accelerators: Problems and Perspectives Savina Maria, JINR, Dubna International Workshop "Bogoliubov readings", Dubna, 22 September 2010 1 1 Black Hole formation in TeV- Black Hole formation in TeV -scale gravity

883 views • 36 slides
Payload Already Inside: Data re-use for ROP Exploits Long Le longld@vnsecurity.net Black Hat

Payload Already Inside: Data re-use for ROP Exploits Long Le longld@vnsecurity.net Black Hat

Payload Already Inside: Data re-use for ROP Exploits Long Le longld@vnsecurity.net Black Hat USA Briefing 2010 About Me VNSECURITY founding member Capture-The-Flag player CLGT Team BH USA 2010 Payload already inside: data reuse

707 views • 44 slides
iPhone Privacy Nicolas Seriot Black Hat DC 2010 Arlington, Virginia, USA http://seriot.ch

iPhone Privacy Nicolas Seriot Black Hat DC 2010 Arlington, Virginia, USA http://seriot.ch

iPhone Privacy Nicolas Seriot Black Hat DC 2010 Arlington, Virginia, USA http://seriot.ch Twitter @nst021 Who am I? Nicolas Seriot , Switzerland HES Software Engineer Cocoa developer and iPhone programming trainer at Sen:te

978 views • 67 slides
Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II. The First Law of Black Hole Mechanics and Black Hole Entropy III. Dynamic and Thermodynamic Stability of Black Holes IV. Quantum Aspects of Black

1.74k views • 116 slides
Discovering Path MTU black holes in the Internet using RIPE Atlas Maikel de Boer Jeffrey Bosma

Discovering Path MTU black holes in the Internet using RIPE Atlas Maikel de Boer Jeffrey Bosma

Discovering Path MTU black holes in the Internet using RIPE Atlas Maikel de Boer Jeffrey Bosma 5 July 2012 Introduction Black holes A sphere of influence into which or from which communication or similar activity is precluded. ~

761 views • 31 slides
Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Introduction : black hole issues and entropy counting The fuzzball proposal Constructing three-charge supersymmetric solutions Non-BPS extremal black holes Conclusion and perspectives Constructing black holes and black hole microstates String

1.37k views • 95 slides
Housing Housing Counseli Counseling ng and and Other Oth er HUD HUD Pr Prog ograms ams

Housing Housing Counseli Counseling ng and and Other Oth er HUD HUD Pr Prog ograms ams

Housing Housing Counseli Counseling ng and and Other Oth er HUD HUD Pr Prog ograms ams Audio is only available by conference call Please call: (800) 260-0718 Participant Access Code: 450838 to join the conference call portion of the

629 views • 50 slides
Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid

Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid

Who do you Trust? The roles of certificates, certification authorities and the IGTF in Grid Computing T h e A m e r i c a s G r i d Policy Management Authority Prof. Vinod Rebello Instituto de Computao Universidade F ederal F

768 views • 18 slides
Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)

Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)

Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS) d.w.chadwick@salford.ac.uk The Problem PKI clients cannot search for specific X.509 attributes stored in LDAP directories, e.g. Find the encryption PKC for

667 views • 23 slides
Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal Signature Scheme, Cryptography in Practice: Random Number Odds and Ends on Public Key Crypto 2 Generation, Key Management Cryptography in Real Life 3

367 views • 14 slides
Academia Sinica Grid Computing Certification Authority (ASGCCA) C.C.Chang Academia Sinica

Academia Sinica Grid Computing Certification Authority (ASGCCA) C.C.Chang Academia Sinica

Academia Sinica Grid Computing Certification Authority (ASGCCA) C.C.Chang Academia Sinica Computing Centre Outline Introduction to ASGCC / ASGCCA Procedural Security Physical Security Technical Security Contact

214 views • 20 slides
Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements

Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements

Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements The users want to be able to communicate securely Three fundamental concepts (more on the following slides): Privacy - only invited to understand

484 views • 35 slides
Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University

Network Security: Public Key Infrastructure Guevara Noubir Northeastern University noubir@ccs.neu.edu Network Security Slides adapted from Radia Perlmans slides Key Distribution - Secret Keys What if there are millions of users and

624 views • 14 slides
Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is

Best Practices in LDAP Security Andrew Findlay Skills 1st Ltd October 2011 What is "Security"? ISO/IEC 27000:2009 Information Security is... Confidentiality Integrity Availability And some other things Controls

236 views • 20 slides

More recommend