when https meets cdn
play

When HTTPS Meets CDN A Case of Authentication in Delegated Service - PowerPoint PPT Presentation

Dec 20, 2023 •12 likes •192 views

When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., & Wu, J 2014 IEEE Symposium on Security and Privacy Web Traffic Needs Security! Goals = CIA triad Confidentiality

  1. When HTTPS Meets CDN A Case of Authentication in Delegated Service Liang, J., Jiang, J., Duan, H., Li, K., Wan, T., & Wu, J 2014 IEEE Symposium on Security and Privacy

  2. Web Traffic Needs Security! Goals = CIA triad Confidentiality Integrity Availability

  3. Web Traffic Needs Security! Goals = CIA triad HTTPS end-to-end Confidentiality Integrity Availability

  4. Web Traffic Needs Security! Goals = CIA triad Confidentiality CDN Integrity CDN Availability CDN Fast → Distribution Reliable → Firewalls, DDoS Protection

  5. When CDNs meet HTTPS HTTPS provides end-to-end security CDN services 1) Fast Availability → Distribution: End-to-many-ends 2) Reliable Availability → Protection: End-to-CDN-to-end

  6. CDN Mechanisms - URL Rewriting Main HTML on bank.com, bulk static content on cdn.com Doesn’t violate HTTPS end-to-end Doesn’t provide protection services GET: bank.com/ Update resources GET: CDN cdn.com/resources

  7. CDN Mechanisms - DNS routing bank.com resolves to IP address of CDN server 1) CNAME record that maps bank.com → bank.cdn.com 2) CDN is the authoritative Name Server (NS) for bank.com Fetch/update GET: bank.com/ content CDN

  8. Making HTTPS Work w/ DNS routing Certificate = public key + common name (CN) + signature chain Custom certificate Give CDN bank.com’s certificate + private key Increased attack surface Expensive CA revocation

  9. Making HTTPS Work w/ DNS routing Shared certificate cdn.com cert vouches for bank.com Subject Alternate Name (SAN) extension Loses bank.com cert features - i.e. EV Expensive CA revocation

  10. CDN Mechanisms in Practice Most CDNs use CNAME DNS routing 68% of certs are invalid! Custom and shared certs are popular

  11. Case study: CA Cert Revocation Create, then remove site with Incapsula CDN Incapsula quickly updates shared cert to add, then remove SAN Globalsign does not revoke old cert with old SAN Broader study of 1865 shared cert updates across 5 CDNS No old certs revoked over the course of 3 months!

  12. Case Study: Backend Connection Backend Frontend CDN GET: bank.com/ Fetch/update content Tested sites behind 5 CDNs - no valid HTTPS!

  13. Solution: Name Constraint Certificate Let bank.com issue its own certificates to CDN!

  14. Solution: Name Constraint Certificate Let bank.com issue its own certificates to CDN! Issues: 1) Improper enforcement / insecure protocol 2) High operational overhead 3) CA disincentive 4) Rare adoption

  15. Solution: DANE w/ delegation semantics DANE = DNS-based Authentication of Named Entities TLSA record that binds domain to a certificate Modification: multiple TLSA records for CDNs Insight: trust DNS (instead of cert) for domain:public-key mapping Makes revocation trivial - change DNS response (and expire caches)

  16. DANE in Practice

  17. DANE in Practice Implemented Firefox PoC Overhead - additional, large DNS request for TLSA record Potential amplification attack vector

  18. Discussion Contributions of the paper? Why were no shared certs revoked within 3 months? Whose fault? What is a better solution - Name constraint certificates or DANE? Or a third option?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

where where the the old old fronti frontier meets meets the the new fronti new frontier LFC

where where the the old old fronti frontier meets meets the the new fronti new frontier LFC

where where the the old old fronti frontier meets meets the the new fronti new frontier LFC STATUS BRIEFING JULY 13, 2011 Christine Anderson Executive Director New Mexico Spaceport Authority 1 Agenda Overview Capital Budget

682 views • 39 slides
QCD Meets Gravity 2019 Welcome! If you have any question please ask me or Cristina. QCD Meets

QCD Meets Gravity 2019 Welcome! If you have any question please ask me or Cristina. QCD Meets

QCD Meets Gravity 2019 Welcome! If you have any question please ask me or Cristina. QCD Meets Gravity 2019 5 th in the series! Each year it grows. Developments: Reformulation of GR via double copy to make progress on various topics.

437 views • 5 slides
Where eco-tourism meets business park.. Where economic opportunity meets people! Westmead

Where eco-tourism meets business park.. Where economic opportunity meets people! Westmead

Where Inner West meets Outer West.. Where eco-tourism meets business park.. Where economic opportunity meets people! Westmead Industrial Area Tshelimnyama Tshelimnyama Extension of Giba Business Estate Informal Settlement Area GIBA

489 views • 35 slides
When When When When Stewardship Stewardship Stewardship Stewardship Meets Meets

When When When When Stewardship Stewardship Stewardship Stewardship Meets Meets

When When When When Stewardship Stewardship Stewardship Stewardship Meets Meets Cultivation Cultivation Cultivation Cultivation Maureen D. Donnelly Director, Stewardship and Donor Relations, Boston University Director Association of

220 views • 19 slides
VOCABULARY FOR ENROLLMENT Block: M : Meets ts e every o oth ther d day Semester: M :

VOCABULARY FOR ENROLLMENT Block: M : Meets ts e every o oth ther d day Semester: M :

VOCABULARY FOR ENROLLMENT Block: M : Meets ts e every o oth ther d day Semester: M : Meets ts e eith ther 1 1st o t or 2 2nd s semester Year l long: M : Meets ts e enti tire y year th gra Advisory: C : Class th

469 views • 24 slides
Computer Science Principles For The Win Brook Osborne and Pat Yongpradit 1. CS P Meets the Needs

Computer Science Principles For The Win Brook Osborne and Pat Yongpradit 1. CS P Meets the Needs

Computer Science Principles For The Win Brook Osborne and Pat Yongpradit 1. CS P Meets the Needs 2. The Case for Credit 3. Go on a Treasure Hunt 4. Future: Pilots and Prep 5. Questions Agenda CS Principles Meets the Needs 1 in 10 Schools

936 views • 46 slides
https://bit.ly/3pptcRS 3 4 https://bit.ly/2UiBgWq Vase Face Face https://bit.ly/3luge2Q

https://bit.ly/3pptcRS 3 4 https://bit.ly/2UiBgWq Vase Face Face https://bit.ly/3luge2Q

https://bit.ly/3pptcRS 3 4 https://bit.ly/2UiBgWq Vase Face Face https://bit.ly/3luge2Q Young Lady Old Woman https://bit.ly/3krpGmu https://bit.ly/35qQMps Perspective An attitude toward or point of view of something Perception A

791 views • 13 slides
Notes on exact meets and joins R. N. Ball, J. Picado and A. Pultr 1 Exact meets and joins.

Notes on exact meets and joins R. N. Ball, J. Picado and A. Pultr 1 Exact meets and joins.

. Notes on exact meets and joins R. N. Ball, J. Picado and A. Pultr 1 Exact meets and joins. Recall the following operations a b = { x | x a b } and a b = { x | x a b } . An element b is the exact meet of a subset A of

665 views • 23 slides
At the crossroads where healthcare At the crossroads where healthcare meets meets education

At the crossroads where healthcare At the crossroads where healthcare meets meets education

At the crossroads where healthcare At the crossroads where healthcare meets meets education education When a healthcare futurist and an educational When a healthcare transformer and designer decide to work together an educational

239 views • 9 slides
VOCABULARY FOR ENROLLMENT Block: ck: Meets ts every ot othe her day Seme mester:

VOCABULARY FOR ENROLLMENT Block: ck: Meets ts every ot othe her day Seme mester:

VOCABULARY FOR ENROLLMENT Block: ck: Meets ts every ot othe her day Seme mester: er: Meet ets eith ther er 1st st or 2nd d semest semester er Year long: g: Meets ts entire tire year ar Advisor sory: y:

760 views • 34 slides
When In Network Processing Meets Time: When In-Network Processing Meets Time: Complexity and

When In Network Processing Meets Time: When In-Network Processing Meets Time: Complexity and

When In Network Processing Meets Time: When In-Network Processing Meets Time: Complexity and Effects of Joint Optimization in Wireless Sensor Networks Department of Computer Science Wayne State University Department of Computer Science, Wayne

617 views • 23 slides
What goes on behind that Visualisation Its more than meets the eye So what does this mean? The

What goes on behind that Visualisation Its more than meets the eye So what does this mean? The

What goes on behind that Visualisation Its more than meets the eye So what does this mean? The most eye catching or ple leasing visualisation ..gets the most attention How do we bala lance this How can we trust what we see What happens behind

454 views • 20 slides
Sensor Networks Where Theory Meets Practice Roger Wattenhofer ETH Zurich Distributed

Sensor Networks Where Theory Meets Practice Roger Wattenhofer ETH Zurich Distributed

Sensor Networks Where Theory Meets Practice Roger Wattenhofer ETH Zurich Distributed Computing www.disco.ethz.ch Theory Meets Practice SenSys OSDI HotNets Multimedia Ubicomp PODC STOC Mobicom FOCS SIGCOMM ICALP SPAA SODA EC

950 views • 67 slides
SSL, X.509, HTTPS How to configure your HTTPS server Hanno Bck, http://hboeck.de/ HTTPS

SSL, X.509, HTTPS How to configure your HTTPS server Hanno Bck, http://hboeck.de/ HTTPS

SSL, X.509, HTTPS How to configure your HTTPS server Hanno Bck, http://hboeck.de/ HTTPS It's complex Two protocols involving crypto X.509 (for the certificates) and SSL/TLS (for the data transport) Many things can go wrong

537 views • 22 slides
R meets JEdit ... yet another R editor ? Romain Fran cois Independent R Consultant

R meets JEdit ... yet another R editor ? Romain Fran cois Independent R Consultant

R meets JEdit ... yet another R editor ? Romain Fran cois Independent R Consultant francoisromain@free.fr R meets Jedit About me Romain Fran cois Experience with R Background features tour Tree Display of code Error/Warning list

282 views • 13 slides
Factorization Meets the Neighborhood: a Multifaceted Collaborative Filtering Model Yehuda Koren

Factorization Meets the Neighborhood: a Multifaceted Collaborative Filtering Model Yehuda Koren

Factorization Meets the Neighborhood: a Multifaceted Collaborative Filtering Model Yehuda Koren AT & T Labs Research 2008 Present by Hong Ge Sheng Qin Info about paper & data-set Factorization Meets the Neighborhood: a

594 views • 24 slides
Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola,

Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola,

Assertion-Carrying Certificates Waqar Aqeel, Zachary Hanif, James Larisch, Olamide Omolola, Taejoong Chung, Dave Levin, Bruce Maggs, Alan Mislove, Bryan Parno, Christo Wilson The Public Key Infrastructure is how users know with whom they

157 views • 14 slides
Intro to HTML 5, Canvas, WebGL CSCI 470: Web Science Keith Vertanen Overview History of

Intro to HTML 5, Canvas, WebGL CSCI 470: Web Science Keith Vertanen Overview History of

Intro to HTML 5, Canvas, WebGL CSCI 470: Web Science Keith Vertanen Overview History of HTML HTML5 Feature overview Browser support Creating an HTML5 page Canvas 2D 2D drawing on the client Does many things that

492 views • 22 slides
COMP9313: Big Data Management Introduction to Big Data Management What is big data? Tweeted by

COMP9313: Big Data Management Introduction to Big Data Management What is big data? Tweeted by

COMP9313: Big Data Management Introduction to Big Data Management What is big data? Tweeted by Prof. Dan Ariely, Duke University 2 What is big data? No standard definition! Wikipedia: Big data is a field that treats ways to

1.47k views • 53 slides
Large Scale Graph Analysis Erik Saule HPC Lab Biomedical Informatics The Ohio State University

Large Scale Graph Analysis Erik Saule HPC Lab Biomedical Informatics The Ohio State University

Large Scale Graph Analysis Erik Saule HPC Lab Biomedical Informatics The Ohio State University March 11, 2013 UMass Boston Ohio State University, Biomedical Informatics Large Scale Graph Analysis Erik Saule :: 1 / 43 HPC Lab

1.32k views • 74 slides
An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS

An Evaluation and Certification An Evaluation and Certification Scheme for MILS Scheme for MILS Rance DeLong* Rance DeLong* The Open Group The Open Group Layered Assurance Workshop Layered Assurance Workshop December 2010 December 2010 1

355 views • 11 slides
Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska

CSE 484 / CSE M 584: Computer Security and Privacy Crypto Meets Web Security [Finish Asymmetric Crypto; Web Certificates] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi

849 views • 25 slides
Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner

Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

848 views • 29 slides
Avoiding Useless Rules Automatically Matt Kaufmann May 29, 2020 1/8 B ACKGROUND : A CCUMULATED -

Avoiding Useless Rules Automatically Matt Kaufmann May 29, 2020 1/8 B ACKGROUND : A CCUMULATED -

Avoiding Useless Rules Automatically Matt Kaufmann May 29, 2020 1/8 B ACKGROUND : A CCUMULATED - PERSISTENCE The useless runes tool is based on accumulated-persistence. Time for a demo .... 2/8 D OCUMENTATION See :DOC useless-runes in

370 views • 20 slides

More recommend