The most dangerous code in the world: Validating SSL certificates in non-browser software

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2012, Pages 38-49

  Georgiev, Martin ^a   Iyengar, Subodh ^b   Jana, Suman ^a   Anubhai, Rishita ^b   Boneh, Dan ^b   Shmatikov, Vitaly ^a  

^a UNIVERSITY OF TEXAS AT AUSTIN   (United States)

^b STANFORD UNIVERSITY   (United States)

Author keywords

HTTPS; Public key certificates; Public key infrastructure; Security vulnerabilities; SSL; TLS

Indexed keywords

HTTPS; PUBLIC KEY CERTIFICATES; PUBLIC KEY INFRASTRUCTURE; SECURITY VULNERABILITIES; SSL; TLS;

HTTP; JAVA PROGRAMMING LANGUAGE; LIBRARIES; MIDDLEWARE; ROBOTS; WEBSITES;

SECURITY OF DATA;

EID: 84869429339     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2382196.2382204     Document Type: Conference Paper

References (23)

1. https should check CN of x509 cert. https://issues.apache.org/jira/ browse/HTTPCLIENT-613.
2. D. Brumley and D. Boneh. Remote timing attacks are practical. In USENIX Security, 2003.
3. S. Chen, Z. Mao, Y.-M. Wang, and M. Zhang. Pretty-Bad-Proxy: An overlooked adversary in browsers' HTTPS deployments. In S&P, 2009.
4. S. Chen, R. Wang, X. Wang, and K. Zhang. Side-channel leaks in Web applications: A reality today, a challenge tomorrow. In S&P, 2010.
5. Comodo report of incident. http://www.comodo.com/Comodo-Fraud-Incident- 2011-03-23.html, 2011.
6. Diginotar issues dodgy SSL certificates for Google services after break-in. http://www.theinquirer.net/inquirer/news/2105321/diginotar-issues- dodgy-ssl-certificates-google-services-break, 2011.
7. P. Eckersley and J. Burns. An observatory for the SSLiverse. In DEFCON, 2010.
8. C. Evans and C. Palmer. Certificate pinning extension for HSTS. http://www.ietf.org/mail-archive/web/websec/current/pdfnSTRd9kYcY.pdf, 2011.
9. Fiddler - Web debugging proxy. http://fiddler2.com/fiddler2/.
10. D. Kaminsky, M. Patterson, and L. Sassaman. PKI layer cake: new collision attacks against the global X.509 infrastructure. In FC, 2010.
11. Moxie Marlinspike. IE SSL vulnerability. http://www.thoughtcrime.org/ie- ssl-chain.txt, 2002.
12. Moxie Marlinspike. Null prefix attacks against SSL/TLS certificates. http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf, 2009.
13. Internet X.509 public key infrastructure certificate policy and certification practices framework. http://www.ietf.org/rfc/rfc2527.txt, 1999.
14. HTTP over TLS. http://www.ietf.org/rfc/rfc2818.txt, 2000.
15. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. http://tools.ietf.org/html/rfc5280, 2008.
16. The Secure Sockets Layer (SSL) protocol version 3.0. http://tools.ietf. org/html/rfc6101, 2011.
17. Representation and verification of domain-based application service identity within Internet public key infrastructure using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). http://tools.ietf.org/html/rfc6125, 2011.
18. M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D. Osvik, and B. Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In CRYPTO, 2009.
19. Q. Sun, D. Simon, Y.-M. Wang, W. Russell, V. Padmanabhan, and L. Qiu. Statistical identification of encrypted Web browsing traffic. In S&P, 2002.
20. CVE-2009-4831. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009- 4831, 2009.
21. J. Viega and M. Messier. Secure Programming Cookbook for C and C++. O'Reilly Media, 2007.
22. N. Vratonjic, J. Freudiger, V. Bindschaedler, and J.-P. Hubaux. The inconvenient truth about Web certificates. In WEIS, 2011.
23. R. Wang, S. Chen, X. Wang, and S. Qadeer. How to shop for free online - Security analysis of cashier-as-a-service based Web stores. In S&P, 2011.