SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2013, Pages 511-525

  Clark, Jeremy ^a   Van Oorschot, Paul C ^a  

^a CARLETON UNIVERSITY   (Canada)

Author keywords

browser trust model; certificates; SSL; usability

Indexed keywords

CERTIFICATE AUTHORITY; CERTIFICATES; COMPARATIVE EVALUATIONS; SECURE COMMUNICATIONS; SECURITY ISSUES; SSL; TRUST MODELS; USABILITY;

SECURITY OF DATA;

HTTP;

EID: 84881218966     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2013.41     Document Type: Conference Paper

References (112)

1. RFC 5746: Transport layer security (TLS) renegotiation indication extension, 2010.
2. RFC 6066: Transport layer security (TLS) extensions: Extension definitions, 2011.
3. RFC 6698: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA, 2012.
4. Internet-Draft: Storing service security requirements in the domain name system, 2006.
5. Internet-Draft: Maximum version TLS cipher suites, 2011.
6. Internet-Draft: Certificate transparency, 2012.
7. Internet-Draft: DNS certification authority authorization (CAA) resource record, 2012.
8. Internet-Draft: HTTP strict transport security (HSTS), 2012.
9. Internet-Draft: OmniBroker protocol, 2012.
10. Internet-Draft: Public key pinning extension for HTTP, 2012.
11. Internet-Draft: Sovereign key cryptography for internet domains, 2012.
12. Internet-Draft: Trust assertions for certificate keys (TACK), 2012.
13. O. Aciiçmez, W. Schindler, and Ç. K. Koç. Improving Brumley and Boneh timing attack on unprotected SSL implementations. In CCS, 2005.
14. A. Adelsbach, S. Gajek, and J. Schwenk. Visual spoofing of SSL protected web sites and effective countermeasures. In ISPEC, 2005.
15. D. Ahmad. Two years of broken crypto. IEEE Security and Privacy, 6(5), 2008.
16. N. J. AlFardan and K. G. Paterson. Lucky thirteen: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013.
17. M. Alicherry and A. D. Keromytis. Doublecheck: Multi-path verification against man-in-the-middle attacks. In ISCC, 2009.
18. B. Amann, M. Vallentin, S. Hall, and R. Sommer. Revisiting SSL: A large-scale study of the internet's most trusted protocol. Technical report, ICSI, 2012.
19. C. Amrutkar, P. Traynor, and P. van Oorschot. Measuring SSL indicators on mobile browsers: Extended life or end of the road? In ISC, 2012.
20. G. Bard. The vulnerability of SSL to chosen-plaintext attack. Technical Report 2004/111, IACR ePrint, 2004.
21. G. V. Bard. A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In SECRYPT, 2006.
22. E. Barker and A. Roginsky. Transitions: Recommendation for transitioning the use of cryptographic algorithms and key lengths. Special Publication 800-131A, NIST, 2011.
23. M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In FOCS, 1997.
24. L. Bello and M. Bertachhini. Predictable PRNG in the vulnerable Debian OpenSSL package: the what and the how. In DEFCON 16, 2008.
25. S. M. Bellovin and E. Rescorla. Deploying a new hash algorithm. In NDSS, 2006.
26. K. Bhargavan, C. Fournet, R. Corin, and E. Zalinescu. Cryptographically verified implementations for TLS. In CCS, 2008.
27. D. Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In CRYPTO, 1998.
28. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano. The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In IEEE Symp. Security & Privacy, 2012.
29. B. B. Brumley and N. Tuveri. Remote timing attacks are still practical. In ESORICS, 2011.
30. D. Brumley and D. Boneh. Remote timing attacks are practical. In USENIX Security, 2003.
31. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password interception in a SSL/TSL channel. In CRYPTO, 2003.
32. J. Clark and P. C. van Oorschot. SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. http://www.scs.carleton.ca/research/tech-reports/index.php?abstract=TR-13-01, Carleton University, 2013.
33. I. Dacosta, M. Ahamad, and P. Traynor. Trust no one else: Detecting MITM attacks against SSL/TLS without third-parties. In ESORICS, 2012.
34. R. Dhamija and J. Tygar. The battle against phishing: Dynamic security skins. In SOUPS, 2005.
35. R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In CHI, 2006.
36. M. Dietz, A. Czeskis, D. Balfanz, and D. S. Wallach. Origin-bound certificates: A fresh approach to strong client authentication for the web. In USENIX Security, 2012.
37. H. Dobbertin. Crytanalysis of MD5 compress. In EUROCRYPT (Rump Session Talk), 1996.
38. T. Duong and J. Rizzo. Here come the ⊕ ninjas. In Ekoparty, 2011.
39. P. Eckersley and J. Burns. Is the SSLiverse a safe place? In Chaos Communication Congress, 2010.
40. Y. Elley, A. Anderson, S. Hanna, S. Mullan, R. Perlman, and S. Proctor. Building certification paths: Forward vs. reverse. In NDSS, 2001.
41. C. Ellison. Ceremony design and analysis. Technical Report 2007/399, IACR ePrint, 2007.
42. S. Fahl, M. Harbach, T. Muders, L. Baumgartner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In CCS, 2012.
43. A. P. Felt and D. Wagner. Phishing on mobile devices. In USEC, 2007.
44. E. Felten, D. Balfanz, D. Dean, and D. S. Wallach. Web spoofing: An internet con game. In NISSC, 1997.
45. B. Fox and B. LaMacchia. Certificate revocation: Mechanics and meaning. In Financial Cryptography, 1997.
46. B. Friedman, D. Hurley, D. C. Howe, E. Felten, and H. Nissenbaum. Users' conceptions of web security: A comparative study (short talk). In CHI, 2002.
47. S. Gajek, M. Manulis, O. Pereira, A.-R. Sadeghi, and J. Schwenk. Universally composable security analysis of TLS. In ProvSec, 2008.
48. S. Gajek, M. Manulis, A.-R. Sadeghi, and J. Schwenk. Provably secure browser-based user-aware mutual authentication over TLS. In ASIACCS, 2008.
49. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, V. Shmatikov, and D. Boneh. The most dangerous code in the world: validating SSL certificates in non-browser software. In CCS, 2012.
50. F. Giesen, F. Kohlar, and D. Stebila. On the security of TLS renegotiation. Technical Report 2012/630, IACR ePrint, 2012.
51. I. Goldberg and D. Wagner. Randomness and the Netscape browser. Dr. Dobb's Journal, 1996.
52. C. He, M. Sundararajan, A. Datta, A. Derek, and J. C. Mitchell. A modular correctness proof of IEEE 802.11i and TLS. In CCS, 2005.
53. N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In USENIX Security, 2012.
54. R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL landscape: A thorough analysis of the X.509 PKI using active and passive measurements. In IMC, 2011.
55. C. Jackson and A. Barth. Beware of finer-grained origins. In W2SP, 2008.
56. C. Jackson and A. Barth. ForceHTTPS: Protecting high-security web sites from network attacks. In WWW, 2008.
57. C. Jackson, D. R. Simon, D. S. Tan, and A. Barth. An evaluation of extended validation and picture-in-picture phishing attacks. In USEC, 2007.
58. T. Jager, F. Kohlar, S. Schäge, and J. Schwenk. On the security of TLS-DHE in the standard model. In CRYPTO, 2012.
59. J. Jarmoc. SSL/TLS interception proxies and transitive trust. In Black Hat Europe, 2012.
60. J. Jonsson and B. S. Kaliski Jr. On the security of RSA encryption in TLS. In CRYPTO, 2002.
61. D. Kaminsky. Black Ops 2008: it's the end of the cache as we know it. In Black Hat USA, 2008.
62. D. Kaminsky, M. L. Patterson, and L. Sassaman. PKI layer cake: New collision attacks against the global X.509 infrastructure. In Financial Cryptography, 2010.
63. C. Karlof, J. Tygar, and D. Wagner. Conditioned-safe ceremonies and a user study of an appplication to web authentication. In NDSS, 2009.
64. J. Kelsey. Compression and information leakage of plaintext. In FSE, 2002.
65. H. Krawczyk. The order of encryption and authentication for protecting communications (or: how secure is SSL?). In CRYPTO, 2001.
66. H. Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In CRYPTO, 2010.
67. A. Langley. Beyond the basics of HTTPS serving. USENIX ;Login:,Dec 2011.
68. H. K. Lee, T. Malkin, and E. Nahum. Cryptographic strength of SSL/TLS servers: Current and recent practices. In IMC, 2007.
69. S. Lefranc and D. Naccache. Cut-&-paste attacks with JAVA. In ICISC, 2002.
70. A. K. Lenstra, J. P. Hughes, M. Augier, J. W. Bos, T. Kleinjung, and C. Wachter. Public keys. In CRYPTO, 2012.
71. M. Marlinspike. More tricks for defeating SSL in practice. In DEFCON 17, 2009.
72. M. Marlinspike. New tricks for defeating SSL in practice. In Black Hat DC, 2009.
73. M. Marlinspike. SSL and the future of authenticity. In Black Hat USA, 2011.
74. N. Mavrogiannopoulos, F. Vercauteren, V. Velichkov, and B. Preneel. A cross-protocol attack on the TLS protocol. In CCS, 2012.
75. J. C. Mitchell, V. Shmatikov, and U. Stern. Finite-state analysis of SSL 3.0. In USENIX Security, 1998.
76. P. Morrissey, N. P. Smart, and B. Warinschi. A modular security analysis of the TLS handshake protocol. In ASIACRYPT, 2008.
77. M. Myers. Revocation: Options and challenges. In Financial Cryptography, 1998.
78. R. Oppliger, R. Hauser, and D. Basin. SSL/TLS session-aware user authentication. Computer Communications, 29(12), 2006.
79. A. Ornaghi and M. Valleri. Man in the middle attacks: demos. In Black Hat USA, 2003.
80. A. Ozment, S. E. Schecter, and R. Dhamija. Web sites should not need to rely on users to secure communications. In W3C Workshop on Usability and Transparency of Web Authentication, 2006.
81. B. Parno, C. Kuo, and A. Perrig. Phoolproof phishing prevention. In Financial Cryptography, 2006.
82. L. C. Paulson. Inductive analysis of the internet protocol TLS. ACM TISSEC, 1999.
83. K. Radke, C. Boyd, J. G. Nieto, and M. Brereton. Ceremony analysis: Strengths and weaknesses. In IFIP SEC, 2011.
84. E. Rescorla. SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, 2001.
85. E. Rescorla. Stone knives and bear skins: Why does the internet still run on pre-historic cryptography? In INDOCRYPT (Invited talk), 2006.
86. I. Ristic. Internet SSL survey 2010. In Black Hat USA, 2010.
87. I. Ristic and M. Small. A study of what really breaks SSL. In Hack in the Box, 2011.
88. R. Rivest. Can we eliminate certificate revocation lists? In Financial Cryptography, 1998.
89. J. Rizzo and T. Duong. The crime attack. In Ekoparty, 2012.
90. S. E. Schecter, R. Dhamija, A. Ozment, and I. Fischer. The emperor's new security indicators: An evaluation of website authentication and the effect of role playing on usability studies. In IEEE Symposium on Security and Privacy, 2007.
91. D. Shin and R. Lopes. An empirical study of visual security cues to prevent the SSLstripping attack. In ACSAC, 2011.
92. J. Sobey, R. Biddle, P. van Oorschot, and A. S. Patrick. Exploring user reactions to new browser cues for extended validation certificates. In ESORICS, 2008.
93. C. Soghoian and S. Stamm. Certified lies: Detecting and defeating government interception attacks against SSL. In Financial Cryptography, 2011.
94. S. Son and V. Shmatikov. The hitchhiker's guide to DNS cache poisoning. In SECURECOMM, 2010.
95. A. Sotirakopoulos, K. Hawkey, and K. Beznosov. On the challenges in usable security lab studies: Lessons learned from replicating a study on SSL warnings. In SOUPS, 2011.
96. A. Sotirov and M. Zusman. Breaking the security myths of extended validation SSL certificates. In Black Hat USA, 2009.
97. D. Stebila. Reinforcing bad behaviour: the misuse of security indicators on popular websites. In OZCHI, 2010.
98. M. Stevens, A. Lenstra, and B. de Weger. Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In EUROCRYPT, 2007.
99. M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In CRYPTO, 2009.
100. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying wolf: An empirical study of SSL warning effectiveness. In USENIX Security, 2009.
101. E. Topalovic, B. Saeta, L.-S. Huang, C. Jackson, and D. Boneh. Toward short-lived certificates. In W2SP, 2012.
102. P. C. van Oorschot and M. J. Wiener. Parallel collision search with cryptanalytic applications. J. Cryptology, 12:1-28, 1999.
103. S. Vaudenay. Security flaws induced by CBC padding: applications to SSL, IPSEC, WTLS, . . . . In EUROCRYPT, 2002.
104. N. Vratonjic, J. Freudiger, V. Bindschaedler, and J.-P. Hubaux. The inconvenient truth about web certificates. In WEIS, 2011.
105. D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In USENIX Workshop on Electronic Commerce, 1996.
106. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In USENIX Security, 2009.
107. D. Wendlandt, D. G. Andersen, and A. Perrig. Perspectives: Improving SSH-style host authentication with multi-path probing. In USENIX Annual Tech, 2008.
108. T. Whalen and K. M. Inkpen. Gathering evidence: Use of visual security cues in web browsers. In Graphics Interface, 2005.
109. Z. Ye, S. Smith, and D. Anthony. Trusted paths for browsers. ACM TISSEC, 8(2), 2005.
110. S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In IMC, 2009.
111. M. Zusman. Criminal charges are not pursued: Hacking PKI. In DEFCON 17, 2009.
112. M. Zusman and A. Sotirov. Sub-prime PKI: Attacking extended validation SSL. Technical report, Black Hat Security Briefings, 2009.