Analysis of SSL certificate reissues and revocations in the wake of Heartbleed

Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Volumn , Issue , 2014, Pages 489-502

  Zhang, Liang ^a   Choffnes, David ^a   Levin, Dave ^b   Dumitraş, Tudor ^b   Mislove, Alan ^a   Schulman, Aaron ^c   Wilson, Christo ^a  

^a NORTHEASTERN UNIVERSITY   (United States)

^b UNIVERSITY OF MARYLAND   (United States)

^c STANFORD UNIVERSITY   (United States)

Author keywords

Certificates; Extended validation; Heartbleed; HTTPS; Reissue; Revocation; SSL; TLS; X.509

Indexed keywords

HTTP; THALLIUM;

CERTIFICATES; EXTENDED VALIDATION; HEARTBLEED; HTTPS; REISSUE; REVOCATION; X.509;

WAKES;

EID: 84910157044     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2663716.2663758     Document Type: Conference Paper

References (37)

1. D. E. 3rd. Transport Layer Security (TLS) Extensions: Extension Definitions, Jan. 2011. IETF RFC-6066.
2. Alexa Top 1 Million Domains. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip.
3. E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management { Part 1: General (Revision 3), 2012. NIST Special Publication 800-57.
4. Botan SSL Library. http://botan.randombit.net.
5. CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overow discloses sensitive information. http://www.kb.cert.org/vuls/id/720951.
6. D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF RFC-5280, May 2008.
7. R. Duncan. How certificate revocation (doesn't) work in practice, 2013. http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html.
8. Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. Analysis of the HTTPS certificate ecosystem. In ACM Internet Measurement Conference (IMC), 2013.
9. Z. Durumeric, J. Kasten, F. Li, J. Amann, J. Beekman, M. Payer, N. Weaver, J. A. Halderman, V. Paxson, and M. Bailey. The matter of Heartbleed. In ACM Internet Measurement Conference (IMC), 2014.
10. Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, 2013.
11. P. Eckersley and J. Burns. An observatory for the SSLiverse. In Defcon 18, 2010. https://www.eff.org/files/DefconSSLiverse.pdf.
12. F. F. Elwailly, C. Gentry, and Z. Ramzan. QuasiModo: Efficient certificate validation and revocation. In Public Key Cryptography (PKC), 2004.
13. P. Evans. Heartbleed bug: RCMP asked Revenue Canada to delay news of SIN thefts, 2014. http://www.cbc.ca/news/business/heartbleed-bug-rcmp-asked-revenue-canada-to-delay-news-of-sin-thefts-1.2609192.
14. Faketime library. http://www.code-wizards.com/projects/libfaketime/.
15. B. Grubb. Heartbleed disclosure timeline: Who knew what and when, 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html.
16. N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your Ps and Qs: Detection of widespread weak keys. In USENIX Security Symposium, 2012.
17. R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL landscape { A thorough analysis of the X.509 PKI using active and passive measurements. In ACM Internet Measurement Conference (IMC), 2011.
18. Revocation doesn't work. https://www.imperialviolet.org/2011/03/18/revocation.html.
19. S. Kornexl, V. Paxson, H. Dreger, A. Feldmann, and R. Sommer. Building a time machine for eficient recording and retrieval of high-volume network trafic. In ACM Internet Measurement Conference (IMC), 2005.
20. Mac OS X 10.9.2 Root Certificates. http://support.apple.com/kb/HT6005.
21. S. Micali. NOVOMODO: Scalable certificate validation and simplified PKI management. In PKI Research Workshop, 2002.
22. P. Mutton. Half a million widely trusted websites vulnerable to heartbleed bug, 2014. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html.
23. M. Naor and K. Nissim. Certificate revocation and certificate update. In USENIX Security Symposium, 1998.
24. OpenSSL Project. https://www.openssl.org.
25. T. Ramos. The laws of vulnerabilities. In RSA Conference, 2006. http://www.qualys.com/docs/Laws-Presentation.pdf.
26. Rapid7 SSL Certificate Scans. https://scans.io/study/sonar.ssl.
27. E. Rescorla. Security holes... Who cares? In USENIX Security Symposium, 2003.
28. R. L. Rivest. Can we eliminate certificate revocation lists? In Financial Cryptography (FC), 1998.
29. S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP, June 2013. IETF RFC-6960.
30. R. Seggelmann, M. Tuexen, and M. Williams. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, Feb. 2012. IETF RFC-6520.
31. N. Sullivan. The Heartbleed Aftermath: All CloudFlare certificates revoked and reissued, 2014. http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued.
32. N. Sullivan. The Results of the CloudFlare Challenge, 2014. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge.
33. The GnuTLS Transport Layer Security Library. http://www.gnutls.org.
34. E. Topalovic, B. Saeta, L.-S. Huang, C. Jackson, and D. Boneh. Toward short-lived certificates. In Web 2.0 Security & Privacy (W2SP), 2012.
35. S. Yilek, E. Rescorla, H. Shacham, B. Enright, and S. Savage. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In ACM Internet Measurement Conference (IMC), 2009.
36. P. Zheng. Tradeoffs in certificate revocation schemes. In ACM Computer Communication Review (CCR), 2013.
37. ZMap Vulnerable Hosts. https://zmap.io/heartbleed/vulnerable.html.