Analyzing forged SSL certificates in the wild

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 83-97

  Huang, Lin Shung ^a   Rice, Alex ^b   Ellingsen, Erling ^b   Jackson, Collin ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b FACEBOOK   (United States)

Author keywords

certificates; man in the middle attack; SSL

Indexed keywords

COMPUTER VIRUSES; WEBSITES;

ANTIVIRUS SOFTWARES; CERTIFICATES; CONTENT FILTER; FACEBOOK; MAN IN THE MIDDLE ATTACKS; REAL-WORLD; SSL CERTIFICATES;

NETWORK SECURITY;

EID: 84914156123     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.13     Document Type: Conference Paper

References (54)

1. A. O. Freier, P. Karlton, and P. C. Kocher, "The Secure Sockets Layer (SSL) Protocol Version 3.0," RFC 6101 (Historic), Internet Engineering Task Force, Aug. 2011.
2. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2," RFC 5246 (Proposed Standard), Internet Engineering Task Force, Aug. 2008.
3. D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," RFC 5280 (Proposed Standard), Internet Engineering Task Force, May 2008.
4. Electronic Frontier Foundation, "The EFF SSL Observatory," https://www.eff.org/observatory.
5. VASCO, "Digi Notar reports security incident," http://www.vasco.com/company/about vasco/press room/news archive/2011/news diginotar reports security incident.aspx, Aug. 2011.
6. Comodo, "Comodo Report of Incident - Comodo detected and thwarted an intrusion on 26-MAR-2011," http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html, Mar. 2011.
7. TURKTRUST, "Public announcements," http://turktrust.com.tr/en/kamuoyu-aciklamasi-en.html, Jan. 2013.
8. H. Adkins, "An update on attempted man-in-the-middle attacks," http://googleonlinesecurity.blogspot.com/2011/08/update-on-attemptedman-in-middle.html.
9. C. Soghoian and S. Stamm, "Certified lies: detecting and defeating government interception attacks against SSL," in Proceedings of the 15th International Conference on Financial Cryptography and Data Security, 2011.
10. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "The emperor's new security indicators," in Proceedings of the IEEE Symposium on Security and Privacy, 2007.
11. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor, "Crying wolf: an empirical study of SSL warning effectiveness," in Proceedings of the 18th USENIX Security Symposium, 2009.
12. D. Akhawe and A. P. Felt, "Alice in warningland: A large-scale field study of browser security warning effectiveness," in Proceedings of the 22nd USENIX Security Symposium, 2013.
13. A. P. Felt, H. Almuhimedi, S. Consolvo, and R. W. Reeder, "Experimenting at scale with Google Chrome's SSL warning," in Proceedings of the ACM Conference on Human Factors in Computing Systems, 2014.
14. P. Eckersley, "A Syrian man-in-the-middle attack against Facebook," https://www.eff.org/deeplinks/2011/05/syrian-man-middle-againstfacebook, May 2011.
15. R. Holz, L. Braun, N. Kammenhuber, and G. Carle, "The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements," in Proceedings of the ACM SIGCOMM Conference on Internet Measurement, 2011.
16. D. Akhawe, B. Amann, M. Vallentin, and R. Sommer, "Here's my cert, so trust me, maybe? Understanding TLS errors on the web," in Proceedings of the International Conference on World Wide Web, 2013.
17. Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman, "Analysis of the HTTPS certificate ecosystem," in Proceedings of the 13th ACM SIGCOMM Conference on Internet Measurement, 2013.
18. E. Butler, "Firesheep," http://codebutler.com/firesheep.
19. S. Chen, Z. Mao, Y.-M. Wang, and M. Zhang, "Pretty-Bad-Proxy: An overlooked adversary in browsers' HTTPS deployments," in Proceedings of the IEEE Symposium on Security and Privacy, 2009.
20. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, "The most dangerous code in the world: validating SSL certificates in non-browser software," in Proceedings of the ACM Conference on Computer and Communications Security, 2012.
21. S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith, "Why eve and mallory love Android: an analysis of Android SSL (in)security," in Proceedings of the ACM Conference on Computer and Communications Security, 2012.
22. S. Fahl, M. Harbach, H. Perl, M. Koetter, and M. Smith, "Rethinking SSL development in an appified world," in Proceedings of the ACM Conference on Computer and Communications Security, 2013.
23. M. Marlinspike, "sslsniff," http://www.thoughtcrime.org/software/sslsniff.
24. C. Reis, S. D. Gribble, T. Kohno, and N. C. Weaver, "Detecting in-flight page changes with web tripwires," in Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, 2008.
25. M. Casado and M. J. Freedman, "Peering through the shroud: the effect of edge opacity on IP-based client identification," in Proceedings of the 4th USENIX Symposium on Networked Systems Design and Implementation, 2007.
26. C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh, "Protecting browsers from DNS rebinding attacks," in Proceedings of the ACM Conference on Computer and Communications Security, 2007.
27. L.-S. Huang, E. Y. Chen, A. Barth, E. Rescorla, and C. Jackson, "Talking to yourself for fun and profit," in Proceedings of the Web 2.0 Security and Privacy, 2011.
28. C. Kreibich, N. Weaver, B. Nechaev, and V. Paxson, "Netalyzr: Illuminating the edge network," in Proceedings of the ACM SIGCOMM Conference on Internet Measurement, 2010.
29. S. Stamm, B. Sterne, and G. Markham, "Reining in the web with content security policy," in Proceedings of the 19th International Conference on World Wide Web, 2010.
30. P. Uhley, "Setting up a socket policy file server," http://www.adobe.com/devnet/flashplayer/articles/socket policy files.html, Apr. 2008.
31. StatOwl.com, "Flash player version market share and usage statistics," http://www.statowl.com/flash.php.
32. R. A. Sandvik, "Security vulnerability found in Cyberoam DPI devices (CVE-2012-3372)," https://blog.torproject.org/blog/securityvulnerability-found-cyberoam-dpi-devices-cve-2012-3372, Jul. 2012.
33. Y. N. Pettersen, "Suspected malware performs man-in-the-middle attack on secure connections," http://my.opera.com/securitygroup/blog/2012/05/16/suspected-malware-performs-man-in-the-middle-attack-onsecure-connections, May 2012.
34. J. Hodges, C. Jackson, and A. Barth, "HTTP Strict Transport Security (HSTS)," RFC 6797 (Proposed Standard), Internet Engineering Task Force, Nov. 2012.
35. C. Jackson and A. Barth, "Force HTTPS: protecting high-security web sites from network attacks," in Proceedings of the 17th International Conference on World Wide Web, 2008.
36. M. Marlinspike, "New techniques for defeating SSL/TLS," in Black Hat DC, 2009.
37. C. Evans and C. Palmer, "Public Key Pinning Extension for HTTP," IETF, Internet-Draft draft-ietf-websec-key-pinning-03, Oct. 2012.
38. A. Langley, "Public key pinning," http://www.imperialviolet.org/2011/05/04/pinning.html.
39. C. Paya, "Certificate pinning in Internet Explorer with EMET," http://randomoracle.wordpress.com/2013/04/25/certificate-pinning-ininternet-explorer-with-emet/.
40. M. Marlinspike and E. T. Perrin, "Trust Assertions for Certificate Keys," IETF, Internet-Draft draft-perrin-tls-tack-02, Jan. 2013.
41. I. Dacosta, M. Ahamad, and P. Traynor, "Trust no one else: Detecting MITM attacks against SSL/TLS without third-parties," in Proceedings of the European Symposium on Research in Computer Security, 2012.
42. "Certificate Patrol - a psyced Firefox/Mozilla add-on," http://patrol. psyced.org.
43. M. Dietz, A. Czeskis, D. Balfanz, and D. Wallach, "Origin-bound certificates: A fresh approach to strong client authentication for the web," in Proceedings of the 21st USENIX Security Symposium, 2012.
44. D. Wendlandt, D. Andersen, and A. Perrig, "Perspectives: Improving SSH-style host authentication with multi-path probing," in Proceedings of the USENIX Annual Technical Conference, 2008.
45. M. Marlinspike, "SSL and the future of authenticity," in Black Hat USA, 2011.
46. K. Engert, "Detec Tor," http://detector.io/DetecTor.html.
47. M. Alicherry and A. D. Keromytis, "Doublecheck: Multi-path verification against man-in-the-middle attacks," in IEEE Symposium on Computers and Communications, 2009.
48. R. Holz, T. Riedmaier, N. Kammenhuber, and G. Carle, "X. 509 forensics: Detecting and localising the SSL/TLS men-in-the-middle," in Proceedings of the European Symposium on Research in Computer Security, 2012.
49. P. Eckersley, "Sovereign key cryptography for internet domains," https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-keydesign.txt;hb=master.
50. B. Laurie, A. Langley, and E. Kasper, "Certificate Transparency," IETF, Internet-Draft draft-laurie-pki-sunlight-02, Oct. 2012.
51. T. H.-J. Kim, L.-S. Huang, A. Perrig, C. Jackson, and V. Gligor, "Accountable Key Infrastructure (AKI): A proposal for a public-key validation infrastructure," in Proceedings of the International Conference on World Wide Web, 2013.
52. R. Sleevi, "[cabfpub] Upcoming changes to Google Chrome's certificate handling," https://cabforum.org/pipermail/public/2013-September/002233.html, 2013.
53. P. Hoffman and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA," RFC 6698 (Proposed Standard), Internet Engineering Task Force, Aug. 2012.
54. P. Hallam-Baker and R. Stradling, "DNS Certification Authority Authorization (CAA) Resource Record," RFC 6844 (Proposed Standard), Internet Engineering Task Force, Jan. 2013.