Server Notaries: A Complementary Approach to the Web PKI Trust Model

Emre Yüce (1) and Ali Aydın Selçuk (2)

1 Dept. of Cryptography, Middle East Technical University, Ankara, Turkey, e132740@metu.edu.tr
2 Dept. of Computer Eng., TOBB Univ. of Economics and Tech., Ankara, Turkey, aselcuk@etu.edu.tr

Abstract. SSL/TLS is the de facto protocol for providing secure communication over the Internet. It relies on the Web PKI model for authentication and secure key exchange. Despite its relatively successful past, the number of Web PKI incidents observed has increased recently. These incidents revealed the risks of forged certificates issued by certificate authorities without the consent of the domain owners. Several solutions have been proposed to solve this problem, but no solution has yet received widespread adoption due to complexity and deployability issues. In this paper, we propose a practical mechanism that enables servers to get their certificate views across the Internet, making detection of a certificate substitution attack possible. The origin of the certificate substitution attack can also be located by this mechanism. We have conducted simulation experiments and evaluated our proposal using publicly available, real-world BGP data. We have obtained promising results on the AS-level Internet topology.
Keywords: Web PKI, SSL/TLS, man-in-the-middle attack, notary

1 Introduction

Today the Internet is massively used for e-government, e-commerce, and e-banking applications, unlike its early days with static web pages. These applications require the exchange of sensitive data including financial or personal information. It is crucial to provide a secure connection for this communication, which is achieved using different network protocols. Secure Socket Layer (SSL) [14] and its successor Transport Layer Security (TLS) [9] are protocols designed to provide confidentiality, authenticity, and integrity over the Internet. SSL (3) relies on the Web PKI trust model [7] for authentication and secure key exchange. In this model, Certificate Authorities (CAs) issue X.509 digital certificates that bind the SSL server identity to a public key. SSL clients receive the digital certificate when they request to establish a secure connection to the server. They verify it using the public keys of CAs embedded in their browser or operating system certificate trust stores.

(3) Hereafter, we use SSL to mean both SSL and TLS.

There exist serious concerns regarding the reliability of the Web PKI trust model. The model employs a list of CAs that are trusted by default. There are hundreds of fully trusted root CAs from more than 50 countries [10]. They are able to delegate their authority to subordinate CAs (sub-CAs) as well. For any domain name both root CAs and sub-CAs are able to issue valid certificates, trusted by most of the browsers, without the consent or knowledge of the domain owner.

One of the most recent incidents happened in March 2015 [24]. Google detected forged certificates for several Google domains. A sub-CA certificate, signed by the National Informatics Centre of China (CNNIC), was used in the incident. Browser and operating system vendors revoked the certificates after the discovery of the attack. This attack is an example of misuse of sub-CA certificates. Other examples are the India NIC case in July 2014 [23], the ANSSI case in December 2013 [22], and the TurkTrust case in January 2013 [21]. Yet in other incidents, CAs were compromised, resulting in the fraudulent issue of forged certificates [41], [6]. Governmental and private organizations may also use forged certificates for their surveillance activities [27], [34], [37].

In response to these vulnerabilities of the Web PKI, several protocols have been proposed as an enhancement or an alternative to the current model. These proposals include Public Key Pinning [19], Perspectives [42], Convergence [29], DANE [33], Sovereign Keys [11], and Certificate Transparency [25]. Although some of these proposals are used, there is no commonly accepted and widely deployed solution yet. The security threats and design constraints to be addressed are still being discussed [5], [26]. The solution should be applicable for any participant, should comply with the current model, and should propose a practical method which does not introduce complex components and does not depend on end user decisions.

In this work, we focus on the fact that SSL servers, in the current trust model, are not able to obtain information on how their certificates are observed at different locations on the network. We propose a complementary solution, the server notaries method, which enables servers to get their certificate views across the Internet. In this way servers will be able to check whether their certificates are observed as expected. Thus detecting a certificate substitution will be possible. Moreover, a server may locate the origin of the attack by analyzing certificate views from different vantage points. In order to see how our method performs on the Internet, we have conducted simulation experiments and evaluated our proposal on the AS-level Internet topology using publicly available BGP data.

We can summarize our primary contributions as follows:

– We propose the server notaries method, a practical and efficient mechanism that enables servers to observe their certificates from different points on the Internet. Our proposal makes detecting and locating a certificate substitution attack possible.
– We present results of simulation experiments conducted using real-life AS-level Internet topology data and evaluate how effective the server notaries method can be at detecting a certificate substitution.
– We present a qualitative assessment of advantages and disadvantages of the server notaries method.
2 Server Notaries

The idea of observing the server certificate from different network vantage points has been used in several proposals to improve the Web PKI trust model. This idea was introduced in Perspectives [42], where Wendlandt et al. defined notaries as publicly available semi-trusted hosts deployed at various locations on the network. The main idea is that after a client obtains the server certificate in the usual way, it may compare the received certificate with the server certificate obtained from a notary's network point of view. A difference between the certificates may indicate a certificate substitution. Different variants of notaries have been used in several different protocols. Similar proposals such as Convergence [29], DoubleCheck [1], and Crossbear [16] followed a similar method to enhance the Web PKI trust model. In this work, we propose a complementary way of using notaries for detecting fake certificates and MITM attacks over the network. In our method, notaries are used by SSL servers rather than clients, hence the name server notaries.
2.1 Scenario and Threat Model

Our scenario consists of an SSL server, a number of notaries and an adversary. The server in the scenario may be any kind of generic or special purpose server. It announces a certificate publicly to any client wishing to establish a secure channel. Notaries are pre-deployed, publicly accessible, semi-trusted hosts located at various network points, and they are managed by different entities. We assume that the server has already obtained the current list of active notaries and their public keys, as we will explain later.

Our threat model considers an adversary who is able to modify the network traffic flowing over itself. The aim of the adversary is to eavesdrop on and tamper with this traffic by executing non-selective MITM attacks against the server. In order to perform such an attack, the adversary may use one of the following methods:

– Obtaining a forged certificate for the server's domain name that is signed by a trusted CA or sub-CA.
– Using a revoked certificate before the CRL update occurs and by interrupting OCSP queries.
– Launching an HTTPS downgrade attack.
– Using a certificate untrusted by root stores (e.g. self-signed).

If the MITM attack is local, i.e. the adversary is located in the vicinity of the client, the adversary and the client are probably in the same subnetwork, the same ISP, or the same country. The adversary may be a governmental entity or the ISP itself. In this scenario, the server observes a fake certificate from the notaries deployed within the attack region and a genuine certificate from the remaining notaries. This scenario makes locating the adversary possible. Such an attack scenario is represented in Figure 1.

Fig. 1. A local MITM attack scenario showing AS-level network paths between S (server), N1 (notary), N2 (notary). The adversary is located at AS3. N1 observes the genuine certificate, N2 observes a fake certificate. Thus S infers that there exists a misbehaving node between S and N2.

If the adversary is located at a network point close to the server, almost all network paths between the server and the notaries include the adversary. Hence the server will mostly observe a fake certificate from the notaries. The server should check its local network or inform its ISP about the issue.

Our threat model does not consider attacks exploiting implementation or configuration errors. Also we assume that the server is not compromised and is a trusted participant. The notaries are semi-trusted participants. We assume that the adversary is not able to break cryptographic primitives; i.e. the adversary cannot tamper with the data that provides authentication, encryption, or integrity.
2.2 Protocol Details

The server notaries method is based on the exchange of observation request-response messages between the server and the notary. The message transaction is given below and demonstrated in Figure 2.

1. The server selects a set of notaries from its notary list and initiates the protocol by sending an observation request to these notaries over a secure channel.
2. After receiving the observation request, a notary establishes a connection to the server as any SSL client would do.
3. The notary receives the server's certificate. If there exists an active adversary on the network path between the server and the notary, the notary will receive a fake certificate.
4. The notary sends the signed observation response to the server over the previously established secure channel. The observation response includes the observed certificate.

Fig. 2. Server notaries method overview: (1) Server sends an observation request to the notary over a secure channel. (2) Notary connects to the server over a public channel. (3) Server sends its certificate. (4) Notary sends an observation response including the received certificate to the server.

The server notaries method enables servers to detect and locate the certificate substitution. If the server receives an unexpected certificate, this is a sign of a certificate substitution between the server and the notary. Hence the server is able to detect a possible MITM attempt or a misissued certificate. Moreover, the server is able to locate the network point where the certificate substitution occurs. Spotting the possibly misbehaving nodes through the network may be achieved by comparing the network paths between the server and multiple notaries.
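The four-step exchange and the path-comparison localisation described above, worked through as an added Python illustration; this is not code from the paper or its authors. It models the AS-level layout the paper later uses in Fig. 3 (server S at AS7, notaries N1 at AS1 and N2 at AS4, adversary at AS6), with the AS paths assumed so that they match the covered-AS sets the text gives for that figure. The notary's signature and the secure channel are stood in for by an HMAC under a per-notary key that the server is assumed to have obtained from the bootstrapping node, and the certificates are constructed byte strings rather than real X.509 encodings. The localisation rule (an AS is suspect if it lies on some path that returned a substituted certificate and on no path that returned the genuine one) is one concrete reading of "comparing the network paths", not a rule the paper states.

```python
"""Server notaries observation round (added illustration, not the paper's code).

Scenario: server S at AS7, notaries N1 (AS1) and N2 (AS4), adversary at AS6
substituting the certificate on every path that crosses it.  The notary
signature / secure channel is stood in for by an HMAC under a per-notary key
the server is assumed to have fetched from the bootstrapping node.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for the DER bytes of the genuine and forged certificates.
GENUINE_CERT = b"constructed genuine certificate of server S"
FORGED_CERT = b"constructed forged certificate presented by the adversary"

# Assumed AS paths from the server AS (first hop) to each notary AS (last hop),
# chosen to reproduce the covered-AS sets of Fig. 3.
AS_PATHS = {"N1": [7, 3, 2, 1], "N2": [7, 6, 5, 4]}
ADVERSARY_AS = 6
SERVER_AS = 7

# Hypothetical bootstrapping result: one verification key per notary.
NOTARY_KEYS = {"N1": b"notary-key-N1", "N2": b"notary-key-N2"}


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint; the server compares this instead of raw DER."""
    return hashlib.sha256(cert).hexdigest()


def network_fetch(path, adversary_as=ADVERSARY_AS):
    """Steps 2-3: the notary connects like an ordinary TLS client and receives
    the forged certificate iff the adversary sits on the AS path."""
    return FORGED_CERT if adversary_as in path else GENUINE_CERT


def sign(name, body):
    """HMAC over the canonical JSON body (stand-in for the notary signature)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(NOTARY_KEYS[name], payload, hashlib.sha256).hexdigest()


def notary_observe(name, request):
    """Step 4 from the notary's side: fetch, then return a signed observation
    response echoing the request nonce and carrying the observed certificate."""
    body = {
        "nonce": request["nonce"],
        "notary": name,
        "cert_fp": fingerprint(network_fetch(AS_PATHS[name])),
    }
    return {"body": body, "sig": sign(name, body)}


def verify_response(name, response, nonce):
    """Server side: reject unauthenticated or replayed responses, then classify
    the observed certificate as 'genuine' or 'substituted'."""
    body = response["body"]
    if not hmac.compare_digest(sign(name, body), response["sig"]):
        return "invalid-response"
    if body.get("nonce") != nonce or body.get("notary") != name:
        return "invalid-response"
    return "genuine" if body["cert_fp"] == fingerprint(GENUINE_CERT) else "substituted"


def server_probe(notaries, nonce="constructed-nonce-1"):
    """Step 1 plus verification: one observation round over the given notaries."""
    return {n: verify_response(n, notary_observe(n, {"nonce": nonce}), nonce)
            for n in notaries}


def locate_suspects(results):
    """Localisation by path comparison: an AS is suspect if it lies on some path
    that returned a substituted certificate and on no path that returned the
    genuine one.  The server's own AS is excluded (trusted by assumption)."""
    on_bad = set().union(*[AS_PATHS[n] for n, r in results.items() if r == "substituted"])
    on_good = set().union(*[AS_PATHS[n] for n, r in results.items() if r == "genuine"])
    return sorted(on_bad - on_good - {SERVER_AS})


if __name__ == "__main__":
    outcome = server_probe(["N1", "N2"])
    print(outcome)                    # {'N1': 'genuine', 'N2': 'substituted'}
    print(locate_suspects(outcome))   # [4, 5, 6]
```

The nonce echo and the signature check are what keep an on-path adversary from simply replaying or rewriting an earlier "genuine" response; in the real protocol the same role is played by the signed response over the secure channel established in step 1. With only two notaries the suspect set is the whole N2 side of the topology (AS4, AS5, AS6); more notaries with genuine views on overlapping paths shrink it.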
Our proposal does not increase the complexity of the current system. Servers are expected to make periodic probes through the notaries. This can be implemented by minor changes on the server side. Clients are not a part of this method and will remain unmodified. Similar to other notary-based solutions [42], [16], the server side implementation will include the contact information of a bootstrapping node, which will be used to obtain an active list of notaries and their public keys so that the communication between the server and the notaries is secured.

As a final remark, we would like to note that although we have focused on detecting MITM attacks targeting the Web PKI, server notaries can also be used to track the view of any certificate or public key served by other processes, such as SSH.
3 Simulations

We have conducted a server notaries simulation on an AS-level Internet topology using publicly available BGP data. In this section we present the simulation details. First we present how we have collected and analyzed the data. Then we share our simulation methodology and conclude the section by commenting on the simulation results.
3.1 Data Collection and Analysis

Throughout this experiment we used the BGP data provided by the University of Oregon Route Views Project [40]. This project aims at publishing data about the global view of the Internet using routing information. It gives real-time public access to the routing data. Route Views data have been used in several projects. An already completed one is the NLANR [31] project, which used the data for AS path visualization and IPv4 address space utilization. In a more recent study, CAIDA [4] has been using Route Views data to generate the geographical location of hosts in conjunction with the NetGeo [30] database. The CAIDA AS Relationships [3] project is another example. This project investigates business agreements between ASes based on customer/provider/peer relations.

There are collectors deployed worldwide which gather the routing data. They have established BGP connections with several BGP peers. As of August 2015, there are 437 peerings to 188 distinct ASes using 19 collectors in total [39]. It is observed that some of the collectors are deployed within Tier-1 networks. The collectors' main purpose is to observe advertised AS paths through the Internet. Although it is not feasible to deploy a collector at every AS for observation, it is shown that the public BGP information is enough to capture a relatively complete AS-level Internet topology [13].

We have downloaded and parsed the dataset (MRT-formatted full-table RIBs (Routing Information Base), i.e., BGP dumps) for 9 August 2015 (08:00) for the vantage points Oregon IX, Equinix Ashburn, ISC/PAIX, KIXP, LINX, DIXIE/WIDE, RouteViews-4, Sydney, and Sao Paulo. The data includes BGP tables collected from 188 distinct ASes worldwide. The raw data includes misleading information such as repetition of ASes within AS paths or loops inside AS paths. We have discarded datasets that are truncated or have limited IP space. We have removed invalid paths like loops or repetitive ASes, and duplicate paths. After these steps we have obtained the AS path dataset including more than 11 million AS paths from 124 distinct ASes destined to almost all ASes observed worldwide.
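As an added example (not the authors' tooling), the three cleaning steps above applied to a constructed handful of raw AS paths. The reading of "repetitive ASes" as AS-path prepending (collapsed) and of "loops" as a non-adjacent revisit of an AS (discarded) is an assumption; MRT parsing itself is out of scope, so the input is already one space-separated path per line.

```python
"""AS-path cleaning of the kind described in Sect. 3.1 (added illustration,
not the authors' parsing code).  Input: one AS path per line, space-separated
ASNs, as printed from a BGP dump (constructed sample below).  Three filters,
in the reading assumed here: consecutive repeats of an ASN (prepending) are
collapsed, paths in which an ASN reappears non-adjacently (a loop) are
discarded, and exact duplicates of an already kept path are dropped.
"""

# Constructed sample of raw AS paths, source AS first, destination AS last.
RAW_AS_PATHS = [
    "7 3 2 1",
    "7 3 3 2 1",      # prepending: 3 repeated; collapses to the first path
    "7 6 5 4",
    "7 6 5 6 4",      # loop: AS6 appears twice, non-adjacent
    "7 3 2 1",        # exact duplicate
    "7 6 6 6 5 4",    # prepending; collapses to the third path
    "7 9 5",
]


def parse_as_path(line):
    """Turn 'a b c' into [a, b, c]; raises on tokens that are not plain ASNs
    (AS sets such as '{1,2}' are out of scope for this illustration)."""
    return [int(tok) for tok in line.split()]


def collapse_prepending(path):
    """Merge runs of the same ASN into one hop."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def has_loop(path):
    """After collapsing, any remaining repeat means the path revisits an AS."""
    return len(set(path)) != len(path)


def clean_as_paths(lines):
    """Return (kept paths, counters) after applying the three filters."""
    stats = {"prepended": 0, "loops": 0, "duplicates": 0}
    seen, kept = set(), []
    for line in lines:
        path = parse_as_path(line)
        collapsed = collapse_prepending(path)
        if len(collapsed) != len(path):
            stats["prepended"] += 1
        if has_loop(collapsed):
            stats["loops"] += 1
            continue
        key = tuple(collapsed)
        if key in seen:
            stats["duplicates"] += 1
            continue
        seen.add(key)
        kept.append(collapsed)
    return kept, stats


if __name__ == "__main__":
    paths, stats = clean_as_paths(RAW_AS_PATHS)
    print(paths)   # [[7, 3, 2, 1], [7, 6, 5, 4], [7, 9, 5]]
    print(stats)   # {'prepended': 2, 'loops': 1, 'duplicates': 3}
```

Collapsing before the duplicate check matters: two dumps of the same route that differ only in prepending would otherwise be counted twice and inflate every occurrence-based metric computed later.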
3.2 Server Notaries Simulation Methodology

The server notaries method has two types of components, namely the servers and the notaries. We consider the AS-level Internet topology where BGP policies determine the AS paths available between two ASes. As for the servers, we used the collectors of the AS path dataset described in Section 3.1. Recall that we have obtained AS paths sourced from 124 distinct ASes to almost all ASes observed in the Internet. Hence, we have decided to use the 124 distinct source ASes as our servers in the simulation.

An important question regarding the deployment of the server notaries method is how to distribute the notaries over the Internet for an effective utilization. An intuitive idea for deployment is to put the notaries at the highly-connected ASes. To choose the notary ASes, we sorted all ASes in descending order with respect to the following five AS features and took a given number of highest ranking ones. The last three items are related to the business agreements between ASes, which are typically confidential but may be inferred from BGP data [28], [15].

– Degree: The number of ASes directly connected to an AS.
– Prefix: The number of prefixes an AS announces.
– Provider: The number of providers an AS has. (4)
– Customer: The number of customers an AS has.
– Peer: The number of peers an AS has. (5)

(4) A provider is an AS that enables its customers to reach other ASes by carrying the customers' transit traffic over itself.
(5) A peering is defined as the exchange of traffic between the respective customers of each peer free of charge. This kind of connection may be observed between ISPs who cannot afford additional Internet services for better connection or between administrative domains who wish to deploy a backup connectivity.

We used Route Views BGP data to calculate the number of announced prefixes per AS. We used the CAIDA AS Relationships dataset [3], which presents the AS relations as provider-to-customer or peer-to-peer, to calculate the remaining AS features.

We say that the ASes observed between the server AS and the notary AS are covered by the notary for the server. Covered ASes are critical for detecting adversaries. Assume an adversary is located at one of the covered ASes and substitutes the server certificate by a forged one. Then the server would detect the adversary by querying the respective notary's view, since the notary observes the forged certificate. A simple scenario is presented in Figure 3. The server S is located at AS7 and the notaries N1 and N2 are located at AS1 and AS4 respectively. AS1, AS2, AS3, and AS7 are covered by N1. AS4, AS5, AS6, and AS7 are covered by N2. The server detects the adversary, located at AS6, by querying N2.

Fig. 3. Sample set of AS paths including the server (S) and the notaries (N1, N2). An adversary is located at AS6. N1 observes the genuine certificate. N2 is affected by the adversary on its path to S and observes the fake certificate.

Performance Metrics. We define the following performance metrics over the AS path dataset generated in Section 3.1. Hereafter $s$ denotes an SSL web server AS, $n_i$ denotes a notary AS, and $N$ denotes the set of all notary ASes.

CAS(s, N): "Covered AS" (CAS) is the number of distinct ASes observed through the AS paths between $s$ and all notaries in $N$.
TAS: "Total AS" (TAS) is the number of distinct ASes observed in the AS path dataset.

In order to calculate the CAS(s, N) value for one server $s$, we scanned the AS path dataset for paths having $s$ and $n_i$ as the first and last ASes, $n_i \in N$. We counted the number of distinct ASes observed on these paths and found the CAS(s, N) value. After calculating the CAS(s, N) values for all servers, we calculated their mean value $\overline{\mathrm{CAS}}$. Using $\overline{\mathrm{CAS}}$ and TAS values, we calculated the CAS Ratio as follows:

$\mathrm{CAS\ Ratio} = \dfrac{\overline{\mathrm{CAS}}}{\mathrm{TAS}}$   (1)

This value gives the ratio of covered distinct ASes using the set of notary ASes $N$.

CASH(s, N): "Covered AS Hit" (CASH) is the total number of occurrences (including multiple counts) of covered ASes in the AS path dataset.
TASH: "Total AS Hit" (TASH) is the total number of occurrences (including multiple counts) of all ASes in the AS path dataset.

We found the ASes covered by $n_i$ for $s$, $n_i \in N$. Then we counted the occurrences of these ASes in the AS path dataset and found the CASH(s, N) value. After calculating the CASH(s, N) values for all servers, we calculated their mean value $\overline{\mathrm{CASH}}$. Using $\overline{\mathrm{CASH}}$ and TASH values, we calculated the CASH Ratio as follows:

$\mathrm{CASH\ Ratio} = \dfrac{\overline{\mathrm{CASH}}}{\mathrm{TASH}}$   (2)

The CASH Ratio value represents how frequently the covered ASes are observed over the AS path dataset. This is also the probability that a random AS path includes a covered AS. If an adversary, launching a MITM attack by certificate substitution, is located at one of the covered ASes, it will be detected using our method. Hence, we interpret the CASH Ratio as the probability of detecting an adversary at the AS level.
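The two metrics, worked through on a constructed six-path dataset as an added example (not the authors' simulation code). The two paths sourced at AS7 reproduce the covered-AS sets of Fig. 3 with $N = \{\mathrm{AS1}, \mathrm{AS4}\}$; the remaining paths are invented so that TAS and TASH are larger than the covered counts. The degree ranking at the end is one reading of the "Degree" feature (distinct neighbours seen across all paths); the other four features need the prefix and relationship data and are not modelled here.

```python
"""CAS / CASH metrics of Sect. 3.2 on a constructed AS-path dataset (added
illustration, not the authors' simulation code).  Paths are lists of ASNs,
first element = source (server) AS, last element = destination AS.  The two
paths from AS7 reproduce the covered-AS sets of Fig. 3; the rest are invented
so that TAS and TASH differ from the covered counts.
"""
from collections import Counter

AS_PATHS = [
    [7, 3, 2, 1],
    [7, 6, 5, 4],
    [7, 9, 5],
    [8, 6, 5, 4],
    [8, 9, 5],
    [1, 2, 3, 7],
]


def total_as(paths):
    """TAS: distinct ASes in the dataset."""
    return len({asn for p in paths for asn in p})


def total_as_hit(paths):
    """TASH: every AS occurrence counted, repeats included."""
    return sum(len(p) for p in paths)


def covered_ases(paths, s, notaries):
    """CAS(s, N) as a set: ASes on paths whose first hop is s and whose last
    hop is some n_i in N."""
    return {asn for p in paths if p[0] == s and p[-1] in notaries for asn in p}


def cas_ratio(paths, servers, notaries):
    """Eq. (1): mean over servers of CAS(s, N), divided by TAS."""
    mean_cas = sum(len(covered_ases(paths, s, notaries)) for s in servers) / len(servers)
    return mean_cas / total_as(paths)


def cash_ratio(paths, servers, notaries):
    """Eq. (2): mean over servers of CASH(s, N), divided by TASH.  CASH(s, N)
    counts every occurrence of a covered AS anywhere in the dataset."""
    hits = Counter(asn for p in paths for asn in p)
    mean_cash = sum(
        sum(hits[a] for a in covered_ases(paths, s, notaries)) for s in servers
    ) / len(servers)
    return mean_cash / total_as_hit(paths)


def rank_by_degree(paths):
    """ASes sorted by number of distinct directly connected ASes (ties by ASN);
    this is the 'degree' ordering used to pick notary ASes."""
    neigh = {}
    for p in paths:
        for a, b in zip(p, p[1:]):
            neigh.setdefault(a, set()).add(b)
            neigh.setdefault(b, set()).add(a)
    return sorted(neigh, key=lambda a: (-len(neigh[a]), a))


def select_notaries(paths, k):
    """Top-k ASes of the degree list, as the simulation's notary placement."""
    return set(rank_by_degree(paths)[:k])


if __name__ == "__main__":
    servers, notaries = [7, 8], {1, 4}
    print(round(cas_ratio(AS_PATHS, servers, notaries), 4))   # 0.6111
    print(round(cash_ratio(AS_PATHS, servers, notaries), 4))  # 0.6364
    print(rank_by_degree(AS_PATHS)[:3])                       # [5, 6, 7]
```

On this toy dataset CAS(7, N) = 7 of TAS = 9 and CAS(8, N) = 4, so the CAS Ratio is 5.5/9; the hit-weighted CASH Ratio is 14/22. The two ratios diverge because ASes that appear on many paths (here AS5 and AS7) are counted once in CAS but once per occurrence in CASH, which is why the paper reads the latter as a detection probability.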
Results. The contribution of this simulation is twofold. Firstly, we evaluate how successful the server notaries method is at detecting certificate substitution attacks. Secondly, we analyze the effect of several AS features on AS selection for notary deployment.

CAS Ratio values are given in Figure 4. This figure shows that the top n ASes with the highest number of providers will cover a larger portion of the network than the other alternatives, for a given number n. For instance, the top 200 ASes from the "provider" list cover approximately 1.5% of all ASes, whereas the top 200 ASes from the other lists cover less than 1% of all ASes.

Fig. 4. Percentage of covered ASes (y-axis) with respect to the number of notaries (x-axis), selected according to the AS features given in the legend.

CASH Ratio values, which measure the probability of detecting an adversary, are presented in Figure 5. The results are very promising. By deploying notaries at the top 200 ASes from the "degree" list, the probability of detecting an adversary at the AS level is more than 50%. The simulation results show that it is better to deploy notaries at ASes with higher degrees in order to have a higher probability of detecting adversaries. By deploying notaries at the top 2000 ASes from the degree list, the CASH Ratio becomes 70%.
4 Related Work

There exist several proposals suggesting improvements to the current Web PKI trust model. Some of them try to replace the CA infrastructure completely, while others try to fit in and enhance the current model.

Pinning methods try to detect certificate substitutions at the client side [19]. Pinning is the process of associating a host with a certificate (or a public key). HPKP creates pins from the user's browsing history [35]. TACK uses server-pushed pins with the TOFU method [38]. Google deploys preloaded pins for various domain names in Chrome [20]. These methods are successful at detecting certificate changes, which are possible MITM attacks. They however have some issues about revocation and certificate updates.

Another proposal is binding SSL keys to DNS entries using DNSSEC, namely DANE [33]. This proposal may be seen as pinning keys to the DNS entries. In order for the DANE solution to be used, the vast majority of DNS servers should be configured to use DNSSEC. Also revocation is again problematic in DANE, since all DNS records worldwide, including caches, should be updated in case of a public key update. This depends on the TTL value of the records.

Perspectives [42] is the first notary-based solution which utilizes notaries in order to observe server certificates from different network vantage points. Convergence [29] improves the Perspectives proposal by using bounce notaries to prevent privacy issues, enabling other methods (DANE, CAs, etc.) to be used for authentication, and solving the notary lag problem. DoubleCheck [1] proposes using the TOR network instead of notaries. DetecTor [8] is a similar solution extending the usage of the TOR idea to any protocol. An interesting idea for both detecting and locating the adversaries using notaries, originally called hunters, has arisen in the Crossbear proposal [16]. Notary-based solutions are generally criticized for certificate update issues and ineffectiveness in the case when adversaries are close to the server [5].

Fig. 5. Percentage of covered ASes hit (y-axis) with respect to the number of notaries (x-axis), selected according to the AS features given in the legend.

The ICSI Certificate Notary [18] and the EFF SSL Observatory [12] projects collect SSL certificates and publish statistical information about them. The ICSI Certificate Notary also provides a public DNS interface to query its database. These projects collect the certificates by actively probing the websites. As another approach, Huang et al. [17] have used client-side applets implemented in the Facebook website in order to analyze the certificates observed by the client. They have analyzed more than 3 million SSL connections and shared the properties of the observed certificates.

The Sovereign Keys method [11] is a combination of server pinning and logging-based methods. The server specifies a public key and logs it at a publicly available append-only log. Losing the private key may end up in losing the domain. Another example is the Certificate Transparency method [25] proposed by Google. Every issued certificate is logged at a publicly available append-only and read-only log with a signed certificate timestamp (SCT). Thus certificates are transparent and verifiable. It is claimed that a MITM attack may be launched by redirecting a client to a specific log or by using a rogue CA [36]. Also revocation seems problematic in logging-based methods since the logs are append-only and read-only. In fact, Certificate Transparency does not claim to prevent MITM attacks but to detect them as fast as possible.

There exist proposals focusing on the current binary trust model of the Web PKI with trust computation enhancements [32], [2].
5 Discussion

The current Web PKI model is heavily used by billions of users every day. It is not possible to interrupt the model and to change it by setting a "Flag Day". Hence a viable solution should propose a smooth, gradual transition. It had better include a transition period that interoperates with the current model at least for a while. The server notaries method proposes a quick fix for the vulnerabilities observed in the Web PKI trust model; our proposal would aid servers in mitigating certificate substitution attacks until a final consensus is reached.

The number of participating entities on the Internet is increasing every day. A potential solution should scale as the Internet grows, and any participant should be able to use it. For instance, embedding public keys into browsers (preloaded pins) aided researchers in detecting several incidents [21], [23], [24]. However, it is not feasible to embed each and every SSL public key in the world into the browsers. On the other hand, the solution should not require everyone in the world to participate in order to work properly. For instance, Certificate Transparency enables detecting forged certificates for the participating CAs. It is not applicable, however, to non-participating CAs. Similarly, DANE requires DNSSEC to be deployed at every DNS server worldwide. Thus it can be stated that these solutions are limited by the degree of deployment. This is not the case for the server notaries method, as any server is able to use it and observe its certificate throughout the Internet. Also it does not require every entity to participate.

Complexity is the enemy of security. The more components a solution has, the harder it is to make it secure. The solution should propose a practical method which does not introduce complex components. Also, it should require as few changes as possible at the server and client sides. Servers using the server notaries method will make periodic probes to the notaries. This can be implemented by minor changes on the server side. Notaries can be deployed worldwide using cloud infrastructures. Clients will remain unmodified.

Another issue at the client side is privacy. In the current model, whenever a client visits a website over SSL, the client's browser queries the CA's OCSP responders to verify that the server certificate is not revoked. Hence, the browsers already leak information about the client's SSL browsing history. Similarly, some notary-based solutions suffer from privacy issues. The proposed solution should not introduce additional privacy issues. As clients are not a part of the server notaries method, it does not introduce any privacy issues.

Some of the notary-based solutions solve the privacy issues by anonymizing the communication over the TOR network [8], [1], which causes extra latency for every newly observed certificate at the client side. A usable solution should not add extra latency. The server notaries method will just create extra network traffic on the server side, which will not constitute a latency problem.

Notary-based solutions and pinning methods may produce false positive warnings for server farms with multiple different certificates or for websites updating their certificates frequently [5]. Users are expected to make a final decision in such cases. There are also MITM attack detection methods proposed to be used by tech savvy users [16]. A solution may give feedback to the user in a suspicious case. However, it should not fully depend on end user decisions. Our proposal expects a decision from the server. As the server has the genuine certificate, it can make a final decision for the observed certificate easily.

The deployment of the notary nodes across the Internet is a major issue of our protocol. As noted in [42], independent nodes run by volunteers, like TOR relays, would make an excellent notary infrastructure. Bootstrapping servers can also be implemented à la TOR.
6 Conclusion

Recent incidents have demonstrated the vulnerabilities in the Web PKI trust model. As most of these vulnerabilities remain unsolved, the number of MITM attacks is expected to increase over time. Unfortunately, looking at the complexity and deployability issues of the proposed solutions, it may be thought that there will not be a final, elegant solution in the near future. We have proposed a practical mechanism which enables servers to observe their own certificates using public notaries. This will bring the server administrators into the game, as they will try to detect attacks against their servers. Simulations, conducted using real-life Internet topology data, have shown promising results for the effectiveness of the proposed solution.

Acknowledgments. We thank Onur Bektaş and Uğur Yılmaz from TÜBİTAK ULAKBİM for their comments and feedback throughout this work.
References

1. Alicherry, M., Keromytis, A.D.: DoubleCheck: Multi-path verification against man-in-the-middle attacks. In: Computers and Communications, 2009. ISCC 2009. IEEE Symposium on. pp. 557–563. IEEE (2009)
2. Braun, J., Volk, F., Buchmann, J., Mühlhäuser, M.: Trust views for the web PKI. In: Public Key Infrastructures, Services and Applications, pp. 134–151. Springer (2014)
3. CAIDA: AS Relationships (2015), http://www.caida.org/data/as-relationships/
4. CAIDA: Center for Applied Internet Data Analysis (2015), http://www.caida.org
5. Clark, J., van Oorschot, P.C.: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements. In: Security and Privacy (SP), 2013 IEEE Symposium on. pp. 511–525. IEEE (2013)
6. Comodo: Comodo SSL affiliate the recent RA compromise (March 2011), https://blog.comodo.com/other/the-recent-ra-compromise/
7. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (Proposed Standard) (May 2008), http://www.ietf.org/rfc/rfc5280.txt, updated by RFC 6818
8. DetecTor, http://www.detector.io
9. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (Aug 2008), http://www.ietf.org/rfc/rfc5246.txt, updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627
10. Eckersley, P., Burns, J.: The (decentralized) SSL observatory. In: Invited talk at 20th USENIX Security Symposium (2011)
11. EFF: The sovereign keys project, https://www.eff.org/sovereign-keys
12. EFF: The EFF SSL observatory (2015), https://www.eff.org/observatory
13. Faloutsos, M., Faloutsos, P., Faloutsos, C.: On power-law relationships of the Internet topology. SIGCOMM Comput. Commun. Rev. 29(4), 251–262 (Aug 1999), http://doi.acm.org/10.1145/316194.316229
14. Freier, A., Karlton, P., Kocher, P.: The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic) (Aug 2011), http://www.ietf.org/rfc/rfc6101.txt
15. Gao, L.: On inferring autonomous system relationships in the Internet. IEEE/ACM Trans. Netw. 9(6), 733–745 (Dec 2001), http://dx.doi.org/10.1109/90.974527
16. Holz, R., Riedmaier, T., Kammenhuber, N., Carle, G.: X.509 forensics: Detecting and localising the SSL/TLS men-in-the-middle. In: Computer Security – ESORICS 2012, pp. 217–234. Springer (2012)
17. Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged SSL certificates in the wild. In: Security and Privacy (SP), 2014 IEEE Symposium on. pp. 83–97. IEEE (2014)
18. The ICSI certificate notary (2015), https://notary.icsi.berkeley.edu/
19. Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning. NDSS (2015)
20. Langley, A.: Public key pinning (2011), https://www.imperialviolet.org/2011/05/04/pinning.html
21. Langley, A.: Enhancing digital certificate security. Google Online Security Blog (January 2013), http://googleonlinesecurity.blogspot.com/2013/01/enhancing-digital-certificate-security.html
22. Langley, A.: Further improving digital certificate security. Google Online Security Blog (December 2013), http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
23. Langley, A.: Maintaining digital certificate security. Google Online Security Blog (2014), http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
24. Langley, A.: Maintaining digital certificate security. Google Online Security Blog (March 2015), http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
25. Langley, A., Kasper, E., Laurie, B.: Certificate Transparency. RFC 6962 (Experimental) (2013), https://tools.ietf.org/html/rfc6962
26. Laurie, B.: Certificate transparency: public, verifiable, append-only logs (2014), http://queue.acm.org/detail.cfm?id=2668154
27. Leyden, J.: Trustwave admits crafting SSL snooping certificate: Allowing bosses to spy on staff was wrong, says security biz. The Register (2012), http://www.theregister.co.uk/2012/02/09/tustwave_disavows_mitm_digital_cert/
28. Luckie, M., Huffaker, B., Dhamdhere, A., Giotsas, V., et al.: AS relationships, customer cones, and validation. In: Proceedings of the 2013 conference on Internet measurement conference. pp. 243–256. ACM (2013)
29. Marlinspike, M.: Convergence (2012), http://conergence.io
30. NetGeo: The Internet geographic database (2015), http://www.caida.org/tools/utilities/netgeo/
31. NLANR: The National Laboratory for Advanced Network Research (2006), http://www.caida.org/projects/nlanr/
32. Ries, S., Habib, S.M., Mühlhäuser, M., Varadharajan, V.: CertainLogic: A logic for modeling trust and uncertainty. In: Trust and Trustworthy Computing, pp. 254–261. Springer (2011)
33. Schlyter, J., Hoffman, P.: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA (2012)
34. Singel, R.: Law enforcement appliance subverts SSL. Wired News (2010), http://www.wired.com/2010/03/packet-forensics/
35. Sleevi, R., Evans, C., Palmer, C.: Public key pinning extension for HTTP (2015)
36. Slepak, G.: The trouble with certificate transparency (September 2014), https://blog.okturtles.com/2014/09/the-trouble-with-certificate-transparency/
37. Soghoian, C., Stamm, S.: Certified lies: Detecting and defeating government interception attacks against SSL (short paper). In: Financial Cryptography and Data Security, pp. 250–259. Springer (2011)
38. TACK: Trust assertions for certificate keys, http://tack.io
39. Route Views peering status report. Tech. rep. (July 2015), http://www.routeviews.org/peers/peering-status-by-as.html
40. University of Oregon Route Views project (2015), http://www.routeviews.org/
41. VASCO: DigiNotar reports security incident (August 2011), https://www.vasco.com/company/about_vasco/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
42. Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style host authentication with multi-path probing. In: USENIX Annual Technical Conference. pp. 321–334 (2008)
