## Measurements and Certificate-Based Authentication
, Kent Seamons, Mark O'Neill, Scott Ruoti
Brigham Young University
* The lock icon in your browser is supposed to mean you have a secure connection to the web site shown ![amazon](figures/amazon.png)
## Authentication with TLS is Fragile *
Browsers trust too many CAs
Poor trust agility
Flawed implementations are proliferating
: broken libraries [1,2], broken browsers , broken mobile apps  *
TLS inspection and man-in-the-middle attacks are occurring
: personal/enterprise firewalls,
 M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: validating ssl certificates in non-browser software. 2012 ACM CCS.
 C. Brubaker, S. Jana, B. Ray, S. Khurshid, and V. Shmatikov. Using frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations. 2014 IEEE Symposium on Security and Privacy (SP).
 S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why eve and mallory love android: An analysis of android SSL (in) security. 2012 ACM CCS.
 M. O’Neill, S. Ruoti, K. Seamons, and D. Zappala. TLS proxies: Friend or foe? In submission.
 A. Rice, E. Ellingsen, and C. Jackson. Analyzing Forged SSL Certificates in the Wild. 2014 IEEE Symposium on Security and Privacy.
## State of the Certificate Ecosystem
## Methods *
Scans from a single point
* Alexa Top 1 million scan , EFF full scan , ZMap full scan  *
Passive monitors from one or a few VP
* Munich monitors , Bro monitors  *
Mobile apps with thousands of users
* Netalyzer  *
Flash apps with millions of views
* deployed on a major web site , deployed with a Google ad  *
User surveys with thousands of users
 --- ## Ecosystem is Fragile  * 1832 CA certs, 683 orgs * Any root or intermediate CA can sign for any site, including CAs controlled by the government in [China, Syria, U.S. ...] * 3 orgs sign for 75% of all certs (single point of failure) * numerous errors --- ## Detecting attacks is hard 
*TürkTrust accidentally gave two CA certificates to customers (2013)*
*Valid certs from different roots*
*Valid cert with multiple domains*
Legitimate cert changes are very common --- ## Difficult to tell forged certs from valid certs Common benign behavior: * multiple valid roots * new intermediate CAs * country changes (1.3K in one month) * overlaps in validity period * key sharing --- ## Mobile space is wide open * certs are easy to add to Android devices  * manufacturers add them * any third party app can add them without user awareness --- ## MiTM attacks are happening * misbehaving intermediate authority (Trustweave)  * hacked authority (Comodo, DigiNotar)  * a rogue app  * personal/enterprise firewalls [6,7] * adware/malware/spammers/botnets [6,7] --- ## User opinions are nuanced  * 65% to 90% accept benevolent uses, such as scanning by employers, schools * support for proxies without notification or consent is strongest at elementary schools (45.9%) and at businesses when employees are using company-provided computers (47.9%) * strongest negative reaction to proxies is for government surveillance * 90% want notification and consent * personas: pragmatic majority (77%), privacy fundamentalist (17%), jaded (5%), unconcerned (1%) --- ## Papers
 [A thorough analysis of the X.509 PKI using active and passive measurements](http://conferences.sigcomm.org/imc/2011/docs/p427.pdf), R. Holz, L. Braun, N. Kammenhuber, and G. Carle. 2011 IMC.  [An observatory for the SSLiverse](https://www.eff.org/files/DefconSSLiverse.pdf), P. Eckersley and J. Burns. 2010 Talk at Defcon 18.  [Analysis of the HTTPS certificate ecosystem](http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf), Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman. 2013 IMC.  [No Attack Necessary: The Surprising Dynamics of SSL Trust Relationships](http://www.icir.org/johanna/papers/acsac13noattacknecessary.pdf), J. Amann, R. Sommer, M. Vallentin, S. Hall. 2013 ACSAC.  [A Tangled Mass: The Android Root Certificate Stores](http://www.icir.org/johanna/papers/conext14tangledmass.pdf), Narseo Vallina-Rodriguez, Johanna Amann, Christian Kreibich, Nicholas Weaver, and Vern Paxson, 2014 CoNEXT  [Analyzing Forged SSL Certificates in the Wild](https://www.linshunghuang.com/papers/mitm.pdf), Huang, Lin Shung, Alex Rice, Erling Ellingsen, and Collin Jackson. 2014 IEEE Symposium on Security and Privacy  [TLS Proxies Friend or Foe?](http://arxiv.org/abs/1407.7146), Mark O’Neill, Scott Ruoti, Kent Seamons, and Daniel Zappala. In submission.  At Least Tell Me: User Attitudes Toward the Inspection of Encrypted Traffic, Mark O’Neill, Scott Ruoti, Kent Seamons, and Daniel Zappala. In submission.
## Current Work
## Measurements * Comprehensive view of certs seen by clients from as many vantage points as possible * measurement testbeds: Dasu/NameHelp, Ark, Atlas (deployment of 100s to 100,000s, can probe any site) * Flash/Google Adwords for non-mobile clients (deployment of millions, can probe only a handful of sites) * Android app for mobile clients (deployment of thousands, can probe any site) * Firefox and Chrome extensions in the works (deployment of ?, can probe any site) * Ideally, on same device as user, no user action required --- ## Proxy Heatmap ![heatmap](figures/heatmap_alternate.png)
Need more work to get real-time monitoring --- ## Many alternative authentication systems * certificate pinning, notaries (Convergence), DNS (DANE), certificate transp arency ## But... * very little deployment * no common platform or API --- ## TrustHub ![architecture](figures/architecture.png) * simplify deployment of authentication services * provide trust agility * OS-level protection against proxies * Linux and Android --- ## Authentication Services * curated root store * dynamic pinning of certificate bundles * crowd-sourced notary service for self-signed certs * user authentication (user to device/content)
Measurements are just another app you've downloaded and authorized --- ## Notifications * invalid certs (e.g. expired, revoked) * allow exceptions vs always block * could email domain technical contact * self-signed certs * a crowd-souced notary can inform whether you should trust it * provide certificate pinning for internal services * Lets Encrypt takes away barriers to signed certs * proxies * only allowed via an app you downloaded and authorized (e.g. anti-virus or corporate firewall) * all proxies are prevented by default * provides clear, consistent OS alerts when it is in use --- ## Usability * useful defaults so most users don't need detailed customization * actionable warnings for security violations * users tell us they want notification and consent for proxies * a majority of users *don't* proceed through warnings [1,2] * requires good design, attention to user experience * [Why Johnny Can't Encrypt, A Usability Evaluation of PGP 5.0](http://www.gaudior.net/alma/johnny.pdf) * we have an email encryption system integrated with Gmail, first to get an "A" (excellent) SUS score, 85th to 90th percentile of a large number of systems evaluated with SUS
 [Crying Wolf: An Emplirical Study of SSL Warning Effectiveness](http://static.usenix.org/legacy/events/sec09/tech/full_papers/sec09_browser.pdf), Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. 2009 USENIX Security Symposium.
 [Alice in Warningland: A Large-scale Field Study of Browser Security Warning Effectiveness](http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/41323.pdf), Devdatta Akhawe and Adrienne Porter Felt. 2013 Usenix Security.
--- ## Daniel Zappala zappala.byu.edu firstname.lastname@example.org