The ICSI SSL Notary
Lessons and Insights from a Large-Scale Study of the SSL/TLS Ecosystem
Bernhard Amann
1
, Matthias Vallentin
2
, Robin Sommer
1,3
International Computer Science Institute
1
UC Berkeley
2
Lawrence Berkeley National Laboratory
3
ICSI SSL Notary
Monitor certificates in real-time
Strong research interest in SSL
Problem: lack of data
few measurements
most of them active
spanning a short time
Provide access to the community
Collection Setup
Sites running Bro network monitor
add SSL data collection script
SSL traffic identified using DPD
Result: 2 log files
uploaded to ICSI on rotation
not kept on local machine
collection script distributed via Git
ICSI has no access to raw data
Internet Link
SSL Collection
Script
Bro Server
Logfiles
Bro triggered
sftp upload
ICSI
running Bro network monitor
dd SSL data collection script
traffic identified using DPD
ult: 2 log files
oaded to ICSI on rotation
t kept on local machine
ection script distributed via Git
has no access to raw data
SSL Colle
Script
Logfiles
Interne
Bro Server
Bro triggered
sftp upload
IC
Collection Setup
Sites
a
SSL
Res
upl
no
coll
ICSI
ction
t Link
SI
Collected Features:
Available ciphers
Hash(server session ID)
Analyzer Error
Packet loss
Client TLS extensions
Selected cipher
Content length
Server certificates
Connection history
Server IP
Duration
Server Name Indication
Hash(client IP, server IP)
Ticket lifetime hint
Hash(client IP, SNI)
Timestamp
Hash(client session ID)
Version
running Bro network monitor
dd SSL data collection script
traffic identified using DPD
Result: 2 log files
oaded to ICSI on rotation
t kept on local machine
ection script distributed via Git
has no access to raw data
SSL Colle
Script
Logfiles
Interne
Bro Server
Bro triggered
sftp upload
IC
Co eng
on histor
Server IP
Transpar
Collection Setup
Sites
a
SSL
upl
no
coll
ICSI
ction
t Link
SI
w conceptually si tificatemilar to Cer
Collected Features:
Available ciphers
Hash(server session ID)
Analyzer Error
Packet loss
Client TLS extensions
Selected cipher
ntent l th
Server certificates
Connecti y
Duration
Server Name Indication
Hash(client IP, server IP)
Ticket lifetime hint
Hash(client IP, SNI)
Timestamp
Hash(client session ID)
Version
Vie ency
Notary Data Providers
Certs
Certs
Duration
Site
Users
Sessions
Total
Filtered
(days)
University 1
90,000
36M
631K
6.2G
339
University 2
50,000
569K
292K
4.7G
280
University 3
3,000
14K
8.8K
10M
142
University 4
30,000
193K
121K
517M
126
University 5
100,000
355K
195K
3.3G
118
University 6
10,000
55K
40K
468M
99
Research Lab 1
250
443K
35K
72M
350
Research Lab 2
4,000
171K
98K
747M
304
Gov. Network
50,000
137K
127K
228M
317
Backbone Net.
30,000
18K
18K
65M
107
Total (Unique)
314,250
37.5M
842K
16.3G
-
Connections per Hour
Server distribution
Top connection Ciphers
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
0 10 20
Percent of connections
Top ciphers
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Top connection Ciphers
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
0 10 20
Percent of connections
Top ciphers
Google
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
Owner
Symantec
GoDaddy
Comodo
Symantec
GlobalSign
Comodo
DigiCert
Symantec
Symantec
Symantec
Certificate Issuers
Root
19%
GeoTrust
18%
Go Daddy
12%
AddTrust
10%
VeriSign (1)
6.1%
GlobalSign
5.0%
USERTRUST
4.6%
DigiCert
4.0%
Thawte (1)
3.8%
Thawte (2)
3.4%
VeriSign (2)
Certificate Issuers
Root
Owner
19%
GeoTrust
Symantec
18%
Go Daddy
GoDaddy
12%
AddTrust
Comodo
10%
VeriSign (1)
Symantec
6.1%
GlobalSign
GlobalSign
5.0%
USERTRUST
Comodo
4.6%
DigiCert
DigiCert
4.0%
Thawte (1)
Symantec
3.8%
Thawte (2)
Symantec
3.4%
VeriSign (2)
Symantec
Certificate Issuers
Root
Owner
Used Roots
Owner
19%
GeoTrust
Symantec
42%
13
Symantec
18%
Go Daddy
GoDaddy
20%
3
GoDaddy
12%
AddTrust
Comodo
19%
5
Comodo
10%
VeriSign (1)
Symantec
6.3%
2
GlobalSign
6.1%
GlobalSign
GlobalSign
4.6%
3
DigiCert
5.0%
USERTRUST
Comodo
3.1%
3
Entrust
4.6%
DigiCert
DigiCert
1.5%
1
StartCom
4.0%
Thawte (1)
Symantec
1.2%
3
Verizon
3.8%
Thawte (2)
Symantec
0.87%
2
Trustwave
3.4%
VeriSign (2)
Symantec
0.47%
1
Telekom
6HUYHU&$
&$
OHUL
7'&66/6HUYHU&$
0LFURVHFH6]LJQR5RRW&$
(QWUXVW&HUWLILFDWLRQ$XWKRULW\/(
9HUL6LJQ&ODVV([WHQGHG9DOLGDWLRQ66/&$
9HUL6LJQ&ODVV6HFXUH6HUYHU&$7
'LJL&HUW*OREDO&$
7'&,QWHUQHW5RRW&$
:HOOV6HFXUH3XEOLF5RRW&HUWLILFDWH$XWKRULW\
:HOOV6HFXUH&HUWLILFDWH$XWKRULW\
$GYDQFHG&ODVVH6]LJQR&$
&RUSRUDWH&$
%X\SDVV&ODVV&$
9HUL6LJQ&ODVV([WHQGHG9DOLGDWLRQ6*&&$7
'LJL&HUW*OREDO5RRW&$
7UXVWZDYH2UJDQL]DWLRQ9DOLGDWLRQ&$/HYHO
9LUJLQLD7HFK*OREDO6HUYHU&$
(QWUXVW5RRW&HUWLILFDWLRQ$XWKRULW\
9HUL6LJQ&ODVV3XEOLF3ULPDU\&HUWLILFDWLRQ$XWKRULW\*
9HUL6LJQ&ODVV([WHQGHG9DOLGDWLRQ66/6*&&$
7UXVWZDYH([WHQGHG9DOLGDWLRQ&$/HYHO
6RXWKHUQ&RPSDQ\([WHUQDO,VVXLQJ&$
*OREDO6LJQ2UJDQL]DWLRQ9DOLGDWLRQ&$*
'LJL&HUW+LJK$VVXUDQFH(9&$
7UXVWZDYH2UJDQL]DWLRQ9DOLGDWLRQ&$/HYHO
9HUL6LJQ&ODVV([WHQGHG9DOLGDWLRQ&$7
6RXWKHUQ&RPSDQ\([WHUQDO3ROLF\&$
1HW/RFN8]OHWL&ODVV%7DQXVLWYDQ\NLDGR
9HUL6LJQ&ODVV,QWHUQDWLRQDO6HUYHU&$7
:R6LJQ&ODVV296HUYHU&$
$OSKD66/&$*
7UXVWZDYH'RPDLQ9DOLGDWLRQ&$/HYHO
$77:L)L6HUYLFHV5RRW&HUWLILFDWH$XWKRULW\
(7XJUD(%*:HE6XQXFX6HUWLILND+L]PHW6DßOD\ñFñVñ
'LJL&HUW+LJK$VVXUDQFH&$
6HFXUH7UXVW&$
$XV&(576*&6HUYHU&$
7%ð7$.8(.$(.¶N6HUWLILND+L]PHW6DßOD\ñFñVñ6¼U¼P
7UXVWZDYH2UJDQL]DWLRQ,VVXLQJ&$/HYHO
*OREDO6LJQ'RPDLQ9DOLGDWLRQ&$*
*LHVHFNHDQG'HYULHQW&RUSRUDWH&$
*OREDO6LJQ5RRW6LJQ3DUWQHUV&$
(%*:HE6XQXFX6HUWLILND+L]PHW6DßOD\ñFñVñ
'67$&(6&$;
)RUG0RWRU&RPSDQ\(QWHUSULVH&$
0LFURV,QWHUQDO&$
:R6LJQ6*&6HUYHU$XWKRULW\
'LJL&HUW+LJK$VVXUDQFH(95RRW&$
(%*(OHNWURQLN6HUWLILND+L]PHW6DßOD\ñFñVñ
9LUJLQLD7HFK*OREDO5RRW&$
&HUWLILFDWLRQ$XWKRULW\RI:R6LJQ
%RR]$OOHQ+DPLOWRQ&$
*DQGL6*&66/&$
%HOJLXP5RRW&$
*OREDO6LJQ([WHQGHG9DOLGDWLRQ&$*
&LKD]6HUWLILNDVñ+L]PHW6DßOD\ñFñVñ6¼U¼P
'67$&(6'HYLFH&$$
*RYHUQPHQW&$
)RUG0RWRU&RPSDQ\(QWHUSULVH,VVXLQJ&$
*OREDO6LJQ5RRW&$
0LFURV&$
&HUWLJQD66/35,6
*OREDO6LJQ2UJDQL]DWLRQ9DOLGDWLRQ&$
$OSKD&$
*OREDO6LJQ'RPDLQ9DOLGDWLRQ&$
*RYHUQPHQW&$
9HUL6LJQ&ODVV3XEOLF3ULPDU\&HUWLILFDWLRQ$XWKRULW\
6WDUW&RP&ODVV3ULPDU\,QWHUPHGLDWH6HUYHU&$
;5DPS*OREDO&HUWLILFDWLRQ$XWKRULW\
$&)LUPDSURIHVLRQDO&$
*OREDO6LJQ([WHQGHG9DOLGDWLRQ&$
:R6LJQ&ODVV'96HUYHU&$
*OREDO6LJQ
6*758676*&&(57,),&$7,21$87+25,7<
6WDDWGHU1HGHUODQGHQ5RRW&$
7KDZWH6*&&$*
6WDUW&RP&HUWLILFDWLRQ$XWKRULW\
'5($0+26766/&$
*OREDO66/'RPDLQ9DOLGDWLRQ66/&$
6WDUW&RP&ODVV,QWHUPHGLDWH&$-DQ5DLQ,QF
5HJLVWHUFRP&$66/6HUYLFHV'9
9HUL6LJQ&ODVV6HFXUH6HUYHU&$*
H%L]1HWZRUNV&HUWLILFDWH6HUYLFHV
$XWRULGDGGH&HUWLILFDFLRQ)LUPDSURIHVLRQDO&,)$
6WDUW&RP([WHQGHG9DOLGDWLRQ6HUYHU&$
*HWURQLFV3LQN5RFFDGH3.,RYHUKHLG&$2YHUKHLGHQ%HGULMYHQ
&HUWLJQD
6WDUW&RP&ODVV3ULPDU\,QWHUPHGLDWH6HUYHU&$
871'$7$&RUS6*&
3RVLWLYH66/&$
&6366/6HUYLFH&$
78'UHVGHQ&$*
)+:)&$
+:5%HUOLQ&$
6WDUW&RP&ODVV3ULPDU\,QWHUPHGLDWH6HUYHU&$
+HOPKROW]=HQWUXPIXHU,QIHNWLRQVIRUVFKXQJ
6WDDWGHU1HGHUODQGHQ2YHUKHLG&$
FHUW6,*1(QWHUSULVH&$&ODVV
)+6:)&$
:HE6SDFH)RUXP6HUYHU&$
5%&+&+LJK$VVXUDQFH6HUYLFHV&$
7(5(1$H6FLHQFH66/&$
29+6HFXUH&HUWLILFDWLRQ$XWKRULW\
9HUL6LJQ&ODVV,QWHUQDWLRQDO6HUYHU&$*
&DPHUILUPD&RUSRUDWH6HUYHU
)DFKKRFKVFKXOH$DFKHQ&$*
9HUL6LJQ,QWHUQDWLRQDO6HUYHU&$&ODVV
7KH&RGH3URMHFW3UHPLXP66/6HFXULW\&$
:+==ZLFNDX&$
29+6HFXUH&HUWLILFDWLRQ$XWKRULW\
'.5=&$*
125'$.$'(0,(&$
&HUWLJQD66/
9HUL6LJQ&ODVV3XEOLF3ULPDU\&HUWLILFDWLRQ$XWKRULW\*
*DQGL6WDQGDUG66/&$
3UHPLXP66/*HQLH
8QLYHUVLWDHW*LHVVHQ6&$*
78'RUWPXQG&$*
'/5&$*
+RFKVFKXOH%UHPHQ&$
&KDPEHUVRI&RPPHUFH5RRW
)ODVK66/*HQLH
6*75867&(57,),&$7,21$87+25,7<
6HFXUH%XVLQHVV6HUYLFHV&$
FHUW6,*15227&$
%6%&$
+6=,*5&$
8QL:XSSHUWDO&$
8QLYHUVLWDHW2OGHQEXUJ3.,
87186(5)LUVW+DUGZDUH
2UDFOH66/&$
+RFKVFKXOH0XHQFKHQ&$
,3.*DWHUVOHEHQ&$*
2SWLPXP66/&$
580&$*=HUWLIL]LHUXQJVLQVWDQ]
5RRW&$*HQHUDOLWDW9DOHQFLDQD
78&ODXVWKDO&$*
7KDZWH6HUYHU&$
$XV&(576HUYHU&$
:R6LJQ3UHPLXP6HUYHU$XWKRULW\
+60DJGHEXUJ6WHQGDO)+&$*
3+)5&$
:HE6SDFH)RUXP(VVHQWLDO&$
(XURSHDQ66/6HUYHU&$
*6,&$
5+5.&$*
5HJLVWHUFRP&$66/6HUYLFHV29
8QLYHUVLWDHW-HQD&$*
:,6H.H\&HUWLI\,'$GYDQFHG6HUYLFHV&$
76\VWHPV6I5&$
:R6LJQ6HUYHU$XWKRULW\
7X7HFK,QQRYDWLRQ*PE+
$&&9&$
9HUL6LJQ&ODVV6HFXUH6HUYHU&$
-*8&$*
*OREDO81,78(&$
81,))0&$
&11,&'466/
'LJL6LJQ&$'LJL66/;V
+7:./HLS]LJ&$
')19HUHLQ&$6HUYLFHV
*DQGL3UR66/&$
8QLYHUVLWDHW+DOOH&$
)+0XHQVWHU&$*
1HW/RFN([SUHVV]&ODVV&7DQºVWY¡Q\NLDG³
5:7+$DFKHQ&$
:,6H.H\&HUWLI\,'$GYDQFHG*&$
+HOPKROW]=HQWUXP0XHQFKHQ&$*
'5($0+26766/'20$,19$/,'$7('&$
'LJL6LJQ&$'LJL66/;S
9HUL6LJQ&ODVV3XEOLF3ULPDU\&HUWLILFDWLRQ$XWKRULW\
'(6<&$*
&11,&66/
3+/XGZLJVEXUJ&$*
'56&$*
',:%HUOLQ&$
1HWZRUN6ROXWLRQV&HUWLILFDWH$XWKRULW\
67,)781*35(866,6&+(5.8/785%(6,7=&$
=,9,7&$*
&11,&5227
2,67(:,6H.H\*OREDO5RRW*$&$
+6)XOGD&$*
)+5HJHQVEXUJ&$
,QWHVD6DQSDROR6S$&$6HUYL]L(VWHUQL
+68&$*
75.75867(OHNWURQLN6HUWLILND+L]PHW6DßOD\ñFñVñ
*:'*&$
&$GHU8QLYHUVLWDHW%LHOHIHOG*
1HW/RFN]OHWL&ODVV%7DQºVWY¡Q\NLDG³
7L+R+DQQRYHU&$
75.75867(OHNWURQLN6XQXFX6HUWLILNDVñ+L]PHW
%9%&$
76\VWHPV6I5&$
$2/0HPEHU&$
7(5(1$66/&$
1HW/RFN$UDQ\&ODVV*ROG)đWDQºVWY¡Q\
(XURSHDQ66/+LJK$VVXUDQFH6HUYHU&$
+6:2(&$*
+I:8
&6366/6HUYLFH&$
+60DQQKHLP&$
8$8;&$
)DFKKRFKVFKXOH+DQQRYHU&$
78%&$
8QL2VQDEUXHFN5=&$*
8QL.RHOQ&$
7&7UXVW&HQWHU66/&$,
(623.,*
/5=&$*
&HUWXP([WHQGHG9DOLGDWLRQ&$
DGLGDV(0($,VVXLQJ&$
0DVWHU&DUG3XEOLF6XE&$*HQ
(XURSD8QLYHUVLWDHW9LDGULQD&$
')19HUHLQ*6&$*
&$GHU/8+8+&$*
')1:L16KXWWOH&$*
)9%HUOLQ3.,&$
)+(/&$
(TXLID[6HFXUH&HUWLILFDWH$XWKRULW\
&HUWXP7UXVWHG1HWZRUN&$
*HR7UXVW3ULPDU\&HUWLILFDWLRQ$XWKRULW\
$PHULFD2QOLQH5RRW&HUWLILFDWLRQ$XWKRULW\
0DVWHU&DUG3XEOLF5RRW&$*HQ
,QWHVD6DQSDROR6S$&$5RRW,QWHUQD
*56&$
*RRJOH,QWHUQHW$XWKRULW\
H/HDGHU*OREDO&ODVV&$Y
/08&$
8QL.LHO&$*
8QLYHUVLWDHW*RHWWLQJHQ&$
&\EHUWUXVW3XEOLF,VVXLQJ&$
+6$QKDOW&$*
(UQVW0RULW]$UQGW8QLYHUVLWDHW*UHLIVZDOG*
)+:&$
8QL.DVVHO&HUWLILFDWLRQ$XWKRULW\8QL.DVVHO&$*
81,:8(&$*
78&KHPQLW]&HUWLILFDWLRQ$XWKRULW\78&85=&$*
)DFKKRFKVFKXOH/XHEHFN&$*
+RFKVFKXOH/DXVLW]&$
03,*HPHLQVFKDIWVJXHWHU&$
78%HUJDNDGHPLH)UHLEHUJ&$78%$)&$
,QWHO([WHUQDO%DVLF,VVXLQJ&$%
+$:+DPEXUJ&$*
*OREDO8QL8OP&$
56$6HFXULW\9
,QWHO([WHUQDO%DVLF3ROLF\&$
&LVFR66&$
7DL&$6HFXUH&$
$QWKHP,QF&HUWLILFDWH$XWKRULW\
)ULW]+DEHU,QVWLWXW&$
65++RFKVFKXOH+HLGHOEHUJ&$*
*HR7UXVW([WHQGHG9DOLGDWLRQ66/&$
+$:&$
=,%&$
0LFURVRIW,QWHUQHW$XWKRULW\
H6]LJQR66/&$
)+52&$*
+HOPKROW]=HQWUXPIXHU8PZHOWIRUVFKXQJ*PE+8)=&$*
(QWUXVW&HUWLILFDWLRQ$XWKRULW\/%
*(6,6&$
,QWHO([WHUQDO%DVLF,VVXLQJ&$$
5XKU8QLYHUVLWDHW%RFKXP&$
)+22:&$*
+)8&$*
6HPSUD(QHUJ\6HFXUH6HUYHU&$
%8:HLPDU&$*
2QOLQH66/+LWHOHVWđ$OHJ\V©J2QOLQH66/&$
7HOVWUD5663ROLF\&$
=HUWLIL]LHUXQJVVWHOOHGHU780
&$8QLYHUVLWDHWGHV6DDUODQGHV
+I07+DPEXUJ&$*
=HUWLIL]LHUXQJVVWHOOH8QLYHUVLWDHW0XHQVWHU*
7HFKQLVFKH)DFKKRFKVFKXOH*HRUJ$JULFROD]X%RFKXP&$
H/HDGHU*OREDO&$Y
'LJL1RWDU6HUYLFHV&$
:=%&$
%$:&$
)$8&$
,QIR&HUW&HUWLILFDWLRQ$XWKRULW\
0LFURVRIW6HFXUH6HUYHU$XWKRULW\
,$663RWVGDP&$
7UXVWHG6HFXUH&HUWLILFDWH$XWKRULW\
)=-&HUWLILFDWLRQ$XWKRULW\*
+RFKVFKXOH2IIHQEXUJ&$
'675RRW&$;
EJUFD
6HPSUD(QHUJ\,QWHUQHW$XWKRULW\
+0,&$*
8QL'RUWPXQG&$*
1HW/RFN([SUHVV]&ODVV&7DQXVLWYDQ\NLDGR
86(57UXVW/HJDF\6HFXUH6HUYHU&$
)='&$*
DGLGDV*OREDO,QWHUPHGLDWH&$
&KDULWH&$*
KE]15:&$*
$$$&HUWLILFDWH6HUYLFHV
7HOVWUD566,VVXLQJ&$
$OIUHG:HJHQHU,QVWLWXW&$*
)HUQ8QLYHUVLWDHWLQ+DJHQ*OREDO&$
')19HUHLQ3&$*OREDO*
+*%/HLS]LJ&$*
,QVWLWXWIXHU:HOWZLUWVFKDIWDQGHU8QLYHUVLWDHW.LHO&$*
+RFKVFKXOH'HJJHQGRUI&$*
&202'23UR6HULHV6HFXUH6HUYHU&$
*HWURQLFV&63-XVWLWLH&$*
<DQGH[([WHUQDO&$
',3)&$*
8QL0DUEXUJ&$*
:HOOV)DUJR&HUWLILFDWH$XWKRULW\
')1&(576HUYLFHV*PE+&$*
(,163.,3XEOLF&HUWLILFDWLRQ$XWKRULW\
0LFURVHFH6]LJQR5RRW&$
8G.%HUOLQ&$
%6=%:&$*
)DFKKRFKVFKXOH:XHU]EXUJ6FKZHLQIXUW&$)+:6&$
08/7,&(57&$
78,OPHQDX&$
)DFKKRFKVFKXOH.LHO
8QLYHUVLWDHW3DGHUERUQ&$*
7UXVW6LJQ%5&HUWLILFDWLRQ$XWKRULW\(9
+6.$&$
)+%&$
7KH:DOW'LVQH\&RPSDQ\&$
(QWUXVWQHW6HFXUH6HUYHU&HUWLILFDWLRQ$XWKRULW\
+$:.++*&$*
7HFKQLVFKH8QLYHUVLWDHW%UDXQVFKZHLJ&$
2KP&$*
8++&$*
0DWKHPDWLVFKHV)RUVFKXQJVLQVWLWXW2EHUZROIDFKJ*PE+&$*
*HWURQLFV&632UJDQLVDWLH&$*
*7(&\EHU7UXVW*OREDO5RRW
'1%&$
7)+%HUOLQ&$
WKDZWH([WHQGHG9DOLGDWLRQ66/
&\EHUWUXVW-DSDQ3XEOLF&$
)DFKKRFKVFKXOH1RUGKDXVHQ&$*
*HR)RUVFKXQJV=HQWUXP3RWVGDP&$*
%D\HU*URXS([WHUQDO6HUYHU&$
+6$DOHQ&$*
$GYDQFHGH6]LJQR&$
+7:'UHVGHQ&$*
*OREH66/&$
,77HOHFRP*OREDO&$
)+:&$*
%/%.DUOVUXKH&$
7KH:DOW'LVQH\&RPSDQ\(QWHUSULVH&$
&$GH&HUWLILFDGRV66/(9
8QL.RQVWDQ]&$6
'HXWVFKH.LQHPDWKHN&$
7)+:LOGDX&$
%78&$*
)DFKKRFKVFKXOH/DQGVKXW&$*
WKDZWH3ULPDU\5RRW&$
=RUJ&63&$*
,]HQSHFRP
&DGHQFH,QWHUQHW$XWKRULW\
81,9(56,7$(7/(,3=,*&$
8QL5HJHQVEXUJ&$*
/6.1&$
8QL)OHQVEXUJ&$
+=%&$
([SHULDQ3ULPDU\&$
*'76XE&$3XEOLF
,13*UHLIVZDOG&$
66/FRP3UHPLXP(9&$
37%&$
)UDXQKRIHU6HUYLFH&$*
+DIHQ&LW\8QLYHUVLWDHW+DPEXUJ&$*
'HXWVFKH7HOHNRP$*/DERUDWRULHV&$*
78'&$*
8QL)5&$*
)$/XGZLJVEXUJ&$
=29$56HUYHU&$*
$FWDOLV6HUYHU$XWKHQWLFDWLRQ&$
0DUNVDQG6SHQFHU*URXSSOF([WHUQDOVXE&$
6WDDWGHU1HGHUODQGHQ2UJDQLVDWLH&$*
$HWQD,QF&HUWLILFDWH$XWKRULW\
,):'UHVGHQ&$
8QLYHUVLWDHW'XLVEXUJ(VVHQ&$*
8QLYHUVLWDHW(UIXUW&$*
*(20$5&$*
&202'2([WHQGHG9DOLGDWLRQ6HFXUH
*'7(QW6XE&$3XEOLF
03,=&$
&202'2&HUWLILFDWLRQ$XWKRULW\
6DFKVHQ*OREDO&$
8QLYHUVLWDHW3DVVDX&$*
+65:&$
66/%OLQGDGR(9
DVLJQ66/
4XR9DGLV&633.,2YHUKHLG&$*
&DPSXV%HUOLQ%XFK&$*
)+$XJVEXUJ&$*
.31&RUSRUDWH0DUNHW&632UJDQLVDWLH&$*
+7:*.1&$
0++&$
+RFKVFKXOH%RQQ5KHLQ6LHJ&$*
78++&$LQ')13.,*OREDO*
8=,UHJLVWHU6HUYHU&$*
+RFKVFKXOH+HLOEURQQ&$*
&\EHUWUXVW6XUH6HUYHU6WDQGDUG9DOLGDWLRQ&$
&$GHU8QLYHUVLWDHW]X/XHEHFN
+60HUVHEXUJ&$
&202'2+LJK$VVXUDQFH6HFXUH6HUYHU&$
([SHULDQ3UG6XE&$
0'5&$
+6:*7&$*
&RPWUXVW6HUYHU&HUWLILFDWLRQ$XWKRULW\
6LHPHQV,VVXLQJ&$&ODVV,QWHUQHW6HUYHU9
)+)UDQNIXUWD0&$
)&+&$*
9ROXVLRQ,QF'966/&$
03*&$
6WDDWGHU1HGHUODQGHQ5RRW&$*
&DGHQFH6HFXUH6HUYHU$XWKRULW\
&RP6LJQ6HFXUHG&$
'HXWVFKHU%XQGHVWDJ&$*
)DFKKRFKVFKXOH%LHOHIHOG
+RFKVFKXOHIXHU7HFKQLNXQG:LUWVFKDIW%HUOLQ
'.)=&$
)+&REXUJ&$
)+'2&$*OREDO*
+,6*PE+&$
&RP6LJQ6HUYHU&$
05*,VVXLQJ&$
+RFKVFKXOHIXHUDQJHZDQGWH:LVVHQVFKDIWHQ)++RI&$*
&RPWUXVW8VHU&HUWLILFDWLRQ$XWKRULW\
&RPWUXVW5RRW&HUWLILFDWLRQ$XWKRULW\
)+1HX8OP&$*
8QL0DJGHEXUJ&$
&\EHUWUXVW3XEOLF6XUH6HUYHU(9&$
*HR7UXVW*OREDO&$
)DFKKRFKVFKXOH*LHVVHQ)ULHGEHUJ&$*
.,7&$
(VVHQWLDO66/&$
$7UXVWQ4XDO
&\EHUWUXVW-DSDQ(9&$*
8QL%DPEHUJ&$*
0XVLNKRFKVFKXOH/XHEHFN&$*
'HXWVFKHU:HWWHUGLHQVW&$*
/X[7UXVWURRW&$
/,.$7&$
03,I*&$
*HR7UXVW66/&$
5DSLG66/(QWHUSULVH&$
'+%:&$*
8QL%Z0&$*
8QLYHUVLWDHW%RQQ&$
05*,QWHUPHGLDWH&$
,QWHUPHGLDWH&HUWLILFDWH'966/&$
+7:0&$
&202'2([WHQGHG9DOLGDWLRQ6HFXUH6HUYHU&$
&\EHUWUXVW*OREDO5RRW
'20(1<3/(9&HUWLILFDWLRQ$XWKRULW\
8QL+RKHQKHLP&$*
&HUWLQRPLV$XWRULW©5DFLQH
/HXSKDQD8QLYHUVLWDHW/XHQHEXUJ&$
8QL5RVWRFN&$*
+62:/&$*
(TXLID[6HFXUH*OREDOH%XVLQHVV&$
+(&$*
8QLYHUVLWDHW3RWVGDP&$*
*HR7UXVW'966/&$
3RVWHFRP&6
5DSLG66/&$
&\EHUWUXVW6XUH6HUYHU(9&$
*RRJOH,QF&$
-DFREV8QLYHUVLW\&$*
+RFKVFKXOH2VQDEUXHFN&$*
+8&$
7&7UXVW&HQWHU&ODVV/&$;,
&HUWLQRPLV$&©WRLOH
$FWDOLV$XWKHQWLFDWLRQ&$*
7&7UXVW&HQWHU&ODVV([WHQGHG9DOLGDWLRQ&$,,
6FKORVV'DJVWXKO/=,*PE+&$*
.DWK8QLYHUVLWDHW(LFKVWDHWW,QJROVWDGW&$*
+%&*OREDO&$*
1HW/RFN.R]MHJ\]RL&ODVV$7DQXVLWYDQ\NLDGR
/X[7UXVW4XDOLILHG&$
8QL+'&$
'LJLW3$&$
8QLYHUVLWDHW%D\UHXWK&$81,%7&$*
3++HLGHOEHUJ&$
)UHLH8QLYHUVLWDHW%HUOLQ)8&$*
7&7UXVW&HQWHU&ODVV&$,,
$&0LQLVW¨UH
&\EHUWUXVW3XEOLF6XUH6HUYHU69&$
%XQGHVDPWIXHU.DUWRJUDSKLHXQG*HRGDHVLH&$
8QLYHUVLWDHW6WXWWJDUW&$*
6ZLVV6LJQ*ROG&$*
8QLYHUVLWDHW%UHPHQ&$
&$&DPHUILUPD([SUHVV&RUSRUDWH6HUYHU
'LJL&HUW$VVXUHG,'5RRW&$
.(<1(&7,6([WHQGHG9DOLGDWLRQ&$
7HOH6HF6HUYHU3DVV&$
&HUWXP/HYHO,,&$
$&5DFLQH
8QL6LHJHQ&$*
&HUWXP/HYHO,9&$
8QL'XHVVHOGRUI&$*
$&&$0(5),50$$$33
)+)OHQVEXUJ&$*
0,1(),$&7(/(352&('85(6
$&6HUYHXUV
,*&$
&$GHU8QLYHUVLWDHW]X/XHEHFN
)UDXQKRIHU5RRW&$
&HUWXP&$
+RFKVFKXOH'DUPVWDGW
1HWZRUN6ROXWLRQV(966/&$
-DFN+HQU\*URXS&$,
1HVWOH([WHUQDO&$
6LHPHQV,QWHUQHW&$9
')1&$*OREDO
'HXWVFKH7HOHNRP5RRW&$
%DOWLPRUH&\EHU7UXVW5RRW
'LJL&HUW$VVXUHG,'&$
&HUWXP/HYHO,,,&$
$&5DFLQH
&\EHUWUXVW-DSDQ3XEOLF&$*
)UDXQKRIHU6HUYLFH&$
0,1(),$8725,7('(&(57,),&$7,215$&,1(
$&&DPHUILUPD([SUHVV&RUSRUDWH6HUYHUY
&ODVV3ULPDU\&$
*R'DGG\&ODVV&HUWLILFDWLRQ$XWKRULW\
$&-25DFLQH
-DFN+HQU\$SSOLFDWLRQ&$,
&HUWXP*OREDO6HUYLFHV&$
6KRSHUn66/
$&0LQLVWHUH6HFWHXUSXEOLFGHYHORSSHPHQWGXUDEOH
6LHPHQV,VVXLQJ&$&ODVV,QWHUQHW6HUYHU
6KDUHG%XVLQHVV&$
7:&$6HFXUH&$
$&',/$,QIUD
&KDPEHUVRI&RPPHUFH5RRW
7&7UXVW&HQWHU&ODVV/&$,;
&/$66.(<1(&7,6&$
$&,QIUDVWUXFWXUH
7:&$6HFXUH&HUWLILFDWLRQ$XWKRULW\
7%6;&$6*&
9HUL6LJQ&ODVV6HFXUH2);&$*
$&6HUYHXUV6HFWHXUSXEOLFGHYHORSSHPHQWGXUDEOH
1HWZRUN6ROXWLRQV&HUWLILFDWH$XWKRULW\
$&5DFLQH6HFWHXUSXEOLFGHYHORSSHPHQWGXUDEOH
7&7UXVW&HQWHU8QLYHUVDO&$,
9HUL6LJQ&ODVV3XEOLF3ULPDU\&HUWLILFDWLRQ$XWKRULW\*
$&&(57,120,666/
$GPLQ&$&'7
*OREH66/&$
9HUL6LJQ&ODVV6HFXUH6HUYHU&$*
$$$&HUWLILFDWH6HUYLFHV
7&7UXVW&HQWHU&ODVV&$,,
6WDUILHOG6HFXUH&HUWLILFDWLRQ$XWKRULW\
86(57UXVW+LJK$VVXUDQFH6HFXUH6HUYHU&$
1HWZRUN6ROXWLRQV(96HUYHU&$
7KDZWH66/&$
*R'DGG\6HFXUH&HUWLILFDWLRQ$XWKRULW\
9HUL6LJQ&ODVV6HFXUH6HUYHUELW&$*
,QQR66/7UXVW6LJQ'9&HUWLILFDWLRQ$XWKRULW\
7&7UXVW&HQWHU&ODVV,,/&$,9
6XQ0LFURV\VWHPV,QF66/&$
&UD]\'RPDLQV29&HUWLILFDWLRQ$XWKRULW\
KWWSZZZYDOLFHUWFRP
3RVLWLYH66/&$
9LVDH&RPPHUFH5RRW
7UXVWHG6HFXUH&HUWLILFDWH$XWKRULW\
8,6,QW%&$
7KDZWH3UHPLXP6HUYHU&$
66/%OLQGDGR
8,6,VX%&$
66/FRP+LJK$VVXUDQFH&$
7KDZWH'966/&$
6WDUILHOG6HFXUH&HUWLILFDWLRQ$XWKRULW\
H9LVD
(QWUXVW&HUWLILFDWLRQ$XWKRULW\/&
7KDZWH6*&&$
6WDUILHOG&ODVV&HUWLILFDWLRQ$XWKRULW\
6HFXUH%XVLQHVV6HUYLFHV&$
-XXU6.
(QWUXVWQHW&HUWLILFDWLRQ$XWKRULW\
,QQR66/7UXVW6LJQ29&HUWLILFDWLRQ$XWKRULW\
./$666.
(QWUXVW(GXFDWLRQ6KDUHG6HUYLFH3URYLGHU
7UHQG0LFUR&$
$GG7UXVW([WHUQDO&$5RRW
&202'2+LJK$VVXUDQFH6HFXUH6HUYHU&$
(QWUXVW0DQDJHG6HUYLFHV&RPPHUFLDO3XEOLF5RRW&$
$IILUP7UXVW1HWZRUNLQJ
86(57UXVW6HFXUH6HUYHU&$
:HOOV)DUJR5RRW&HUWLILFDWH$XWKRULW\
7%6;&$SURKRVWLQJ
6HFXUH6LJQ3XEOLF&$
7KH:DOW'LVQH\&RPSDQ\,VVXLQJ&$
'LJL&HUW*OREDO&$
*OREH66/&$
:HOOV)DUJR(QWHUSULVH&$
0DUNHW:DUH6HUYHU&$
1HWZRUN6ROXWLRQV'96HUYHU&$
7KH:DOW'LVQH\&RPSDQ\5RRW&$
%X\SDVV&ODVV&$
&202'266/&$
'20(1<3/29&HUWLILFDWLRQ$XWKRULW\
&UD]\'RPDLQV'9&HUWLILFDWLRQ$XWKRULW\
66/FRP)UHH66/&$
6HFXUH6LJQ5RRW&$
7%6;&$EXVLQHVV
+RQJNRQJ3RVWH&HUW&$
+RQJNRQJ3RVW5RRW&$
,Q&RPPRQ6HUYHU&$
*OREDO7UXVW&HUWLILFDWLRQ$XWKRULW\
'20(1<3/'9&HUWLILFDWLRQ$XWKRULW\
7UXVW6LJQ%5&HUWLILFDWLRQ$XWKRULW\29
LFHZDUSFRP,FH:DUS'RPDLQ9DOLGDWLRQ&HUWLILFDWLRQ$XWKRULW\
&202'266/&$
http://notary.icsi.berkeley.edu/trust-tree
CA Incidents: Türktrust
Attacked clients' view
TÜRKTRUST Root
TÜRKTRUST
Intermediate
*.ego.gov.tr
…bankasi.org
*.
google.com
World view
Equifax Root
Google CA
*.google.com
Türktrust issued two CA certificates to two of their customers
Reason: wrong profiles were copied between test and production
At some point one of the sites apparently noticed
...and began to MITM their local users
CA Attacks: RapidSSL, Flame
RapidSSL: MD5 collision attack
GeoTrust Global CA
Demonstrated at CCC
Not enough certificate entropy
Predicatable serial & timestamp
RapidSSL
CA
Equifax
Repeated by flame
with higher amount of entropy
Same Hash
…shirt.phreedom.org
Attackers had to predict
timestamp with millisecond
resolution
Other CA Incidents
UTN-USERFirst-Hardware
Comodo: certificates for
google, mozilla, live.com,
login.yahoo.com www.google.com
skype, ...
login.skype.com
DigiNotar: completely compromised CA
*.
google.com, *.skype.com, *.*.com
intermediate CAs
enabled for EV
Trustwave: issued intermediate CA for DLP system
Changes in January 2013
741,424 total certificates
489,551 valid
80,477 new
54,321 validate correctly
40,885 are for “new” domains
9,400 match exactly one other certificate
1,382 match more than 20
224 match more than 100
Legitimate Changes: Foursquare
GlobalSign Root
DigiCert Root
*.foursquare.com
*.foursquare.com
*.foursquare.com
DigiCert
Akamai
GTE CyberTrust Root
GlobalSign
Several well-known certificates
Suddenly a new certificate for the same domain
appears
Other Changes we see
Old certificate New certificate
New intermediates for
Entrust
Digital Signature Trust
known domains
Entrust Identrust
Suddenly appearing new
…delaware.gov
certificates for banks,
…delaware.gov
e.g. americanexpress.com
Switches of CA countries
nova scotia department of education,
privacybox.de to Israel
zekur.nl from US to Bermudas
Validity Overlap
0.00
0.25
0.50
0.75
1.00
ECDF
365 730 1095 1460
Time (days)
Proposed Remedies
User-side monitoring
Monitoring for CA country changes
Notary systems
Certificate Transparency
Proposed Remedies
User-side monitoring
Monitoring for CA country changes
Not practical
Notary systems
Certificate Transparency
Proposed Remedies
User-side monitoring
Monitoring for CA country changes
Notary systems
Not practical
Privacy and other problems
Certificate Transparency
er-side monitoring
onitoring for CA country changes
otary systems
tificate Transparency
Proposed Remedies
Us
M
N
Cer
Not practical
CT opens up possibilities...
parties can prove possession of old keys
to CA while requesting certificate
in new certificate extension
or pin new key to their domain
Summary
Our notary is an on-going large-scale
measurement effort
It seems impractical to spot malicious
certificates using only structural properties
Resolving these problems involves multiple
actors
