Vulnerabilities in Web Security Certificates

Monday, November 2, 2015 @ 11:11 AM gHale

Consumers use the Internet for banking, emailing, shopping and much more these days. With so much personal and private information transmitted over the Web, Internet users must be able to rely on and trust the sites they are accessing.

For security purposes, websites use certificates to establish encrypted, authenticated connections. When a site is compromised, its certificate should be revoked so that clients stop trusting it.


There is now an end-to-end evaluation of the Web’s certificate revocation ecosystem, which includes website administrators that obtain and revoke certificates, certificate authorities that publish a list of revoked certificates, and browsers that check the revocation list to authenticate a website.

Results of the evaluation reveal that website administrators are serving a large number of revoked certificates, certificate authorities are not using newer processes for distributing revocations, and Web browsers are not checking whether certificates have been revoked. The findings indicate all participants in the revocation ecosystem must improve their performance to fulfill their responsibilities and ensure the system works.

“The findings paint a bleak picture, because users put an immense amount of trust into the browsers they use and the websites they visit to do what is necessary to protect their security,” said study co-author Dave Levin, an assistant research scientist at the University of Maryland Institute for Advanced Computer Studies.

Levin conducted the study with researchers from Stanford University, Northeastern University, Duke University and Akamai Technologies.

Secure online communication requires authentication, a user's ability to determine with whom he or she is communicating. Central to achieving authentication on the Web is a system known as the Public Key Infrastructure (PKI), in which certificate authorities issue certificates that bind a website's identity to its cryptographic key. While online use of the PKI is mostly automated, the system requires a surprising amount of human intervention to maintain the validity of the certificates.

“Revocation of certificates is critical to the security of the Web, because it is the only way to protect users from attackers who impersonate websites after a security breach, such as Heartbleed,” said Levin, referencing a widespread security bug discovered in 2014.

Heartbleed allowed attackers to extract secret information, including a server's private key, that would let them masquerade as trusted servers and potentially steal sensitive information from unsuspecting users. In a previous paper, Levin showed that few websites revoked their Heartbleed-compromised certificates and issued new ones.

“This paper builds off of my previous work on the Heartbleed vulnerability by asking: even if websites properly revoke their certificates, will browsers receive and check the certificates?” Levin said. “Unfortunately, the overwhelming answer is no.”

In the current study, Levin and his colleagues investigated the performance of website administrators, certificate authorities and Web browsers in real-life scenarios.

To evaluate how well website administrators handled revocations, the team analyzed a multi-year data set that included 74 full Internet scans. The researchers found that a large fraction of the certificates served, 8 percent, had been revoked. By continuing to serve revoked certificates, website administrators introduce security holes, Levin said.

Next, the team evaluated the performance of certificate authorities, which usually distribute revocations to Web browsers through certificate revocation lists (CRLs), files that enumerate the serial numbers of revoked certificates. The team found these files can grow large, which slows down the browser and consumes more bandwidth when they are downloaded.

The findings indicate browser developers may be trading security for better performance, Levin said. The team also found that newer techniques for distributing revocations, such as OCSP stapling, have not been widely implemented by certificate authorities and website administrators.

Finally, the researchers investigated 30 different combinations of operating systems and Web browsers, including Chrome, Safari, Firefox and Internet Explorer, and found none of them properly checked whether certificates had been revoked. In addition, mobile browsers running on iOS and Android did not check for revoked certificates.
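The following added example (not part of the study or this article) reproduces, with openssl, the revocation workflow the article describes: a CA publishes a CRL, a site operator revokes a compromised certificate, and a client either consults the CRL or, as the study found browsers doing, skips it. The CA name "Demo Root CA", the host name www.example.com and all key material are constructed here; the script assumes only that openssl and mktemp are on PATH.

```shell
#!/bin/sh
# Added example: a throwaway openssl(1) CA that issues a leaf certificate,
# revokes it into a CRL, and verifies the leaf with and without a CRL check.
# All names (Demo Root CA, www.example.com) and keys are constructed here;
# nothing is taken from the study. Requires openssl and mktemp on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# openssl ca(1) needs a config: 'database' is the index that -revoke updates
# and -gencrl reads; 'crlnumber' is the monotonically increasing CRL counter.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any

[ policy_any ]
commonName       = supplied
EOF

# Create the root CA, issue one leaf certificate, and publish an empty CRL.
build_ca_and_leaf() {
  : > index.txt
  echo 1000 > serial
  echo 1000 > crlnumber
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 365 -out leaf.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# What a site operator does after a compromise: revoke, then reissue the CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# The check a client should perform: build the chain AND consult the CRL.
# Prints "good", "revoked", or the raw openssl error for anything else.
verify_with_crl() {
  out="$(openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1" 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *)                       echo "error: $out" ;;
  esac
}

# The check the study found browsers actually doing: chain only, no CRL.
verify_without_crl() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo good
  else
    echo bad
  fi
}

# Number of serials listed in the CRL; every revoked certificate adds one
# entry, which is why CRLs of busy CAs grow large.
count_revoked() {
  openssl crl -in ca.crl -noout -text | grep -c "Serial Number:" || true
}

build_ca_and_leaf
BEFORE="$(verify_with_crl leaf.crt)"
revoke_leaf
AFTER_WITH_CRL="$(verify_with_crl leaf.crt)"
AFTER_WITHOUT_CRL="$(verify_without_crl leaf.crt)"

echo "before revocation, CRL checked:     $BEFORE"
echo "after revocation, CRL checked:      $AFTER_WITH_CRL"
echo "after revocation, CRL not checked:  $AFTER_WITHOUT_CRL"
echo "serials listed in CRL:              $(count_revoked)"
echo "CRL size in bytes:                  $(wc -c < ca.crl)"
```

The last two verifications make the article's point concrete: after revocation the chain still validates when the CRL is ignored, so a client that skips the revocation check accepts exactly the certificate the operator tried to withdraw. The CRL size line is the cost the certificate authorities face; it grows with every entry, which is the trade-off between bandwidth and security the study describes.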

“If a browser shows the lock icon, then users believe that the page is the website it reports to be,” Levin said. “And yet, our results indicate that browsers and websites are not checking the security certificates to make sure this is true.”

Levin said this study will affect the fundamental assumptions about how the PKI works in practice.

“In the research space, we hope this will affect how other systems that rely on revocations are designed to better match the likely behavior of administrators,” Levin said.