Martin Georgiev
Dan Boneh
ABSTRACT
SSL (Secure Sockets Layer) is the de facto standard for secure Internet communications. Security of SSL connections against an active network attacker depends on correctly validating public-key certificates presented when the connection is established.
We demonstrate that SSL certificate validation is completely broken in many security-critical applications and libraries. Vulnerable software includes Amazon's EC2 Java library and all cloud clients based on it; Amazon's and PayPal's merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; Java Web-services middleware including Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android and all applications employing this middleware. Any SSL connection from any of these programs is insecure against a man-in-the-middle attack.
The root causes of these vulnerabilities are badly designed APIs of SSL implementations (such as JSSE, OpenSSL, and GnuTLS) and data-transport libraries (such as cURL) which present developers with a confusing array of settings and options. We analyze perils and pitfalls of SSL certificate validation in software based on these APIs and present our recommendations.
- https should check CN of x509 cert. https://issues.apache.org/jira/browse/HTTPCLIENT-613.Google Scholar
- D. Brumley and D. Boneh. Remote timing attacks are practical. In USENIX Security, 2003. Google ScholarDigital Library
- S. Chen, Z. Mao, Y.-M. Wang, and M. Zhang. Pretty-Bad-Proxy: An overlooked adversary in browsers' HTTPS deployments. In S&P, 2009. Google ScholarDigital Library
- S. Chen, R. Wang, X. Wang, and K. Zhang. Side-channel leaks in Web applications: A reality today, a challenge tomorrow. In S&P, 2010. Google ScholarDigital Library
- Comodo report of incident. http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html, 2011.Google Scholar
- Diginotar issues dodgy SSL certificates for Google services after break-in. http://www.theinquirer.net/inquirer/news/2105321/ diginotar-issues-dodgy-ssl-certificates-google-services-break, 2011.Google Scholar
- P. Eckersley and J. Burns. An observatory for the SSLiverse. In DEFCON, 2010.Google Scholar
- C. Evans and C. Palmer. Certificate pinning extension for HSTS. http://www.ietf.org/mail-archive/web/websec/current/pdfnSTRd9kYcY.pdf, 2011.Google Scholar
- Fiddler - Web debugging proxy. http://fiddler2.com/fiddler2/.Google Scholar
- D. Kaminsky, M. Patterson, and L. Sassaman. PKI layer cake: new collision attacks against the global X.509 infrastructure. In FC, 2010. Google ScholarDigital Library
- Moxie Marlinspike. IE SSL vulnerability. http://www.thoughtcrime.org/ie-ssl-chain.txt, 2002.Google Scholar
- Moxie Marlinspike. Null prefix attacks against SSL/TLS certificates. http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf, 2009.Google Scholar
- Internet X.509 public key infrastructure certificate policy and certification practices framework. http://www.ietf.org/rfc/rfc2527.txt, 1999.Google Scholar
- HTTP over TLS. http://www.ietf.org/rfc/rfc2818.txt, 2000.Google Scholar
- Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. http://tools.ietf.org/html/rfc5280, 2008.Google Scholar
- The Secure Sockets Layer (SSL) protocol version 3.0. http://tools.ietf.org/html/rfc6101, 2011.Google Scholar
- Representation and verification of domain-based application service identity within Internet public key infrastructure using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). http://tools.ietf.org/html/rfc6125, 2011.Google Scholar
- M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D. Osvik, and B. Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In CRYPTO, 2009. Google ScholarDigital Library
- Q. Sun, D. Simon, Y.-M. Wang, W. Russell, V. Padmanabhan, and L. Qiu. Statistical identification of encrypted Web browsing traffic. In S&P, 2002. Google ScholarDigital Library
- CVE-2009-4831. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4831, 2009.Google Scholar
- J. Viega and M. Messier. Secure Programming Cookbook for C and C++. O'Reilly Media, 2007. Google ScholarDigital Library
- N. Vratonjic, J. Freudiger, V. Bindschaedler, and J.-P. Hubaux. The inconvenient truth about Web certificates. In WEIS, 2011.Google Scholar
- R. Wang, S. Chen, X. Wang, and S. Qadeer. How to shop for free online -- Security analysis of cashier-as-a-service based Web stores. In S&P, 2011. Google ScholarDigital Library
Index Terms
- The most dangerous code in the world: validating SSL certificates in non-browser software
Recommendations
Securing SSL Certificate Verification through Dynamic Linking
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityRecent discoveries of widespread vulnerabilities in the SSL/TLS protocol stack, particular with regard to the verification of server certificates, has left the security of the Internet's communications in doubt. Newly proposed SSL trust enhancements ...
Certification Authorities Under Attack: A Plea for Certificate Legitimation
Several recent attacks against certification authorities (CAs) and fraudulently issued certificates have put the security and usefulness of the Internet public-key infrastructure (PKI) at stake. In this article, the author argues that such attacks are ...
Analysis of the HTTPS certificate ecosystem
IMC '13: Proceedings of the 2013 conference on Internet measurement conferenceWe report the results of a large-scale measurement study of the HTTPS certificate ecosystem---the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, ...
Comments