DOI: 10.1145/2976749.2978301

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem

Published: 24 October 2016

Abstract

    The semantics of online authentication in the web are rather straightforward: if Alice has a certificate binding Bob's name to a public key, and if a remote entity can prove knowledge of Bob's private key, then (barring key compromise) that remote entity must be Bob. However, in reality, many websites, and the majority of the most popular ones, are hosted at least in part by third parties such as Content Delivery Networks (CDNs) or web hosting providers. Put simply: administrators of websites who deal with (extremely) sensitive user data are giving their private keys to third parties. Importantly, this sharing of keys is undetectable by most users, and widely unknown even among researchers. In this paper, we perform a large-scale measurement study of key sharing in today's web. We analyze the prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation. Our results reveal that key sharing is extremely common, with a small handful of hosting providers having keys from the majority of the most popular websites. We also find that hosting providers often manage their customers' keys, and that they tend to react more slowly yet more thoroughly to compromised or potentially compromised keys.

    Published In

    CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
    October 2016
    1924 pages
    ISBN:9781450341394
    DOI:10.1145/2976749

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. CDN
    2. HTTPs
    3. PKI
    4. SSL
    5. TLS
    6. certificates
    7. content delivery network
    8. key management
    9. key sharing
    10. public key infrastructure

    Qualifiers

    • Research-article

    Conference

    CCS'16

    Acceptance Rates

    CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
