Analysis of SSL certificate reissues and revocations in the wake of Heartbleed Liang Zhang*, David Choffnes*, Tudor Dumitras†, Dave Levin†, Alan Mislove*, Aaron Schulman‡, Christo Wilson* *Northeastern University †University of Maryland ‡Stanford University Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website 2 Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Vetting Trust Certificate Authority 2 Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Vetting Trust Certificate Authority 2 Public Key Infrastructures (PKIs) Browser Website ? Certificate Attacker What needs to do when a certificate is no longer valid? 2 Certificate revocation is a critical part of any PKI 3 Certificate revocation is a critical part of any PKI ✗ Certificate Administrators must revoke and reissue as quickly as possible 3 Certificate revocation is a critical part of any PKI ✗ Certificate Administrators must revoke and reissue as quickly as possible Authority publish revocations via CRL as quickly as possible 3 Certificate revocation is a critical part of any PKI ✗ Certificate Administrators must revoke and reissue as quickly as possible Authority publish revocations via CRL as quickly as possible Browsers should obtain revocations as often as possible 3 Certificate revocation is a critical part of any PKI ✗ Certificate Administrators must revoke and reissue as quickly as possible Authority publish revocations via CRL as quickly as possible Browsers should obtain revocations as often as possible In practice: How quickly and thoroughly do administrators act? 3 Heartbleed Allows attackers to extract up to 216-1 bytes of memory with a single heartbeat message 4 Heartbleed Allows attackers to extract up to 216-1 bytes of memory with a single heartbeat message April 7 Every vulnerable website should have: 1 Patched 2 Revoked 3 Reissued 4 Heartbleed Allows attackers to extract up to 216-1 bytes of memory with a single heartbeat message April 7 Every vulnerable website should have: 1 Patched 2 Revoked 3 Reissued Heartbleed is a natural experiment: For studying SSL certificate reissues and revocations 4 Outline 1. Motivation 2. Data and methodology 3. Analysis 5 Dataset Rapid7 data 19.4M certs ~1/wk Oct’13 - Apr’14 6 Dataset 1.5M certs Alexa Top-1M Rapid7 data 19.4M certs ~1/wk Oct’13 - Apr’14 filter CAs ~9k certs 6 Dataset 1.5M certs Alexa Top-1M Rapid7 data 19.4M certs ~1/wk Oct’13 - Apr’14 filter validate CAs ~9k certs Leaf Set 628k certs 166k domains 6 Dataset 1.5M certs Alexa Top-1M Rapid7 data 19.4M certs ~1/wk Oct’13 - Apr’14 filter validate CAs ~9k certs Leaf Set 628k certs 166k domains • Download CRLs • Detect Heartbleed vulnerability 6 Identifying reissues Number of Unique Hosts Advertising Certificate m.scotrail.co.uk 20 18 16 14 12 10 8 6 4 2 0 11/2013 12/2013 01/2014 02/2014 03/2014 Date 04/2014 05/2014 7 Identifying reissues Number of Unique Hosts Advertising Certificate m.scotrail.co.uk 20 18 16 14 12 10 8 6 4 2 0 11/2013 Birth 12/2013 Birth 01/2014 02/2014 03/2014 Date 04/2014 05/2014 First crawl we see it announced 7 Identifying reissues Number of Unique Hosts Advertising Certificate m.scotrail.co.uk 20 18 16 14 12 10 8 6 4 2 0 11/2013 Death Birth 12/2013 01/2014 Death 02/2014 03/2014 Date 04/2014 05/2014 First crawl with ≤10% still announcing it 7 Identifying reissues Number of Unique Hosts Advertising Certificate m.scotrail.co.uk 20 18 16 14 12 10 8 6 4 2 0 11/2013 Death Birth Death Forgotten? 12/2013 01/2014 02/2014 03/2014 Date 04/2014 05/2014 First crawl with ≤10% still announcing it 7 Identifying reissues Number of Unique Hosts Advertising Certificate m.scotrail.co.uk 20 18 16 14 12 10 8 6 4 2 0 11/2013 Reissue Birth Death Forgotten? 12/2013 Reissue 01/2014 02/2014 03/2014 Date 04/2014 05/2014 Birth + death + we see a host swap 7 Attributing reissues to Heartbleed 8 Attributing reissues to Heartbleed 1 Reissued on or after April 7 8 Attributing reissues to Heartbleed 1 Reissued on or after April 7 2 Expiration date >60 days away 8 Attributing reissues to Heartbleed 1 Reissued on or after April 7 2 Expiration date >60 days away 1 CDF 0.8 0.6 0.4 0.2 0 400 350 300 250 200 150 100 Days before Certificate Expiry 50 0 8 Attributing reissues to Heartbleed 1 Reissued on or after April 7 2 Expiration date >60 days away 1 CDF 0.8 0.6 0.4 0.2 0 400 350 300 250 200 150 100 Days before Certificate Expiry 50 0 8 Attributing reissues to Heartbleed 1 Reissued on or after April 7 2 Expiration date >60 days away 3 Domain reissues <1 time per 2mos 8 Number of Unique Hosts Advertising Certificate Attributing reissues to Heartbleed 1 Reissued on or after April 7 2 Expiration date >60 days away 3 Domain reissues <1 time per 2mos www.google.com 3500 3000 2500 2000 1500 1000 500 0 11/2013 12/2013 01/2014 02/2014 03/2014 Date 04/2014 05/2014 8 Outline 1. Motivation 2. Data and methodology 3. Analysis 9 Outline 1. Motivation 2. Data and methodology 3. Analysis April 7 Every vulnerable website should have: 1 Patched 2 Revoked 3 Reissued 9 Prevalence and patch rates Fraction of Domains 0.6 Was ever vulnerable Still vulnerable on 2014-04-30 0.5 0.4 0.3 0.2 0.1 0 0 200k 400k 600k 800k Alexa Site Rank (bins of 10,000) 1M 10 Prevalence and patch rates Fraction of Domains 0.6 Was ever vulnerable Still vulnerable on 2014-04-30 0.5 0.4 0.3 0.2 0.1 0 0 200k 400k 600k 800k Alexa Site Rank (bins of 10,000) 1M 10 Prevalence and patch rates Fraction of Domains 0.6 Was ever vulnerable Still vulnerable on 2014-04-30 0.5 0.4 0.3 0.2 0.1 0 0 200k 400k 600k 800k Alexa Site Rank (bins of 10,000) 1M Patching rates are mostly positive ~6% still vulnerable after 3 weeks 10 Frac. of Vulnerable Certs not Revoked/Reissued Certificate revocation rates 1 0.95 0.9 0.85 0.8 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 11 Frac. of Vulnerable Certs not Revoked/Reissued Certificate revocation rates 1 Ideal 0.95 0.9 0.85 0.8 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 11 Frac. of Vulnerable Certs not Revoked/Reissued Certificate revocation rates 1 Ideal 0.95 Not revoked (all) 0.9 0.85 0.8 Not reissued (all) 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 11 Frac. of Vulnerable Certs not Revoked/Reissued Certificate revocation rates 1 Ideal 0.95 Not revoked (all) 0.9 0.85 0.8 Not reissued (all) 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 Exponential drop-off, then levels out After 3 weeks: 13% Revoked 11 Number of Domains/Day How quickly were certs revoked? 1200 1000 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date 12 Number of Domains/Day How quickly were certs revoked? 1200 1000 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly 12 Number of Domains/Day How quickly were certs revoked? 1200 1000 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly 12 Number of Domains/Day How quickly were certs revoked? 1200 1000 Weekends 800 600 400 200 0 03/01 03/08 03/15 03/22 03/29 04/05 04/12 04/19 04/26 Date Reaction ramps up quickly Security takes the weekends off 12 Frac. of Vulnerable Certs not Revoked/Reissued Certificate reissue rates 1 Ideal 0.95 Not revoked (all) 0.9 0.85 0.8 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 13 Frac. of Vulnerable Certs not Revoked/Reissued Certificate reissue rates 1 Ideal 0.95 Not revoked (all) 0.9 0.85 0.8 Not reissued (all) 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 Compared to revocations: Similar pattern but better reissue rate After 3 weeks: 27% Reissued 13 Frac. of Vulnerable Certs not Revoked/Reissued Certificate reissue rates 1 0.95 0.9 Optimistic Not revoked (all) 0.85 0.8 Not reissued (all) 0.75 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 Compared to revocations: Similar pattern but better reissue rate After 3 weeks: 27% Reissued 13 Fraction of New Certificates Reissued with the Same Key Reissue New key? 0.6 0.5 0.4 0.3 0.2 0.1 0 11/2013 All reissues Heartbleed-induced reissues 12/2013 01/2014 02/2014 03/2014 Date of Birth 04/2014 05/2014 14 Fraction of New Certificates Reissued with the Same Key Reissue New key? 0.6 0.5 0.4 0.3 0.2 0.1 0 11/2013 All reissues Heartbleed-induced reissues 12/2013 01/2014 02/2014 03/2014 Date of Birth 04/2014 05/2014 14 Fraction of New Certificates Reissued with the Same Key Reissue New key? 0.6 0.5 0.4 0.3 0.2 0.1 0 11/2013 All reissues Heartbleed-induced reissues 12/2013 01/2014 02/2014 03/2014 Date of Birth 04/2014 05/2014 Reissuing the same key is common practice 4.1% Heartbleed-induced with same key 14 Popularity Fraction of Sites with Heartbleed-induced Reissue/Revocation 0.3 Better reaction? Reissue Revocation 0.25 0.2 0.15 0.1 0.05 0 0 200k 400k 600k 800k Alexa Alexa Site Site Rank(bins Rank (binsofof10,000) 1000) 1M 15 Popularity Fraction of Sites with Heartbleed-induced Reissue/Revocation 0.3 Better reaction? Reissue Revocation 0.25 0.2 0.15 0.1 0.05 0 0 200k 400k 600k 800k Alexa Alexa Site Site Rank(bins Rank (binsofof10,000) 1000) 1M 15 Popularity Fraction of Sites with Heartbleed-induced Reissue/Revocation 0.3 Better reaction? Reissue Revocation 0.25 0.2 0.15 0.1 0.05 0 0 200k 400k 600k 800k Alexa Alexa Site Site Rank(bins Rank (binsofof10,000) 1000) 1M Administrators of even highly popular websites aren’t doing what the PKI needs them to do 15 EV Certificates More thorough vetting process of CAs and clients Extended Validation Normal 16 EV Certificates More thorough vetting process of CAs and clients Extended Validation Normal Does the more thorough vetting process translate into better security practices? 16 Frac. of Vulnerable Certs not Revoked/Reissued Are EV certs better managed? 1 0.95 Not revoked (all) 0.9 0.85 0.8 0.75 Not reissued (all) 0.7 0.65 04/07 04/11 04/15 04/19 Date 04/23 04/27 Frac. of Vulnerable Certs not Revoked/Reissued Are EV certs better managed? 1 0.95 Not revoked (all) 0.9 0.85 Not revoked (EV) 0.8 0.75 Not reissued (all) 0.7 0.65 04/07 Not reissued (EV) 04/11 04/15 04/19 Date 04/23 04/27 EV certs exhibit slightly better rates (8% reissue) Can we wait for expiration? 1 CDF 0.8 0.6 0.4 0.2 0 0 1 2 3 4 Years of Remaining Validity 5 6 18 Can we wait for expiration? Vulnerable but not revoked 1 CDF 0.8 0.6 0.4 0.2 0 0 1 2 3 4 Years of Remaining Validity 5 6 18 Can we wait for expiration? Vulnerable but not revoked 1 CDF 0.8 0.6 ~40% of vulnerable certs will not expire for over 1 year 0.4 0.2 0 0 1 2 3 4 Years of Remaining Validity 5 6 18 Can we wait for expiration? Vulnerable but not revoked 1 CDF 0.8 0.6 ~40% of vulnerable certs will not expire for over 1 year 0.4 0.2 0 0 1 2 3 4 Years of Remaining Validity 5 6 We may be dealing with Heartbleed for years 18 In the paper • Most reason codes are incorrect • Revocation and reissue are not simultaneous • CAs update CRLs in hours • Heartbleed induce more retired certificates revocations and more … 19 Summary • First study focus on certificates reissues and revocations • Large-scale measurements • Developed new methodologies and heuristics • Key findings • After three weeks, only 13% revoked and 27% reissued • Security takes the weekends off • Live with Heartbleed for years • Problem: low revocation rates and long expiration dates • Techniques for automate revocation • Set reasonably short certificate expiration dates 20 Summary • First study focus on certificates reissues and revocations • Large-scale measurements • Developed new methodologies and heuristics • Key findings • After three weeks, only 13% revoked and 27% reissued • Security takes the weekends off • Live with Heartbleed for years • Problem: low revocation rates and long expiration dates • Techniques for automate revocation • Set reasonably short certificate expiration dates Questions? securepki.org 20
© Copyright 2026 Paperzz