Mitigating the Security Risks of seclab Domain-Validated ......Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certiﬁcates (NDSS 2018) • HTTP, simple

seclabTHE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

Kevin BorgolteTobias Fiebig Shuang Hao Christopher Kruegel Giovanni Vigna

24th Network and Distributed Systems Security Symposium (NDSS 2018)

CLOUD STRIFE Mitigating the Security Risks of Domain-Validated Certificates

[email protected] [email protected] [email protected] [email protected] [email protected]

Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (NDSS 2018) 3

STALE DNS RECORDS AND IP ADDRESS RE-USE

cloudstrife.seclab.cs.ucsb.edu




34.215.255.68




34.215.255.68

• How to migrate DNS gracefully?




34.215.255.68

• How to migrate DNS gracefully?• When to release 34.215.255.68? TTL? Longer?




34.215.255.68

• How to migrate DNS gracefully?• When to release 34.215.255.68? TTL? Longer?• What about failure and automatic scaling?


DOMAIN-VALIDATED CERTIFICATES

• Standard TLS certificate • Trusted by major browsers and operating systems • Credited for the rise in HTTPS adoption • Cheap or free • No identity verification

via https://nettrack.info/ssl_certificate_issuers.html

Let’s Encrypt

Comodo

GeoTrust

Top SSL Issuers

Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates (NDSS 2018)

Client

5

HTTP-BASED DOMAIN-VALIDATION


Client ACMECA

1 Request certificate

5



Client ACMECA


2 Respond with challenge

5



Client ACMECA


2 Respond with challenge3 Host challenge

at http://example.com

example.comWebserver

5



Client ACMECA



4 Verify challenge3 Host challenge



5



Client ACMECA



4 Verify challenge3 Host challenge



5


If you control the host behind the domain,then you can prove domain ownership successfully.


• Trusted TLS certificates (MitM) • Malicious and remote code loading • Subdomain attacks • Email (no MX = A record) • Spam & phishing (residual trust)

6

IMPACT?


SCALE?• How many active domains point to free IPs?


ap-northeast-1

ap-northeast-2

ap-south-1

ap-southeast-1

ap-southeast-2

ca-central-1

eu-central-1

eu-west-1

eu-west-2

sa-east-1

us-east-1

us-east-2

us-west-1

us-west-2

Availability Zone

10sec

1min

1hour

1day

1week2weeks

Tim

eB

etw

een

Reo

ccur

ence

(Sec

onds

) log

7

SCALE?

• Looking at cloud IP address (AWS, Azure) • 1.6 million unique IPs, 14 million allocations • 130 million unique domains

• How many active domains point to free IPs?


ap-northeast-1

ap-northeast-2

ap-south-1

ap-southeast-1

ap-southeast-2

ca-central-1

eu-central-1

eu-west-1

eu-west-2

sa-east-1

us-east-1

us-east-2

us-west-1

us-west-2

Availability Zone

10sec

1min

1hour

1day

1week2weeks

Tim

eB

etw

een

Reo

ccur

ence

(Sec

onds

) log

7

SCALE?

• Looking at cloud IP address (AWS, Azure) • 1.6 million unique IPs, 14 million allocations • 130 million unique domains

• How many active domains point to free IPs?

• >700,000 domains can be taken over within minutes by attacker


CLOUD STRIFE

• Assume takeovers can or will happen in the future • Major changes to DNS or deployment impractical • Aim to prevent attacks higher up


CLOUD STRIFE

• Assume takeovers can or will happen in the future • Major changes to DNS or deployment impractical • Aim to prevent attacks higher up

• Focus on TLS services • Leverage existing standards when possible


• HTTP, simple idea: • HTTPS with trusted certificates • HTTP Strict Transport Security • HTTP Public Key Pinning

9

MITIGATING TAKEOVER ATTACKS



9


Takeover attacks now require pinned certificate.Reduces takeover attacks to denial of service attacks



9



Doesn’t work for SMTP etc. though


• HTTP, simple idea: • HTTPS with trusted certificates domain-validated certificates • HTTP Strict Transport Security • HTTP Public Key Pinning to be deprecated in Chrome 67

9



Doesn’t work for SMTP etc. though


• HTTP, better idea: • HTTPS with trusted certificates • Prevent certificate issuance via HTTP-based domain-validation for

domains (likely) taken over • HTTP Strict Transport Security

10





10


No trusted certificate = also works for SMTP etc.




10


How do you prevent certificate issuance?

No trusted certificate = also works for SMTP etc.


CERTIFICATE TRANSPARENCY LOGS

• Public append-only log for issued certificates • Monitor for suspicious certificates • Real-time(ish) audit trail




In itself: • Reactive: attacker’s window of opportunity remains • Must be actively monitored (by domain owners)




In itself: • Reactive: attacker’s window of opportunity remains • Must be actively monitored (by domain owners)

Can be used for historic lookups


Client

12

PREVENTIVE HTTP-BASED DOMAIN-VALIDATION


Client ACMECA


12



Client ACMECA


CTLogs

2 Check for existingcertificates

12



Client ACMECA


3 Respond with challengeCT

Logs


12



Client ACMECA



Logs4 Host challenge

at https://example.com



12



Client ACMECA



Logs

5Verify challenge and

existing certificate4 Host challenge




12



Client ACMECA



Logs

5Verify challenge and

existing certificate4 Host challenge




12


If an old certificate was found, require it to be current HTTPS certificate.

1

2


CLOUD STRIFE

• Prevents TLS certificates to be issued for takeovers • No certificate = takeover attacks less useful (= DoS) • Drawbacks for users only for disaster recovery

• Re-bootstrap chain of trust • ACMEv2 challenge RFC being drafted

[email protected] https://kevin.borgolte.me

twitter: @caovc

Thank you!

Questions?

seclabTHE COMPUTER SECURITY GROUP AT UC SANTA BARBARA

I am looking for a faculty position!

mailto:[email protected]

http://kevin.borgolte.me

http://twitter.com/caovc

Documents

Mitigating the Security Risks of seclab Domain-Validated ......Kevin Borgolte Cloud Strife: Mitigating the Security Risks of Domain-Validated Certiﬁcates (NDSS 2018) • HTTP, simple