f2CBVx

ppt.cc/fKlBax ppt.cc/fwlgFx ppt.cc/fVjECx ppt.cc/fEnHsx ppt.cc/fRZTnx ppt.cc/fSZ3cx ppt.cc/fLOuCx ppt.cc/fE9Nux ppt.cc/fL5Kyx ppt.cc/f71Yqx tecmint.com linuxcool.com linux.die.net linux.it.net.cn ostechnix.com unix.com ubuntugeek.com runoob.com man.linuxde.net ppt.cc/fwpCex ppt.cc/fxcLIx ppt.cc/foX6Ux linuxprobe.com linuxtechi.com howtoforge.com linuxstory.org systutorials.com ghacks.net linuxopsys.com ppt.cc/ffAGfx ppt.cc/fJbezx ppt.cc/fNIQDx ppt.cc/fCSllx ppt.cc/fybDVx ppt.cc/fIMQxx

Friday, 8 May 2020

Research on the SSL/TLS Ecosystem

Every day, we use Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to secure our Internet transactions such as name resolution (DNS lookup), banking, e-mail and e-commerce. Along with a public key infrastructure (PKI), they allow our computers to automatically verify that our sensitive information (e.g., credit card numbers and passwords) are hidden from eavesdroppers and sent to trustworthy servers.

HeartBleed

In mid-April, 2014, a software vulnerability called Heartbleed was announced. It allows malicious users to capture information that would allow them to masquerade as trusted servers and potentially steal sensitive information from unsuspecting users. The PKI provides multiple ways to prevent such an attack from occurring, and we should expect Web site operators to use these countermeasures.

For more details, please see our projects published at IMC'14 and IMC'15.

Private Key Sharing

We found that the prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation. Our results reveal that key sharing is extremely common, with a small handful of hosting providers having keys from the majority of the most popular websites. We also find that hosting providers often manage their customers' keys, and that they tend to react more slowly yet more thoroughly to compromised or potentially compromised keys.

For more details, please see our project published at CCS'16.

Invalid Certificates

SSL and TLS are used to secure the most commonly used Internet protocols. As a result, the ecosystem of SSL certificates has been thoroughly studied, leading to a broad understanding of the strengths and weaknesses of the certificates accepted by most web browsers.
Prior work has naturally focused almost exclusively on "valid" certificates鈥攖hose that standard browsers accept as well-formed and trusted鈥攁nd has largely disregarded certificates that are otherwise "invalid." Surprisingly, however, this leaves the majority of certificates unexamined: we find that, on average, 65% of SSL certificates advertised in each IPv4 scan that we examine are actually invalid.

For more details, please see our project published at IMC'16.

OCSP Measurement

We study whether today's web is ready for OCSP Must-Staple.
Specifically, we measure each of the three major principals-web servers, OCSP responders, and browsers-to ascertain whether they are doing what would be necessary for OCSP Must-Staple to succeed, and what impact their failures would have on website availability.

For more details, please see our project published at IMC'18.

Domain Impersonation

Attackers often trick users with domains that look similar, but aren't identical, to high-value target websites. Legitimate certificates can be obtained for these domains, as an attacker can easily prove ownership of a domain they legitimately own. Why cirvumvent the PKI when you can fool users without having to break the rules?
Using Certificate Transparency (CT) logs, we measure the prevelance of impersonating domains in the PKI.

For more details, please see our project published at CCS'19.

DNSSEC

The Domain Name System (DNS) provides a scalable, flexible name resolution service. Unfortunately, its unauthenticated architecture has proven to be the vector for many security attacks. To address this, DNS Security Extensions (DNSSEC) were introduced in 1997.
At its core, DNSSEC is a hierarchical public key infrastructure (PKI) that largely mirrors the DNS hierarchy and is anchored in the DNS root zone. DNSSEC enables clients (typically DNS resolvers) who support it to authenticate DNS records for domains that also support DNSSEC.

For more details, please see our projects published at SEC'17 and IMC'17.

from https://securepki.org/

-------------------------------

The importance of the web's public key infrastructure (PKI) cannot be overstated: it provides users with the ability to verify with whom they are communicating online, and enables encryption of those communications. While the online use of the PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation.

This project investigates the roles played by all of the PKI's principals: website administrators, browsers, certificate authorities, and content delivery networks (CDNs). Only by understanding the humans in the loop can we hope to truly secure this critical infrastructure.

Key findings:

Website admins don't revoke or reissue their certificates: After the Heartbleed vulnerability, 93% of compromised servers were patched, but only 13% revoked and 27% reissued compromised certificates. IMC'14
No modern web browser fully checks for revocations: No modern mobile browser checks for revocations at all. IMC'15
Key sharing is widespread: The majority of all websites give their private keys to third-party hosting providers like CDNs, cloud providers, or web-hosting services. Amazon alone has 60% of the 1000 most popular websites' private keys. CCS'16
Pushing all revocations to all clients is possible: We have developed a system, CRLite, that drastically reduces the amount of data necessary to represent revocations (less than 1 byte per). S&P'17

from https://www.cs.umd.edu/~dml/projects.html
---------------------------------------

https://www.cs.umd.edu/~dml/papers.html