research-article

Public Access

Analysis of SSL certificate reissues and revocations in the wake of heartbleed

Authors:

David Choffnes,

Tudor Dumitraş,

Aaron Schulman,

Christo WilsonAuthors Info & Claims

Communications of the ACM, Volume 61, Issue 3

Pages 109 - 116

https://doi.org/10.1145/3176244

Published: 21 February 2018 Publication History

All formats PDF

Abstract

A properly managed public key infrastructure (PKI) is critical to ensure secure communication on the Internet. Surprisingly, some of the most important administrative steps---in particular, reissuing new X.509 certificates and revoking old ones---are manual and remained unstudied, largely because it is difficult to measure these manual processes at scale.

We use Heartbleed, a widespread OpenSSL vulnerability from 2014, as a natural experiment to determine whether administrators are properly managing their certificates. All domains affected by Heartbleed should have patched their software, revoked their old (possibly compromised) certificates, and reissued new ones, all as quickly as possible. We find the reality to be far from the ideal: over 73% of vulnerable certificates were not reissued and over 87% were not revoked three weeks after Heartbleed was disclosed. Our results also show a drastic decline in revocations on the weekends, even immediately following the Heartbleed announcement. These results are an important step in understanding the manual processes on which users rely for secure, authenticated communication.

References

[1]

Alexa Top 1 Million Domains. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip.

[2]

Botan SSL Library. http://botan.randombit.net.

[3]

CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information. http://www.kb.cert.org/vuls/id/720951.

[4]

Chung, T., Liu, Y., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C. Measuring and applying invalid SSL certificates: The silent majority. In ACM Internet Measurement Conference (IMC) (2016).

Digital Library

[5]

Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A. Analysis of the HTTPS certificate ecosystem. In ACM Internet Measurement Conference (IMC) (2013).

Digital Library

[6]

Durumeric, Z., Kasten, J., Li, F., Amann, J., Beekman, J., Payer, M., Weaver, N., Halderman, J.A., Paxson, V., Bailey, M. The matter of Heartbleed. In ACM Internet Measurement Conference (IMC) (2014).

Digital Library

[7]

Eastlake, D III. Transport Layer Security (TLS) Extensions: Extension Definitions, Jan. 2011. IETF RFC-6066.

[8]

Grubb, B. Heartbleed disclosure timeline: who knew what and when, 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html.

[9]

Holz, R., Braun, L., Kammenhuber, N., Carle, G. The SSL landscape -- A thorough analysis of the X.509 PKI using active and passive measurements. In ACM Internet Measurement Conference (IMC) (2011).

Digital Library

[10]

Huang, L.S., Rice, A., Ellingsen, E., Jackson, C. Analyzing forged SSL certificates in the wild. In IEEE Symposium on Security and Privacy (S&P) (2014).

Digital Library

[11]

Liu, Y., Tome, W., Zhang, L., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Schulman, A., Wilson, C. An end-to-end measurement of certificate revocation in the web's PKI. In ACM Internet Measurement Conference (IMC) (2015).

Digital Library

[12]

Mac OS X 10.9.2 Root Certificates. http://support.apple.com/kb/HT6005.

[13]

Mutton, P. Half a million widely trusted websites vulnerable to heartbleed bug, 2014. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html.

[14]

Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T. The attack of the clones: A study of the impact of shared code on vulnerability patching. In IEEE Symposium on Security and Privacy (S&P) (2015).

Digital Library

[15]

OpenSSL Project. https://www.openssl.org.

[16]

Rapid7 SSL Certificate Scans. https://scans.io/study/sonar.ssl.

[17]

Seggelmann, R., Tuexen, M., Williams, M. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, Feb. 2012. IETF RFC-6520.

[18]

Sullivan, N. The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued, 2014. http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued.

[19]

Sullivan, N. The Results of the CloudFlare Challenge, 2014. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge.

[20]

The GnuTLS Transport Layer Security Library. http://www.gnutls.org.

[21]

Topalovic, E., Saeta, B., Huang, L.-S., Jackson, C., Boneh, D. Toward shortlived certificates. In Web 2.0 Security & Privacy (W2SP) (2012).

[22]

Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In ACM Internet Measurement Conference (IMC) (2009).

Digital Library

Cited By

Sosnowski MZirngibl JSattler PAulbach JLang JCarle G(2024)An Internet-Wide View on HTTPS Certificate Revocations: Observing the Revival of CRLs via Active TLS Scans2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW61312.2024.00038(297-306)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSPW61312.2024.00038
Cerenius DKaller MBruhner CArlitt MCarlsson N(2024)Trust Issue(r)s: Certificate Revocation and Replacement Practices in the WildPassive and Active Measurement10.1007/978-3-031-56252-5_14(293-321)Online publication date: 11-Mar-2024
https://dl.acm.org/doi/10.1007/978-3-031-56252-5_14
Zhang ZZhang HWang JHu XLi JYu WYu PLi WCui BZhu GSood KWill BGuan H(2023)QKPT: Securing Your Private Keys in Cloud With Performance, Scalability and TransparencyIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.313740320:1(478-491)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2021.3137403
Show More Cited By

Index Terms

Analysis of SSL certificate reissues and revocations in the wake of heartbleed
1. Networks
  1. Network protocols
  2. Network services

Recommendations

Analysis of SSL certificate reissues and revocations in the wake of heartbleed
IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference

Central to the secure operation of a public key infrastructure (PKI) is the ability to revoke certificates. While much of users' security rests on this process taking place quickly, in practice, revocation typically requires a human to decide to reissue ...
Securing SSL Certificate Verification through Dynamic Linking
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Recent discoveries of widespread vulnerabilities in the SSL/TLS protocol stack, particular with regard to the verification of server certificates, has left the security of the Internet's communications in doubt. Newly proposed SSL trust enhancements ...
Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
SP '14: Proceedings of the 2014 IEEE Symposium on Security and Privacy

Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of secure Web rely on SSL/TLS for protection against network ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Communications of the ACM

Communications of the ACM Volume 61, Issue 3

March 2018

107 pages

ISSN:0001-0782

EISSN:1557-7317

DOI:10.1145/3190347

Editor:
Andrew A. Chien
Association for Computing Machinery, New York, NY

Issue’s Table of Contents

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 February 2018

Published in CACM Volume 61, Issue 3

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed

Funding Sources

NSF

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
26,126
Total Downloads

Downloads (Last 12 months)466
Downloads (Last 6 weeks)52

Reflects downloads up to 15 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Sosnowski MZirngibl JSattler PAulbach JLang JCarle G(2024)An Internet-Wide View on HTTPS Certificate Revocations: Observing the Revival of CRLs via Active TLS Scans2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW61312.2024.00038(297-306)Online publication date: 8-Jul-2024
https://doi.org/10.1109/EuroSPW61312.2024.00038
Cerenius DKaller MBruhner CArlitt MCarlsson N(2024)Trust Issue(r)s: Certificate Revocation and Replacement Practices in the WildPassive and Active Measurement10.1007/978-3-031-56252-5_14(293-321)Online publication date: 11-Mar-2024
https://dl.acm.org/doi/10.1007/978-3-031-56252-5_14
Zhang ZZhang HWang JHu XLi JYu WYu PLi WCui BZhu GSood KWill BGuan H(2023)QKPT: Securing Your Private Keys in Cloud With Performance, Scalability and TransparencyIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.313740320:1(478-491)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TDSC.2021.3137403
Alkinoon MAlabduljabbar AAlthebeiti HJang RNyang DMohaisen D(2023)Understanding the Security and Performance of the Web Presence of Hospitals: A Measurement Study2023 32nd International Conference on Computer Communications and Networks (ICCCN)10.1109/ICCCN58024.2023.10230186(1-10)Online publication date: Jul-2023
https://doi.org/10.1109/ICCCN58024.2023.10230186
Rahoof PNair LThafasal Ijyas V(2022)A Secure Two-Tier Domain Verification and Certificate Validation Integrating Intermediate Certificate Authorities and Secure Certificate BoxJournal of Circuits, Systems and Computers10.1142/S021812662350103732:06Online publication date: 14-Nov-2022
https://doi.org/10.1142/S0218126623501037
Krupp BMatthews MHadden J(2021)An Analysis of Strengths and Weaknesses of TLS Utilization in iOS Applications2021 17th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob)10.1109/WiMob52687.2021.9606413(68-73)Online publication date: 11-Oct-2021
https://doi.org/10.1109/WiMob52687.2021.9606413
Hu XLi JWei CLi WZeng XYu PGuan H(2021)STYX: A Hierarchical Key Management System for Elastic Content Delivery Networks on Public CloudsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2019.291827818:2(843-857)Online publication date: 1-Mar-2021
https://doi.org/10.1109/TDSC.2019.2918278
Omolola ORoberts RAshiq MChung TLevin DMislove A(2021)Measurement and Analysis of Automated Certificate ReissuancePassive and Active Measurement10.1007/978-3-030-72582-2_10(161-174)Online publication date: 30-Mar-2021
https://doi.org/10.1007/978-3-030-72582-2_10
Rizvi SKurtz AWilliams IGualdoni JMyzyri IWheeler M(2020)Protecting financial transactions through networks and point of salesJournal of Cyber Security Technology10.1080/23742917.2020.17964744:4(211-239)Online publication date: 29-Jul-2020
https://doi.org/10.1080/23742917.2020.1796474
Chung TLok JChandrasekaran BChoffnes DLevin DMaggs BMislove ARula JSullivan NWilson C(2018)Is the Web Ready for OCSP Must-Staple?Proceedings of the Internet Measurement Conference 201810.1145/3278532.3278543(105-118)Online publication date: 31-Oct-2018
https://dl.acm.org/doi/10.1145/3278532.3278543

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Digital Edition

View this article in digital edition.

Digital Edition

Magazine Site

View this article on the magazine site (external)

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Figures

Tables

Media

View Issue’s Table of Contents