skip to main content
research-article
Public Access

Analysis of SSL certificate reissues and revocations in the wake of heartbleed

Published:21 February 2018Publication History
Skip Abstract Section

Abstract

A properly managed public key infrastructure (PKI) is critical to ensure secure communication on the Internet. Surprisingly, some of the most important administrative steps---in particular, reissuing new X.509 certificates and revoking old ones---are manual and remained unstudied, largely because it is difficult to measure these manual processes at scale.

We use Heartbleed, a widespread OpenSSL vulnerability from 2014, as a natural experiment to determine whether administrators are properly managing their certificates. All domains affected by Heartbleed should have patched their software, revoked their old (possibly compromised) certificates, and reissued new ones, all as quickly as possible. We find the reality to be far from the ideal: over 73% of vulnerable certificates were not reissued and over 87% were not revoked three weeks after Heartbleed was disclosed. Our results also show a drastic decline in revocations on the weekends, even immediately following the Heartbleed announcement. These results are an important step in understanding the manual processes on which users rely for secure, authenticated communication.

References

  1. Alexa Top 1 Million Domains. http://s3.amazonaws.com/alexa-static/top-1m.csv.zip.Google ScholarGoogle Scholar
  2. Botan SSL Library. http://botan.randombit.net.Google ScholarGoogle Scholar
  3. CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information. http://www.kb.cert.org/vuls/id/720951.Google ScholarGoogle Scholar
  4. Chung, T., Liu, Y., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C. Measuring and applying invalid SSL certificates: The silent majority. In ACM Internet Measurement Conference (IMC) (2016). Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A. Analysis of the HTTPS certificate ecosystem. In ACM Internet Measurement Conference (IMC) (2013). Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Durumeric, Z., Kasten, J., Li, F., Amann, J., Beekman, J., Payer, M., Weaver, N., Halderman, J.A., Paxson, V., Bailey, M. The matter of Heartbleed. In ACM Internet Measurement Conference (IMC) (2014). Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Eastlake, D III. Transport Layer Security (TLS) Extensions: Extension Definitions, Jan. 2011. IETF RFC-6066.Google ScholarGoogle Scholar
  8. Grubb, B. Heartbleed disclosure timeline: who knew what and when, 2014. http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html.Google ScholarGoogle Scholar
  9. Holz, R., Braun, L., Kammenhuber, N., Carle, G. The SSL landscape -- A thorough analysis of the X.509 PKI using active and passive measurements. In ACM Internet Measurement Conference (IMC) (2011). Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Huang, L.S., Rice, A., Ellingsen, E., Jackson, C. Analyzing forged SSL certificates in the wild. In IEEE Symposium on Security and Privacy (S&P) (2014). Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Liu, Y., Tome, W., Zhang, L., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Schulman, A., Wilson, C. An end-to-end measurement of certificate revocation in the web's PKI. In ACM Internet Measurement Conference (IMC) (2015). Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Mac OS X 10.9.2 Root Certificates. http://support.apple.com/kb/HT6005.Google ScholarGoogle Scholar
  13. Mutton, P. Half a million widely trusted websites vulnerable to heartbleed bug, 2014. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html.Google ScholarGoogle Scholar
  14. Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T. The attack of the clones: A study of the impact of shared code on vulnerability patching. In IEEE Symposium on Security and Privacy (S&P) (2015). Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. OpenSSL Project. https://www.openssl.org.Google ScholarGoogle Scholar
  16. Rapid7 SSL Certificate Scans. https://scans.io/study/sonar.ssl.Google ScholarGoogle Scholar
  17. Seggelmann, R., Tuexen, M., Williams, M. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, Feb. 2012. IETF RFC-6520.Google ScholarGoogle Scholar
  18. Sullivan, N. The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued, 2014. http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued.Google ScholarGoogle Scholar
  19. Sullivan, N. The Results of the CloudFlare Challenge, 2014. http://blog.cloudflare.com/the-results-of-the-cloudflare-challenge.Google ScholarGoogle Scholar
  20. The GnuTLS Transport Layer Security Library. http://www.gnutls.org.Google ScholarGoogle Scholar
  21. Topalovic, E., Saeta, B., Huang, L.-S., Jackson, C., Boneh, D. Toward shortlived certificates. In Web 2.0 Security & Privacy (W2SP) (2012).Google ScholarGoogle Scholar
  22. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In ACM Internet Measurement Conference (IMC) (2009). Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Analysis of SSL certificate reissues and revocations in the wake of heartbleed

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image Communications of the ACM
        Communications of the ACM  Volume 61, Issue 3
        March 2018
        107 pages
        ISSN:0001-0782
        EISSN:1557-7317
        DOI:10.1145/3190347
        Issue’s Table of Contents

        Copyright © 2018 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 21 February 2018

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Research
        • Refereed

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      HTML Format

      View this article in HTML Format .

      View HTML Format