LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

EFF analyzes SSL certificates and certificate authorities

August 11, 2010

This article was contributed by Nathan Willis

The Electronic Frontier Foundation (EFF) undertook a lengthy study of the web's publicly-visible SSL certificates earlier this year, logging the certificates and analyzing their makeup. EFF's Senior Staff Technologist Peter Eckersley and iSEC Partners' Jesse Burns presented the project at DEFCON 18, paying particular attention to what the data reveals about SSL certificate authorities (CAs), which are the entities that sign SSL certificates and are the basis of the trust that web browsers place on certificates. As one might suspect, there are potential vulnerabilities discovered "in the wild" encompassing everything from cryptographically weak certificates to CAs that employ troublesome signing behavior.

The data

Over a period of three months, the SSL Observatory project collected SSL certificate data from around the Internet. The process began by scanning with Nmap for hosts that were listening on port 443 and logging the results. A Python client then initiated an SSL connection handshake with each host, dropping the connection before the key exchange, but saving the certificate and other data for later analysis.

The certificates then needed to be parsed, which is not a trivial task due to the many quirks, options, extensions, missing fields, and other oddities found in real-world certificates. The certificate data was then stored in a MySQL database, that the team could query to examine particular facets of the certificates or the CAs themselves.

The Observatory collected more than 4.3 million certificates, but for analysis purposes pared the list down to only those certificates that could be verified by a browser as valid (based on CA signature, date, key usage, and other attributes), and removed duplicates. That process left 1,377,067 individual certificates.

The individual certificates were then mined for CA trust attributes. SSL uses the X.509 standard, in which each "leaf" certificate can be authenticated by a signature from a trusted CA. The browser retrieves the CA certificate, verifies that the CA's public key created the signature found on the leaf, and verifies the CA certificate itself by checking its signatures by higher-authority CAs, following such a path all the way back to a "root" CA.

Browsers and operating systems come with a predefined list of trusted root CAs. The DEFCON slides note that Mozilla browsers recognize 124 trust roots, and Microsoft lists 19 in Windows — although the Windows list can be updated, silently, on demand. The reason for the large size discrepancy between the two sets is not explained; Mozilla makes its list public, however, and Microsoft periodically publishes a PDF list of trusted "root certificate program members" on its support site. Combined, those two sources of CA trust construct a graph of 1482 total CAs (including roots and subordinates), which was found by the SSL Observatory data to come from 651 distinct organizations when corporate ownership relationships are accounted for.

Analysis

The invalid certificates are a security problem in their own right (such as phishing sites masquerading as well-known organizations, or using mobile network operators operating WAP gateways with wildcard certificates), but the Observatory project was more interested in exploring the makeup of the valid certificates. The web of trust created by the CA model is taken for granted by most users, and developers, so problems with the valid certificates constitute a potentially more damaging security risk.

The first peculiarity found in the certificate data is that a handful of certificates account for a startlingly high percentage of the Internet's signed leaf certificates. Of the 1,377,067 valid certificates, 300,224 of them were signed by a single CA certificate from web hosting company GoDaddy. Another 244,185 were signed by one certificate from Equifax. 89,216 were signed by a Thawte certificate that lacks a Subject Key Identifier (i.e. SKID, a required element that browsers are supposed to use to match the signing key's ID against the key ID found in the signatures on signed certificates), and 85,440 by a single Comodo certificate. Together, these four CA certificates account for signatures on 52.2% of all valid SSL certificates.

The data also revealed a large number of unused certificates and valid CA certificates that share the same public signing key — situations that may be acceptable, but also entail risks. Unused CA certificates, for example, may be made available as a "safety switch" for the CA, allowing it to revoke a compromised certificate and switch to another one that is already known to the world's browsers. There are also situations where it makes sense for multiple CAs to share the same signing key, such as in the case of corporate mergers or acquisitions, where the CAs become legally one entity but continue to use their original issuer identities in business.

But these situations can also cause trouble for browsers, who should not, for example, retain certificates that are unused because the CA has ceased operations. The DEFCON talk also explains how a CA can use the same signing key to artificially extend the life of a signature by creating a second CA certificate identical to the original, but with a later expiration dates. The data set found 80 distinct keys used in more than one CA certificate.

Practical concerns and vulnerabilities

There are also examples of CAs signing what should not be considered valid certificates, such as RFC1918-reserved IP addresses or unqualified host names. There are, for example, more than 6000 certificates validated by trusted CAs for "localhost."

Other problem areas include countries that do not use their own national CA for signing government web sites, certificates that feature conflicting settings (e.g., a certificate that indicates the subject is not a CA, but whose key advertises that it is a CA), and certificates with weak public keys. The presentation identified at least two trusted leaf certificates that use 508-bit RSA keys, signed by Equifax and Thawte.

A more serious problem is certificates that use keys generated by the vulnerable OpenSSL package included in Debian between 2006 and 2008. SSL Observatory cataloged around 28,000 vulnerable certificates, although only 500 are still valid today. Eckersley said that EFF is working with the sites found to fix the vulnerability before it releases the SSL Observatory data set for public consumption.

Aside from the issue of sites still relying on such vulnerable certificates, however, the analysis also found that some CAs still have not issued revocations of the vulnerable certificates that they themselves signed.

Finally, the Observatory team generated a "CA map" connecting the trust relationships between the various root CAs and the subordinate CAs found in the data set. A PDF version of the map is available on the SSL Observatory site. Analysis of that graph, the team noted, reveals some potential problems, including the large number of subordinate-of-subordinate CAs, and important entities that are subordinate CAs — such as Google and the US Department of Homeland Security. There are only 46 countries that have valid root CAs, and there are some surprising absences, such as the Russian Federation and the United Arab Emirates.

The precise risks of a large or important entity not operating its own trust root are probably open for discussion. Surely in the national governments' cases, though, it is unwise to outsource the government's trust to a private third-party, especially a foreign one. Corporations with only a subordinate CA may be at risk to being "held up" by a company beyond their control.

The future of CA trust

The DEFCON presentation closes by posing questions about the future of CA-based SSL. As the site puts it, "the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA," so perhaps the security model needs to be revised, at least reducing complexity and cost.

The project stops short of endorsing specific reforms, instead saying that it hopes the data it has collected so far will serve as a useful research tool for others, and foster more openness and accountability of CAs. Eckersley said that the full data set will be published on August 23, after the team has completed its work to privately discuss the insecure certificates it uncovered.

Mozilla's Johnathan Nightingale applauds the project on his blog, discussing the considerable effort the browser maker puts into maintaining its trusted root CA list, and hopes that the EFF will continue to collect certificates and update the data set on an ongoing basis.

At the very least, this batch of work serves an important purpose, pulling back the curtain on a security layer the web depends on, but which rarely gets discussed. The concerns raised by the analysis thus far cover a wide range: some, like the 6000 "localhost" certificates, are bright red flags, but others are not so straightforward. Is there an attack vector that exploits the fact that more than 300,000 sites all rely on the same GoDaddy CA certificate? Perhaps not, but the mess that would be created if GoDaddy's signing key were to fall into nefarious hands tonight would be tremendous in scope, causing widespread confusion to the majority of the public when the registrar revokes the key and has to re-sign all of its customers' certificates.

The CA-based SSL certificate system has been the target of usability work at Mozilla for quite some time — such as the introduction of "Larry the Passport Officer" in Firefox 3. But there is still a long way to go before the average user will be well-informed about all of the potential risks. X.509 certificates themselves may be more complicated than the average layperson wants to understand, so high-level analysis like SSL Observatory's helps simply by shedding light on the potential problems.

Comments (2 posted)

Brief items

Security quotes of the week

Q: What could such a worm do on my phone?

A: Anything. It could do anything you can do on your phone, and more. So it could destroy or steal all of your data. Track your location. Spam your friends. Listen to your phone calls. Dial the presidents of every country in the world. Anything. And you would pay for all the charges it would create, too.

-- F-Secure's FAQ on the JailbreakMe iPhone vulnerabilities

It's also clear that users should have different rights with respect to each data type. We should be allowed to export, change, and delete disclosed data, even if the social networking sites don't want us to. It's less clear what rights we have for entrusted data -- and far less clear for incidental data. If you post pictures from a party with me in them, can I demand you remove those pictures -- or at least blur out my face?
-- Bruce Schneier in "A Revised Taxonomy of Social Networking Data"

Comments (3 posted)

The EFF SSL Observatory

The EFF has put up a new page for a project which it calls the SSL observatory. They have spent months collecting information about SSL certificates across the net; as one might expect, they have found some interesting things. Those results are really only available as a set of slides [PDF] for now, but it's worth a look. It seems there are over 6,000 valid certificates out there for "localhost"...

Comments (11 posted)

Weekend Project: Secure Instant Messaging with Off The Record (Linux.com)

Linux.com has an article by Nathan Willis about Off The Record (OTR). "Instant messaging, just like email or VoIP traffic, needs to be secure from eavesdroppers, man-in-the-middle attackers, and other security threats. Many IM clients can tunnel messages over transport layer security (TLS) to provide encryption, including XMPP (a.k.a. Jabber), IRC, and the OSCAR protocol used by AIM. TLS provides authentication and encryption at a low level, but a considerably secure solution for IM is a protocol called Off The Record (OTR). Pull up a chair and secure your instant messaging today."

Comments (none posted)

New vulnerabilities

base-files: arbitrary code execution

Package(s):base-files CVE #(s):CVE-2010-0834
Created:August 6, 2010 Updated:August 11, 2010
Description: From the Ubuntu advisory:

It was discovered that the Ubuntu image shipped on some Dell Latitude 2110 systems was accidentally configured to allow unauthenticated package installations. A remote attacker intercepting network communications or a malicious archive mirror server could exploit this to trick the user into installing unsigned packages, resulting in arbitrary code execution with root privileges.

Alerts:
Ubuntu USN-968-1 2010-08-05

Comments (none posted)

dbus-glib: denial of service

Package(s):dbus-glib CVE #(s):CVE-2010-1172
Created:August 11, 2010 Updated:May 27, 2011
Description: From the Red Hat advisory:

It was discovered that dbus-glib did not enforce the "access" flag on exported GObject properties. If such a property were read/write internally but specified as read-only externally, a malicious, local user could use this flaw to modify that property of an application. Such a change could impact the application's behavior (for example, if an IP address were changed the network may not come up properly after reboot) and possibly lead to a denial of service.

Alerts:
Ubuntu USN-1138-2 2011-05-27
Ubuntu USN-1138-1 2011-05-26
SUSE SUSE-SR:2011:007 2011-04-19
openSUSE openSUSE-SU-2011:0300-2 2011-04-08
openSUSE openSUSE-SU-2011:0300-1 2011-04-06
MeeGo MeeGo-SA-10:32 2010-10-09
SUSE SUSE-SR:2010:022 2010-11-30
openSUSE openSUSE-SU-2010:0969-1 2010-11-23
openSUSE openSUSE-SU-2010:0968-1 2010-11-23
SUSE SUSE-SR:2010:020 2010-11-03
Fedora FEDORA-2010-12911 2010-08-17
Fedora FEDORA-2010-12911 2010-08-17
Fedora FEDORA-2010-12911 2010-08-17
Fedora FEDORA-2010-12863 2010-08-17
Fedora FEDORA-2010-12911 2010-08-17
Fedora FEDORA-2010-12863 2010-08-17
CentOS CESA-2010:0616 2010-08-11
CentOS CESA-2010:0616 2010-08-11
Red Hat RHSA-2010:0616-01 2010-08-10
SUSE SUSE-SR:2010:019 2010-10-25

Comments (none posted)

freetype: arbitrary code execution

Package(s):freetype CVE #(s):CVE-2010-1797
Created:August 6, 2010 Updated:October 21, 2010
Description: From the Red Hat advisory:

Two stack overflow flaws were found in the way the FreeType font engine processed certain Compact Font Format (CFF) character strings (opcodes). If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

Alerts:
Debian DSA-2105-1 2010-09-07
SUSE SUSE-SR:2010:016 2010-08-26
openSUSE openSUSE-SU-2010:0549-1 2010-08-25
Fedora FEDORA-2010-15705 2010-10-05
Ubuntu USN-972-1 2010-08-17
CentOS CESA-2010:0607 2010-08-16
Pardus 2010-114 2010-08-12
Mandriva MDVSA-2010:149 2010-08-12
CentOS CESA-2010:0607 2010-08-06
Red Hat RHSA-2010:0607-02 2010-08-05
Mandriva MDVSA-2010:201 2010-10-13
Gentoo 201201-09 2012-01-23
SUSE SUSE-SU-2012:0553-1 2012-04-23

Comments (none posted)

git: arbitrary code execution

Package(s):git CVE #(s):CVE-2010-2542
Created:August 9, 2010 Updated:February 22, 2011
Description: From the Pardus advisory:

An exploitable buffer overrun was fixed in git. In particular, if an attacker were to create a crafted working copy where the user runs any git command, the attacker could force execution of arbitrary code.

Alerts:
SUSE SUSE-SR:2011:004 2011-02-22
openSUSE openSUSE-SU-2011:0115-1 2011-02-16
MeeGo MeeGo-SA-10:26 2010-09-03
Debian DSA-2114-1 2010-09-26
Fedora FEDORA-2010-15534 2010-09-30
Mandriva MDVSA-2010:194 2010-10-03
Pardus 2010-103 2010-08-09
Fedora FEDORA-2010-15501 2010-09-30

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2008-7256 CVE-2010-1436 CVE-2010-1643 CVE-2010-2492
Created:August 5, 2010 Updated:January 21, 2011
Description: From the Ubuntu advisory:

Junjiro R. Okajima discovered that knfsd did not correctly handle strict overcommit. A local attacker could exploit this to crash knfsd, leading to a denial of service. (Only Ubuntu 6.06 LTS and 8.04 LTS were affected.) (CVE-2008-7256, CVE-2010-1643)

Mario Mikocevic discovered that GFS2 did not correctly handle certain quota structures. A local attacker could exploit this to crash the system, leading to a denial of service. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-1436)

Andre Osterhues discovered that eCryptfs did not correctly calculate hash values. A local attacker with certain uids could exploit this to crash the system or potentially gain root privileges. (Ubuntu 6.06 LTS was not affected.) (CVE-2010-2492)

Alerts:
Red Hat RHSA-2011:0007-01 2011-01-11
MeeGo MeeGo-SA-10:38 2010-10-09
openSUSE openSUSE-SU-2010:0664-1 2010-09-23
Mandriva MDVSA-2010:188 2010-09-23
Debian DSA-2110-1 2010-09-17
Mandriva MDVSA-2010:172 2010-09-09
Mandriva MDVSA-2010:198 2010-10-07
Red Hat RHSA-2010:0631-01 2010-08-17
Ubuntu USN-966-1 2010-08-04
CentOS CESA-2010:0723 2010-09-30
Red Hat RHSA-2010:0723-01 2010-09-29

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2010-2248 CVE-2010-2521
Created:August 6, 2010 Updated:March 21, 2011
Description: From the Red Hat advisory:

* a flaw was found in the CIFSSMBWrite() function in the Linux kernel Common Internet File System (CIFS) implementation. A remote attacker could send a specially-crafted SMB response packet to a target CIFS client, resulting in a kernel panic (denial of service). (CVE-2010-2248, Important)

* buffer overflow flaws were found in the Linux kernel's implementation of the server-side External Data Representation (XDR) for the Network File System (NFS) version 4. An attacker on the local network could send a specially-crafted large compound request to the NFSv4 server, which could possibly result in a kernel panic (denial of service) or, potentially, code execution. (CVE-2010-2521, Important)

Alerts:
Mandriva MDVSA-2011:051 2011-03-18
Ubuntu USN-1083-1 2011-03-03
Ubuntu USN-1074-2 2011-02-28
Ubuntu USN-1074-1 2011-02-25
SUSE SUSE-SA:2010:060 2010-12-14
Red Hat RHSA-2010:0907-01 2010-11-23
Red Hat RHSA-2010:0893-01 2010-11-16
openSUSE openSUSE-SU-2010:0664-1 2010-09-23
Mandriva MDVSA-2010:188 2010-09-23
SUSE SUSE-SA:2010:040 2010-09-13
SUSE SUSE-SA:2010:038 2010-09-03
SUSE SUSE-SA:2010:036 2010-09-01
CentOS CESA-2010:0606 2010-08-27
Ubuntu USN-1000-1 2010-10-19
Mandriva MDVSA-2010:198 2010-10-07
Debian DSA-2094-1 2010-08-19
Red Hat RHSA-2010:0631-01 2010-08-17
Pardus 2010-112 2010-08-12
CentOS CESA-2010:0610 2010-08-11
Red Hat RHSA-2010:0610-01 2010-08-10
Red Hat RHSA-2010:0606-01 2010-08-05

Comments (none posted)

openconnect: man-in-the-middle attack

Package(s):openconnect CVE #(s):
Created:August 11, 2010 Updated:August 11, 2010
Description: From the Fedora advisory:

This update enables validation of the VPN server's SSL certificate by default, to defend against a potential man-in-the-middle attack.

Alerts:
Fedora FEDORA-2010-12253 2010-08-07
Fedora FEDORA-2010-12257 2010-08-07

Comments (none posted)

php5: denial of service

Package(s):php5 CVE #(s):CVE-2010-1917
Created:August 6, 2010 Updated:December 2, 2010
Description: From the Debian advisory:

The fnmatch function can be abused to conduct denial of service attacks (by crashing the interpreter) by the means of a stack overflow.

Alerts:
Gentoo 201110-06 2011-10-10
CentOS CESA-2010:0919 2010-12-01
CentOS CESA-2010:0919 2010-11-30
Red Hat RHSA-2010:0919-01 2010-11-29
SUSE SUSE-SR:2010:017 2010-09-21
Ubuntu USN-989-1 2010-09-20
openSUSE openSUSE-SU-2010:0599-1 2010-09-10
Slackware SSA:2010-240-04 2010-08-30
Fedora FEDORA-2010-11428 2010-07-27
Fedora FEDORA-2010-11481 2010-07-27
Fedora FEDORA-2010-11428 2010-07-27
Fedora FEDORA-2010-11481 2010-07-27
Fedora FEDORA-2010-11428 2010-07-27
Fedora FEDORA-2010-11481 2010-07-27
Debian DSA-2089-1 2010-08-06
openSUSE openSUSE-SU-2010:0678-1 2010-09-29
SUSE SUSE-SR:2010:018 2010-10-06

Comments (none posted)

socat: arbitrary code execution

Package(s):socat CVE #(s):CVE-2010-2799
Created:August 9, 2010 Updated:March 7, 2011
Description: From the Debian advisory:

A stack overflow vulnerability was found in socat that allows an attacker to execute arbitrary code with the privileges of the socat process.

Alerts:
Fedora FEDORA-2011-0098 2011-01-04
Mandriva MDVSA-2010:183 2010-09-15
Fedora FEDORA-2010-13403 2010-08-24
Fedora FEDORA-2010-13412 2010-08-24
Debian DSA-2090-1 2010-08-06

Comments (none posted)

strongswan: code execution

Package(s):strongswan CVE #(s):CVE-2010-2628
Created:August 10, 2010 Updated:August 17, 2010
Description: From the openSUSE advisory:

Remote unauthenticated attackers could cause a buffer overflow in strongswan's IKE deamon by using specially crafted certificates or identify information. Attackers could potentially exploit that to execute code.

Alerts:
SUSE SUSE-SR:2010:015 2010-08-17
openSUSE openSUSE-SU-2010:0496-1 2010-08-10

Comments (none posted)

wget: code execution

Package(s):wget CVE #(s):CVE-2010-2252
Created:August 5, 2010 Updated:October 14, 2011
Description: From the Debian advisory:

It was discovered that wget, a command line tool for downloading files from the WWW, uses server-provided file names when creating local files. This may lead to code execution in some scenarios.

Alerts:
Gentoo 201110-10 2011-10-13
Pardus 2011-29 2011-02-12
MeeGo MeeGo-SA-10:36 2010-11-03
Mandriva MDVSA-2010:170 2010-09-02
Ubuntu USN-982-1 2010-09-02
Debian DSA-2088-1 2010-08-05

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds