DOI: 10.1145/3278532.3278543

Is the Web Ready for OCSP Must-Staple?

Published: 31 October 2018

Abstract

    TLS, the de facto standard protocol for securing communications over the Internet, relies on a hierarchy of certificates that bind names to public keys. Naturally, ensuring that the communicating parties are using only valid certificates is a necessary first step in order to benefit from the security of TLS. To this end, most certificates and clients support OCSP, a protocol for querying a certificate's revocation status and confirming that it is still valid. Unfortunately, however, OCSP has been criticized for its slow performance, unreliability, soft-failures, and privacy issues. To address these issues, the OCSP Must-Staple certificate extension was introduced, which requires web servers to provide OCSP responses to clients during the TLS handshake, making revocation checks low-cost for clients. Whether all of the players in the web's PKI are ready to support OCSP Must-Staple, however, remains an open question.
    In this paper, we take a broad look at the web's PKI and determine if all components involved (namely, certificate authorities, web server administrators, and web browsers) are ready to support OCSP Must-Staple. We find that each component does not yet fully support OCSP Must-Staple: OCSP responders are still not fully reliable, and most major web browsers and web server implementations do not fully support OCSP Must-Staple. On the bright side, only a few players need to take action to make it possible for web server administrators to begin relying on certificates with OCSP Must-Staple. Thus, we believe a much wider deployment of OCSP Must-Staple is a realistic and achievable goal.


    Published In

    IMC '18: Proceedings of the Internet Measurement Conference 2018
    October 2018
    507 pages
    ISBN:9781450356190
    DOI:10.1145/3278532
    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. HTTPS
    2. OCSP
    3. PKI
    4. Public Key Infrastructure

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • CNS-1563320
    • CNS-1564143

    Conference

    IMC '18
    IMC '18: Internet Measurement Conference
    October 31 - November 2, 2018
    MA, Boston, USA

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%
