Chair of Network Architectures and Services
Department of Informatics
Technical University of Munich

Evaluating Network Security Using Internet-wide Measurements

Oliver Gasser

Ph.D. Defense, Friday 24th May, 2019

Chairman: Prof. Dr. Jörg Ott
Examiners: Prof. Dr.-Ing. Georg Carle, Prof. Anja Feldmann, Ph.D.
Motivation

The Internet

• Internet measurements can be leveraged to empirically assess security of
  • protocols,
  • devices,
  • implementations, and
  • configurations
• Vast IPv6 address space poses big challenge for Internet measurements

Goals

• Improve measurement methodology for Internet-wide security measurements (IPv4 and IPv6)
• Empirically assess security of three different protocols: HTTPS, BACnet, IPMI
Research questions

RQ I: How can we perform Internet-scale IPv6 measurements? (Chapter 3)
  ZMapv6, goscanner
RQ II: How biased are address sources for IPv6 hitlists? (Chapter 4)
  Passive sources, active sources, biases in sources, IPv6 Hitlist Service
RQ III: Are HTTPS servers still vulnerable to MitM attacks? (Chapter 5)
  Certificate security, HTTPS security
RQ IV: Are BACnet devices vulnerable to amplification attacks? (Chapter 6)
  Deployment, amplification, notification
RQ V: Are IPMI devices vulnerable to MitM attacks? (Chapter 7)
  Deployment, TLS security
RQ II: How biased are address sources for IPv6 hitlists?
RQ II: How biased are address sources for IPv6 hitlists?

Motivation
• IPv6 address space too large to perform brute-force measurements
• Assemble lists of IPv6 target addresses: IPv6 hitlists

Measurements & analyses
• Passive and active measurements
• Empirical analysis of different types of biases
  • Weekly patterns
  • Different host populations
  • Different number of addresses
  • Over-representation of certain prefixes
RQ II: How biased are address sources for IPv6 hitlists?

IPv6 hitlist passive sources: new IPv6 addresses per day

[Figure: share of unique IPs per day that are new (0–100 %), 2015-09-03 to 2015-09-16, for the two passive sources IXP and MWN; weekends marked]

• Large share of new addresses each day hints at privacy extensions (RFC 4941 temporary addresses are regenerated regularly, by default daily, so the same hosts reappear under fresh interface identifiers)
RQ II: How biased are address sources for IPv6 hitlists?

IPv6 hitlist passive vs. active sources: Hamming weight distribution

[Figure: two histograms of the number of IID bits set to '1' (0–64, frequency in %), one for the IXP passive source and one for traceroute addresses; each panel overlays the N(31.5, 15.75) curve expected for random IIDs]

• Different host populations: clients at IXP (privacy extensions) vs. routers (manually assigned addresses)
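The statistic plotted above, as an added Go example that is not code from the thesis or from goscanner: it computes the Hamming weight of the 64-bit interface identifier and sorts addresses by whether that weight is plausible for a random IID. The reference curve N(31.5, 15.75) on the figure is the normal approximation of Binomial(63, 1/2), which is what RFC 4941 temporary addresses produce (63 random bits, the universal/local bit cleared). The ±3σ band used for classification and the sample addresses are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math"
	"math/bits"
	"net/netip"
)

// Reference distribution for RFC 4941 temporary (privacy-extension) IIDs:
// 63 uniformly random bits (the universal/local bit is forced to 0), i.e.
// Binomial(63, 1/2), approximated by the N(31.5, 15.75) curve in the figure
// (mean 31.5, variance 15.75).
const (
	randomIIDMean     = 31.5
	randomIIDVariance = 15.75
)

// iidWeight returns the Hamming weight of the 64-bit interface identifier,
// i.e. the number of bits set to '1' in the low half of the address.
func iidWeight(a netip.Addr) int {
	b := a.As16()
	return bits.OnesCount64(binary.BigEndian.Uint64(b[8:]))
}

// looksRandomIID reports whether the IID weight lies within three standard
// deviations of the random-IID distribution (an assumption of this example).
// Manually numbered addresses such as ...::1 or ...::53 fall far below it.
func looksRandomIID(a netip.Addr) bool {
	z := (float64(iidWeight(a)) - randomIIDMean) / math.Sqrt(randomIIDVariance)
	return math.Abs(z) <= 3
}

// weightHistogram counts addresses per IID weight (0..64); dividing by
// len(addrs) gives the frequency plot shown in the figure.
func weightHistogram(addrs []netip.Addr) [65]int {
	var h [65]int
	for _, a := range addrs {
		h[iidWeight(a)]++
	}
	return h
}

func main() {
	// Constructed sample (documentation prefix 2001:db8::/32): two addresses
	// with random-looking IIDs taken from the alias-detection slide and two
	// router-style addresses with hand-assigned IIDs.
	sample := []string{
		"2001:db8:407:8000:151:2900:77e9:3a8",
		"2001:db8:407:8000:15ab:3855:92a0:2341",
		"2001:db8::1",
		"2001:db8:1::53",
	}
	var addrs []netip.Addr
	for _, s := range sample {
		addrs = append(addrs, netip.MustParseAddr(s))
	}
	for _, a := range addrs {
		fmt.Printf("%-40s weight=%2d random-looking=%v\n", a, iidWeight(a), looksRandomIID(a))
	}
	h := weightHistogram(addrs)
	for w, n := range h {
		if n > 0 {
			fmt.Printf("weight %2d: %d address(es)\n", w, n)
		}
	}
}
```

Run over a whole hitlist source, the histogram separates the two populations on the slide: a bell around 31.5 for privacy-extension clients, a spike at very low weights for routers and servers with hand-picked IIDs.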
RQ II: How biased are address sources for IPv6 hitlists?

IPv6 hitlist active sources: cumulative address run-up

[Figure: cumulative number of addresses (0–60 M) per active source from 2017-08 to 2018-04; sources: domain lists, DNS ANY, CT, AXFR, Bitnodes, RIPE Atlas, traceroute]

• Many addresses from domain lists, CT, and traceroutes
• Rapid increase of traceroute addresses due to CPE routers
RQ II: How biased are address sources for IPv6 hitlists?

Taxonomy
• Alias: another address of the same host
• Aliased prefix: whole prefix bound to the same host
• Bias: some hosts over-represented due to aliased prefixes

Aliased prefix detection

Prefix under test: 2001:0db8:0407:8000::/64

Probe one random address in each of the 16 sub-branches given by the first nibble of the interface identifier:
  2001:0db8:0407:8000:0151:2900:77e9:03a8
  2001:0db8:0407:8000:15ab:3855:92a0:2341
  …
  2001:0db8:0407:8000:eaae:cb10:9321:ba76
  2001:0db8:0407:8000:f693:2443:915e:1d2e

16 branches (random IPs)
RQ II: How biased are address sources for IPv6 hitlists?

Detected aliased prefixes
• Only 3.2 % of prefixes are aliased
• But 46.6 % of addresses are in aliased prefixes → bias
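The probing scheme from the aliased-prefix detection slide and the bias figures from this one, as an added Go example that is not the thesis's own detection code. The decision rule (a prefix counts as aliased when all 16 probes answer), the constructed responses and the constructed hitlist are assumptions of the example; it also generalises the slide's /64 case to any IPv6 prefix up to /124 by placing the branch nibble directly after the prefix.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/netip"
)

// randomInPrefix draws a uniformly random address inside p.
func randomInPrefix(p netip.Prefix) netip.Addr {
	var r [16]byte
	if _, err := rand.Read(r[:]); err != nil {
		panic(err)
	}
	base := p.Masked().Addr().As16()
	for j := 0; j < 16; j++ {
		keep := p.Bits() - 8*j // prefix bits that fall into byte j
		switch {
		case keep >= 8:
			r[j] = base[j]
		case keep > 0:
			m := byte(0xff) << (8 - keep)
			r[j] = base[j]&m | r[j]&^m
		}
	}
	return netip.AddrFrom16(r)
}

// setBranch overwrites the 4 bits right after the prefix with branch (0..f),
// so that the 16 probes land in 16 distinct sub-prefixes of p.
func setBranch(a netip.Addr, bits int, branch byte) netip.Addr {
	b := a.As16()
	for i := 0; i < 4; i++ {
		pos := bits + i
		mask := byte(0x80) >> (pos % 8)
		if branch&(0x8>>i) != 0 {
			b[pos/8] |= mask
		} else {
			b[pos/8] &^= mask
		}
	}
	return netip.AddrFrom16(b)
}

// aliasProbes returns the 16 probe targets for p, one per branch nibble.
// For a /64 this is exactly the pattern on the slide: the first IID nibble
// runs from 0 to f and the remaining 60 bits are random.
func aliasProbes(p netip.Prefix) ([16]netip.Addr, error) {
	var probes [16]netip.Addr
	if !p.Addr().Is6() || p.Bits() > 124 {
		return probes, fmt.Errorf("need an IPv6 prefix of at most /124, got %s", p)
	}
	for branch := 0; branch < 16; branch++ {
		probes[branch] = setBranch(randomInPrefix(p), p.Bits(), byte(branch))
	}
	return probes, nil
}

// isAliased applies the decision rule assumed in this example: the prefix
// is aliased when all 16 random probes respond. A normally numbered /64
// would almost never answer at 16 random addresses.
func isAliased(probes [16]netip.Addr, responded map[netip.Addr]bool) bool {
	for _, a := range probes {
		if !responded[a] {
			return false
		}
	}
	return true
}

// aliasBias yields the two shares from the "Detected aliased prefixes"
// slide: the fraction of distinct /bits prefixes in the hitlist that are
// aliased, and the fraction of hitlist addresses inside aliased prefixes.
func aliasBias(hitlist []netip.Addr, aliased map[netip.Prefix]bool, bits int) (prefixShare, addrShare float64) {
	seen := map[netip.Prefix]bool{}
	inAliased := 0
	for _, a := range hitlist {
		p := netip.PrefixFrom(a, bits).Masked()
		seen[p] = true
		if aliased[p] {
			inAliased++
		}
	}
	aliasedPrefixes := 0
	for p := range seen {
		if aliased[p] {
			aliasedPrefixes++
		}
	}
	return float64(aliasedPrefixes) / float64(len(seen)), float64(inAliased) / float64(len(hitlist))
}

func main() {
	p := netip.MustParsePrefix("2001:db8:407:8000::/64")
	probes, _ := aliasProbes(p)
	fmt.Println("probe targets for", p)
	for _, a := range probes {
		fmt.Println(" ", a)
	}

	// Constructed responses: every probe answers, as with one host that
	// answers for the whole /64.
	responded := map[netip.Addr]bool{}
	for _, a := range probes {
		responded[a] = true
	}
	fmt.Println("aliased:", isAliased(probes, responded))

	// Constructed hitlist: three addresses inside the aliased /64 and one in
	// each of three other /64s. One prefix in four is aliased, but half of
	// the addresses are.
	hitlist := []netip.Addr{
		probes[0], probes[1], probes[2],
		netip.MustParseAddr("2001:db8:1::1"),
		netip.MustParseAddr("2001:db8:2::1"),
		netip.MustParseAddr("2001:db8:3::1"),
	}
	ps, as := aliasBias(hitlist, map[netip.Prefix]bool{p: true}, 64)
	fmt.Printf("aliased prefixes: %.1f %%, addresses in aliased prefixes: %.1f %%\n", 100*ps, 100*as)
}
```

The two shares diverge exactly the way the slide reports: a few aliased prefixes can carry a large share of the addresses, which is why a hitlist should be de-aliased (one representative address per aliased prefix) before it is used as a scan target list.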
RQ II: How biased are address sources for IPv6 hitlists?

IPv6 Hitlist Service
• Daily publication
• Responsive IPv6 addresses for 5 protocol-port combinations
• Aliased and non-aliased IPv6 prefixes
• Dozens of fellow researchers have access
RQ II: How biased are address sources for IPv6 hitlists?

Summary
• Identified different types of biases in IPv6 hitlist sources
  • Distort targets by almost 50 %
  • Biases can be detected
• IPv6 Hitlist Service provides fellow researchers with access to daily IPv6 address data

Publications (this research question)
• Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczynski, Stephen D. Strowes, Luuk Hendriks, and Georg Carle, “Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists”, IMC’18.
• Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle, “Scanning the IPv6 Internet: Towards a Comprehensive Hitlist”, TMA’16.
RQ III: Are HTTPS servers still vulnerable to MitM attacks?
RQ III: Are HTTPS servers still vulnerable to MitM attacks?

Motivation
• The HTTPS ecosystem has experienced many security issues which allow for MitM attacks (e.g., misissued certificates, weak keys, CA breaches)
• A number of HTTPS security extensions have been proposed to make the HTTPS ecosystem more secure

Measurements & analyses
• Active measurements
• Empirical analysis of different HTTPS ecosystem weaknesses
  • Insecure certificates
  • Downgrade from HTTPS to HTTP
  • Misissued certificates
RQ III: Are HTTPS servers still vulnerable to MitM attacks?

Baseline Requirements (BRs)
• Rules regarding certificates and issuing processes which CAs must adhere to
• Devised within the CA/Browser Forum
• Each requirement has an enforcement date

Analyze BR adherence of all certificates in Certificate Transparency (CT) logs
• Must not use 1024-bit RSA keys
• Must not use the SHA-1 signature algorithm
• Must contain a SAN in addition to the CN
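The three rules above as an added Go check; this is not part of the thesis's tooling and uses only the standard library. `brViolations` inspects a parsed certificate, `checkDER` takes the DER bytes a CT log hands out, and `selfSigned` creates throw-away certificates so the check can be exercised offline. Enforcement dates are deliberately ignored (every rule is treated as in force, which is the right view for a certificate that is still valid); the example domain names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// brViolations returns which of the three Baseline Requirements rules from
// the slide a certificate breaks: RSA key shorter than 2048 bits, SHA-1
// signature, or no subjectAltName (only a CN).
func brViolations(c *x509.Certificate) []string {
	var v []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		v = append(v, fmt.Sprintf("RSA key of %d bits (< 2048)", pub.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		v = append(v, "SHA-1 signature algorithm")
	}
	if len(c.DNSNames)+len(c.IPAddresses) == 0 {
		v = append(v, "no subjectAltName (dNSName/iPAddress), only CN")
	}
	return v
}

// checkDER parses one DER-encoded certificate, e.g. a leaf taken from a CT
// log entry, and reports its violations.
func checkDER(der []byte) ([]string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return brViolations(c), nil
}

// selfSigned builds a throw-away self-signed certificate so the checks can
// be exercised offline; sans == nil yields a CN-only certificate.
func selfSigned(bits int, alg x509.SignatureAlgorithm, cn string, sans []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		DNSNames:           sans,
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed test certificates: one breaking two rules, one SHA-1
	// signed, one clean.
	cases := []struct {
		name string
		bits int
		alg  x509.SignatureAlgorithm
		sans []string
	}{
		{"weak.example", 1024, x509.SHA256WithRSA, nil},
		{"sha1.example", 2048, x509.SHA1WithRSA, []string{"sha1.example"}},
		{"good.example", 2048, x509.SHA256WithRSA, []string{"good.example"}},
	}
	for _, tc := range cases {
		c, err := selfSigned(tc.bits, tc.alg, tc.name, tc.sans)
		if err != nil {
			// A future toolchain may refuse to produce SHA-1 signatures at all.
			fmt.Printf("%s: could not create certificate: %v\n", tc.name, err)
			continue
		}
		v, _ := checkDER(c.Raw)
		fmt.Printf("%s: %d violation(s) %v\n", tc.name, len(v), v)
	}
}
```

To reproduce the time series on the next slide, feed every certificate from a CT log through `checkDER`, bucket the violations by the certificate's validity window, and count how many violating certificates are still within their validity at each point in time.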
RQ III: Are HTTPS servers still vulnerable to MitM attacks?

BR violations of certificates in CT logs

[Figure: number of valid CT certificates over time (log scale, 10^1 to 10^8), 1996-01 to 2020-01, for three violation classes: 1024-bit RSA keys, SHA-1 signature algorithm, only CN without SAN]

• Enforcement of stricter rules helps curb the number of insecure certificates
• But: many valid insecure certificates are found in CT logs
RQ III: Are HTTPS servers still vulnerable to MitM attacks?

HTTP Strict Transport Security (HSTS) deployment
• Significant usage among top domains
• Preloading highly used among top domains, smaller usage among general population
RQ III: Are HTTPS servers still vulnerable to MitM attacks?

HTTP Public Key Pinning (HPKP) deployment
• Low usage among general population
• High usage through preloading among top domains
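The HSTS and HPKP headers from the last two slides, plus the HTTPS-to-HTTP downgrade listed among the measured weaknesses, as an added Go example that is not part of goscanner or the thesis. It parses the two policy headers and decides whether a policy is in effect, whether an HSTS policy meets the preload submission rules, and whether a redirect sends the client back to plain HTTP. The preload rule (max-age of at least one year, includeSubDomains, and the preload token) is taken from the hstspreload.org requirements and is an assumption of the example; all header values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// directives splits a policy header value such as
// `max-age=31536000; includeSubDomains; preload` into lower-cased directive
// names and their (unquoted) values. A name may repeat, which HPKP relies
// on for its multiple pin-sha256 entries.
func directives(value string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(value, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		name, val, _ := strings.Cut(part, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		out[name] = append(out[name], strings.Trim(strings.TrimSpace(val), `"`))
	}
	return out
}

// maxAge extracts the mandatory max-age directive as a non-negative number.
func maxAge(d map[string][]string, header string) (int64, error) {
	ma, ok := d["max-age"]
	if !ok {
		return 0, fmt.Errorf("%s: missing max-age", header)
	}
	n, err := strconv.ParseInt(ma[0], 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("%s: bad max-age %q", header, ma[0])
	}
	return n, nil
}

type HSTS struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a Strict-Transport-Security value (RFC 6797).
func ParseHSTS(value string) (HSTS, error) {
	d := directives(value)
	n, err := maxAge(d, "hsts")
	if err != nil {
		return HSTS{}, err
	}
	_, sub := d["includesubdomains"]
	_, pre := d["preload"]
	return HSTS{MaxAge: n, IncludeSubDomains: sub, Preload: pre}, nil
}

// Active reports whether the policy pins the host to HTTPS at all;
// max-age=0 is the documented way of switching HSTS off again.
func (h HSTS) Active() bool { return h.MaxAge > 0 }

// Preloadable applies the hstspreload.org submission rules assumed here:
// max-age of at least one year, includeSubDomains and the preload token.
func (h HSTS) Preloadable() bool {
	return h.MaxAge >= 365*24*3600 && h.IncludeSubDomains && h.Preload
}

type HPKP struct {
	MaxAge            int64
	Pins              []string
	IncludeSubDomains bool
}

// ParseHPKP parses a Public-Key-Pins value (RFC 7469). A policy is only
// usable with max-age and at least two pin-sha256 values (one of them a
// backup pin), so anything weaker is rejected.
func ParseHPKP(value string) (HPKP, error) {
	d := directives(value)
	n, err := maxAge(d, "hpkp")
	if err != nil {
		return HPKP{}, err
	}
	pins := d["pin-sha256"]
	if len(pins) < 2 {
		return HPKP{}, errors.New("hpkp: fewer than two pin-sha256 values")
	}
	_, sub := d["includesubdomains"]
	return HPKP{MaxAge: n, Pins: pins, IncludeSubDomains: sub}, nil
}

// RedirectsToHTTP flags an HTTPS response whose redirect target is plain
// HTTP, the downgrade case listed among the measured weaknesses.
func RedirectsToHTTP(status int, location string) bool {
	if status < 300 || status > 399 || location == "" {
		return false
	}
	u, err := url.Parse(location)
	return err == nil && strings.EqualFold(u.Scheme, "http")
}

func main() {
	// Constructed header values; none of them were observed on a real host.
	for _, v := range []string{
		"max-age=31536000; includeSubDomains; preload",
		"max-age=0",
		"includeSubDomains",
	} {
		h, err := ParseHSTS(v)
		fmt.Printf("HSTS %-46q active=%-5v preloadable=%-5v err=%v\n", v, h.Active(), h.Preloadable(), err)
	}
	pinA := strings.Repeat("A", 43) + "=" // placeholder base64 SHA-256 pins
	pinB := strings.Repeat("B", 43) + "="
	_, err := ParseHPKP(`pin-sha256="` + pinA + `"; max-age=5184000`)
	fmt.Println("HPKP with one pin:", err)
	p, err := ParseHPKP(`pin-sha256="` + pinA + `"; pin-sha256="` + pinB + `"; max-age=5184000`)
	fmt.Println("HPKP with two pins:", len(p.Pins), "pins, err:", err)
	fmt.Println("downgrade redirect:", RedirectsToHTTP(301, "http://example.com/"))
}
```

Two caveats when using such checks on scan data: a header is only a policy if it is served over HTTPS (browsers ignore HSTS on plain HTTP), and HPKP has since been withdrawn from mainstream browsers (Chrome removed support in early 2019), so a Public-Key-Pins header seen today is a legacy signal rather than active protection.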
RQ III: Are HTTPS servers still vulnerable to MitM attacks?

Summary
• Thousands of insecure certificates are still valid
• High usage of HSTS and HPKP among top domains, mostly due to preloading
• Insecure certificates and lack of HTTPS security techniques make hosts vulnerable to Man-in-the-Middle attacks

Publications (this research question)
• Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, and Georg Carle, “In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements”, PAM’18.
• Quirin Scheitle, Oliver Gasser, Theodor Nolte, Johanna Amann, Lexi Brent, Georg Carle, Ralph Holz, Thomas C. Schmidt, and Matthias Wählisch, “The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem”, IMC’18.
• Johanna Amann, Oliver Gasser, Quirin Scheitle, Lexi Brent, Georg Carle, and Ralph Holz, “Mission Accomplished? HTTPS Security after DigiNotar”, IMC’17.
Comparison to related work

| | Holz (2014) [8] | Durumeric (2017) [2] | Fiebig (2017) [3] | Hendriks (2019) [7] | This dissertation |
|---|---|---|---|---|---|
| IPv6 measurements | ✗ | ✗ | ✓ | ✓ | ✓ |
| Bias analyses | ✗ | ✗ | ✓ | ✗ | ✓ |
| HTTPS security analyses | ✓ | ✓ | ✗ | ✗ | ✓ |
| Reproducibility efforts | ✗ | ✗ | ✓ | ✗ | ✓ |
| Measurement service | ✗ | ✓ | ✗ | ✗ | ✓ |
Key contributions
• Internet measurement methodology
  – Largest IPv6 hitlist to date
  – Extensive bias analyses in hitlist sources
  – IPv6 Hitlist Service
• HTTPS security
  – Thousands of insecure certificates
  – Millions of domains lacking HTTPS security extensions
  – Man-in-the-Middle attacks still possible
Publications (this talk)
• Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, and Georg Carle, “In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements”, PAM’18. Best Paper Award.
• Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczynski, Stephen D. Strowes, Luuk Hendriks, and Georg Carle, “Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists”, IMC’18.
• Quirin Scheitle, Oliver Gasser, Theodor Nolte, Johanna Amann, Lexi Brent, Georg Carle, Ralph Holz, Thomas C. Schmidt, and Matthias Wählisch, “The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem”, IMC’18.
• Johanna Amann, Oliver Gasser, Quirin Scheitle, Lexi Brent, Georg Carle, and Ralph Holz, “Mission Accomplished? HTTPS Security after DigiNotar”, IMC’17. Community Contribution Award, IRTF Applied Networking Research Prize.
• Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle, “Scanning the IPv6 Internet: Towards a Comprehensive Hitlist”, TMA’16.
Bibliography
[1] Johanna Amann, Oliver Gasser, Quirin Scheitle, Lexi Brent, Georg Carle, and Ralph Holz. “Mission Accomplished? HTTPS Security after DigiNotar”. In: IMC’17. Community Contribution Award, IRTF Applied Networking Research Prize. ACM. London, United Kingdom, Nov. 2017, pp. 325–340.
[2] Zakir Durumeric. “Fast Internet-Wide Scanning: A New Security Perspective”. PhD thesis. University of Michigan, 2017.
[3] Tobias Fiebig. “An Empirical Evaluation of Misconfiguration in Internet Services”. PhD thesis. Technische Universität Berlin, 2017.
[4] Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, and Georg Carle. “In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements”. In: PAM’18. Best Paper Award. Springer. Berlin, Germany, Mar. 2018, pp. 173–185.
[5] Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczynski, Stephen D. Strowes, Luuk Hendriks, and Georg Carle. “Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists”. In: IMC’18. ACM. Boston, MA, USA, Nov. 2018. DOI: 10.1145/3278532.3278564.
[6] Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle. “Scanning the IPv6 Internet: Towards a Comprehensive Hitlist”. In: TMA’16. IFIP. Louvain-la-Neuve, Belgium, Apr. 2016.
[7] Luuk Hendriks. “Measuring IPv6 Resilience and Security”. PhD thesis. University of Twente, 2019.
[8] Ralph-Günther Holz. “Empirical Analysis of Public Key Infrastructures and Investigation of Improvements”. PhD thesis. Technical University of Munich, 2014.
[9] IMC’18. ACM. Boston, MA, USA, Nov. 2018.
[10] Quirin Scheitle, Oliver Gasser, Theodor Nolte, Johanna Amann, Lexi Brent, Georg Carle, Ralph Holz, Thomas C. Schmidt, and Matthias Wählisch. “The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem”. In: IMC’18. ACM. Boston, MA, USA, Nov. 2018, pp. 343–349. ISBN: 978-1-4503-5619-0. DOI: 10.1145/3278532.3278562.