Is an HTTPS Webpage as Secure as Expected?
Encrypted communication on the Internet is most commonly realized by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Webpages communicating sensitive content, including internet banking, webshops, etc., use the HTTPS protocol, which is based on these protocols. E-mail servers, when communicating with clients in a secure manner, also run the relevant e-mail transfer protocols such as SMTP, IMAP or POP3 over SSL/TLS.
The basis of such communication, public-key encryption, is easy to understand. Suppose that Alice wants to communicate with Bob confidentially. She needs a certificate binding Bob’s name to a public key. Bob has a private key which he keeps confidential and does not reveal to anyone. With this key he can prove to Alice that it is indeed him on the other side. There is a risk, however: any other (possibly malicious) entity who gains access to Bob’s private key can pretend to be Bob.
When we connect to a website over HTTPS and see the “lock” icon in our browser, we are confident that we're communicating with the entity, say, our bank, in a secure manner. Implicitly we assume that the other side is aware of the issue mentioned above and takes care of its private keys.
In current practice, however, the situation is more complicated. Web pages are often hosted at least in part by third-party hosting providers or content-delivery networks. Thus the hardware system we communicate with belongs to this third party, which may host many other pages of completely different entities. And, in order to establish the desired secure communication, this third party has to get hold of the private keys of these entities. In current practice, many providers even take over the management of keys from their clients. All of this has profound and possibly severe security implications.
F. Cangialosi and his coworkers have recently performed [1] the first ever Internet-wide analysis of private key sharing between websites and third-party hosting providers. They have found that 76.5% of all organizations identified by them share at least one private key with a third-party hosting provider. Although 62.9% rely on a single provider, many organizations share one or more of their keys with tens to thousands of organizations. They have also studied the effect of this sharing on certificate management, such as revoking and reissuing compromised certificates. They found that “Surprisingly, while sharing private keys with a third party is a clear violation of the semantics and security properties of online authentication, in practice, overall certificate management improves with outsourcing.” Altogether the research reveals a rather complex picture of the HTTPS ecosystem and its potential issues due to private key sharing, and it elucidates a number of challenges that will have to be addressed in the future to maintain the possibility of secure web communication.
To achieve these results, F. Cangialosi and his coworkers have developed [1] a range of novel data analysis techniques and applied them to a broad range of data. Amongst their datasets, WHOIS data are of utmost importance, as the researchers have to identify the ownership of numerous analyzed Internet domains. However, as they point out, “Unfortunately, the WHOIS infrastructure is distributed across registrars and resellers, and there is no standard format. Additionally, obtaining WHOIS data at scale is challenging, as most registrars rate-limit queries.” Luckily, they could rely on bulk WHOIS services, including WhoisXML API. The data purchased from us were one of the pillars of their investigations.
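The comparison at the heart of such a study can be sketched in a few lines. The following is an added illustration, not code from the paper [1] or from WhoisXML API, and it is a simplification rather than the authors' method: it extracts the registrant organization from WHOIS text in differing formats and flags keys that are served by an organization other than the domain owner. The label list, the legal-suffix list, the key ids and all sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# A few registrant-organisation labels seen across registrars (assumed, not exhaustive).
ORG_LABEL = re.compile(
    r"^[ \t]*(?:Registrant Organi[sz]ation|org-name|owner)[ \t]*:[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

def normalise(name):
    """Lower-case, drop punctuation and legal suffixes so spellings compare equal."""
    name = re.sub(r"[.,]", "", name.lower())
    name = re.sub(r"\b(?:inc|llc|ltd|corp|gmbh)\b", "", name)
    return " ".join(name.split())

def registrant_org(whois_text):
    """Registrant organisation from free-form WHOIS text, or None if no label matches."""
    m = ORG_LABEL.search(whois_text)
    return normalise(m.group(1)) if m else None

def third_party_holders(observations, whois_by_domain):
    """Map key id -> sorted third parties serving that key for a domain they do not own.

    observations: (domain, key_id, hosting_org) tuples, one per host seen presenting the key.
    """
    holders = defaultdict(set)
    for domain, key_id, hosting_org in observations:
        owner = registrant_org(whois_by_domain.get(domain, ""))
        if owner is None:
            continue  # ownership unknown: skip rather than guess
        host = normalise(hosting_org)
        if host != owner:
            holders[key_id].add(host)
    return {k: sorted(v) for k, v in holders.items()}

# Constructed sample data (reserved example domains, made-up organisations and key ids).
WHOIS = {
    "bank.example": "Domain Name: BANK.EXAMPLE\nRegistrant Organization: Example Bank, Inc.\n",
    "shop.example": "domain: shop.example\norg-name:   Example Shop Ltd\n",
    "blog.example": "Domain Name: blog.example\nRegistrar: Example Registrar\n",
}
OBSERVATIONS = [
    ("bank.example", "key-A", "Example Bank Inc"),      # self-hosted
    ("bank.example", "key-A", "Example CDN LLC"),       # same key also at a CDN
    ("shop.example", "key-B", "Example CDN LLC"),
    ("shop.example", "key-B", "Example Hosting GmbH"),
    ("blog.example", "key-C", "Example CDN LLC"),       # no registrant in WHOIS
]

if __name__ == "__main__":
    for key, orgs in third_party_holders(OBSERVATIONS, WHOIS).items():
        print(key, "held by", orgs)
```

Domains whose WHOIS record yields no registrant are skipped instead of being counted as shared, which keeps gaps in ownership data from inflating the result.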
References
[1] Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, and Christo Wilson. Measurement and analysis of private key sharing in the HTTPS ecosystem. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security - CCS’16. ACM Press, 2016. https://doi.org/10.1145/2976749.2978301