scispace - formally typeset
Proceedings ArticleDOI

Risk assessment of X.509 certificate by evaluating Certification Practice Statements

01 Dec 2016-pp 501-506
TL;DR: A model which calculates the risk associated with X.509 certificates by evaluating Certificate Practice statement (CPS) document and by using certain trust criteria is suggested, which has application in detecting phishing websites which contain Https URL.
Abstract: Now a days, a lot of people and groups are using X.509 certificates to represent their identity, during online trade, so the level of purity and trustworthiness of these certificates becomes dubious. Hence, we have suggested a model which calculates the risk associated with X.509 certificates by evaluating Certificate Practice statement (CPS) document and by using certain trust criteria. For evaluating CPS document we have proposed a novel algorithm which locates certain attributes, in the CPS document. We are referring to these attributes from the prior paper of Omar and Lindsay. Our model categorizes risk in three levels-High, Medium and Low risk. It has application in detecting phishing websites which contain Https URL.
Topics: Certification Practice Statement (66%), Certificate policy (60%), X.509 (58%), Phishing (53%)
References
More filters

Proceedings ArticleDOI
18 May 2014-
TL;DR: This work designs, implements, and applies the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations, and implements and applies "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints.
Abstract: Modern network security rests on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Distributed systems, mobile and desktop applications, embedded devices, and all of secure Web rely on SSL/TLS for protection against network attacks. This protection critically depends on whether SSL/TLS clients correctly validate X.509 certificates presented by servers during the SSL/TLS handshake protocol. We design, implement, and apply the first methodology for large-scale testing of certificate validation logic in SSL/TLS implementations. Our first ingredient is "frankencerts," synthetic certificates that are randomly mutated from parts of real certificates and thus include unusual combinations of extensions and constraints. Our second ingredient is differential testing: if one SSL/TLS implementation accepts a certificate while another rejects the same certificate, we use the discrepancy as an oracle for finding flaws in individual implementations. Differential testing with frankencerts uncovered 208 discrepancies between popular SSL/TLS implementations such as OpenSSL, NSS, CyaSSL, GnuTLS, PolarSSL, MatrixSSL, etc. Many of them are caused by serious security vulnerabilities. For example, any server with a valid X.509 version1 certificate can act as a rogue certificate authority and issue fake certificates for any domain, enabling man-in-the-middle attacks against MatrixSSL and GnuTLS. Several implementations also accept certificate authorities created by unauthorized issuers, as well as certificates not intended for server authentication. We also found serious vulnerabilities in how users are warned about certificate validation errors. When presented with an expired, self-signed certificate, NSS, Safari, and Chrome (on Linux) report that the certificate has expired - a low-risk, often ignored error - but not that the connection is insecure against a man-in-the-middle attack. These results demonstrate that automated adversarial testing with frankencerts is a powerful methodology for discovering security flaws in SSL/TLS implementations.

156 citations


Journal ArticleDOI
TL;DR: This paper provides users with quantitative information of the confidence a relying party can have about a certificate (QoCER) and presents a formal model of trust to calculate these values.
Abstract: The growing number of Public Key Infrastructure (PKI) and the increasing number of situations where partners of a transaction may carry certificates signed by different certification authority (CA) points out the problematic of trust between the different CAs. Several trust models, like the hierarchy model, cross-certification model, and bridge CA model were proposed in order to establish and extend the domain of trust of relying parties (RP). However, each model has disadvantages and especially the scalability in large open networks like Internet. In this paper, we provide users with quantitative information of the confidence a relying party can have about a certificate. We call this information quality of certificate (QoCER). QoCER depends on two parameters which are the quality of procedures announced in the certificate policy (CP) and the quality of CA (QoCA) that represents the evaluation of the CA commitment to its policy. QoCA is calculated based on the recommendation of different actors (audit agency, RP, etc.). QoCER is balanced by another information that represents the confidence on QoCA calculation. We present a formal model of trust to calculate these values. Copyright © 2010 John Wiley & Sons, Ltd.

19 citations


Journal Article
TL;DR: This paper presents a novel technique to detect web-fraud domains that utilize HTTPS and builds a classifier that detects such malicious domains with high accuracy.
Abstract: Web-fraud is one of the most unpleasant features of today’s Internet. Two well-known examples of fraudulent activities on the web are phishing and typosquatting. Their effects range from relatively benign (such as unwanted ads) to downright sinister (especially, when typosquatting is combined with phishing). This paper presents a novel technique to detect web-fraud domains that utilize HTTPS. To this end, we conduct the first comprehensive study of SSL certificates. We analyze certificates of legitimate and popular domains and those used by fraudulent ones. Drawing from extensive measurements, we build a classifier that detects such malicious domains with high accuracy.

17 citations


Book ChapterDOI
10 Sep 2009-
TL;DR: The PKI Policy Repository, PolicyBuilder, and PolicyReporter improve the consistency of certificate policy operations as actually practiced in compliance audits, grid accreditation, and policy mapping for bridging PKIs.
Abstract: The trustworthiness of any Public Key Infrastructure (PKI) rests upon the expectations for trust, and the degree to which those expectations are met. Policies, whether implicit as in PGP and SDSI/SPKI or explicitly required as in X.509, document expectations for trust in a PKI. The widespread use of X.509 in the context of global e-Science infrastructures, financial institutions, and the U.S. Federal government demands efficient, transparent, and reproducible policy decisions. Since current manual processes fall short of these goals, we designed, built, and tested computational tools to process the citation schemes of X.509 certificate policies defined in RFC 2527 and RFC 3647. Our PKI Policy Repository, PolicyBuilder, and PolicyReporter improve the consistency of certificate policy operations as actually practiced in compliance audits, grid accreditation, and policy mapping for bridging PKIs. Anecdotal and experimental evaluation of our tools on real-world tasks establishes their actual utility and suggests how machine-actionable policy might empower individuals to make informed trust decisions in the future.

16 citations


4


Posted Content
Abstract: Web-fraud is one of the most unpleasant features of today's Internet. Two well-known examples of fraudulent activities on the web are phishing and typosquatting. Their effects range from relatively benign (such as unwanted ads) to downright sinister (especially, when typosquatting is combined with phishing). This paper presents a novel technique to detect web-fraud domains that utilize HTTPS. To this end, we conduct the first comprehensive study of SSL certificates. We analyze certificates of legitimate and popular domains and those used by fraudulent ones. Drawing from extensive measurements, we build a classifier that detects such malicious domains with high accuracy.

14 citations