
    DSTC: DNS-based Strict TLS Configurations

    Most TLS clients, such as modern web browsers, enforce coarse-grained TLS security configurations. Mainly to preserve backward compatibility, they support legacy versions of the protocol that have known design weaknesses, and weak ciphersuites that provide fewer security guarantees (e.g. no Forward Secrecy). This opens the door to downgrade attacks, as in the POODLE attack [18], which abuses the client's silent fallback to downgrade the protocol version and then exploits the legacy version's flaws. To achieve a better balance between security and backward compatibility, we propose a DNS-based mechanism that enables TLS servers to advertise their support for the latest version of the protocol and for strong ciphersuites (those that provide Forward Secrecy and Authenticated Encryption simultaneously). This allows clients to use prior knowledge of a server's TLS configuration to enforce a fine-grained TLS configuration policy: the client enforces strict TLS configurations for connections to advertising servers, and its default configurations for all other connections. We implement and evaluate the proposed mechanism and show that it is feasible and incurs minimal overhead. Furthermore, we conduct a TLS scan of the top 10,000 most visited websites globally and show that most of them can benefit from our mechanism.
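
The client-side half of the policy described above, as an added example modelled with Python's ssl module; it is not the paper's implementation. The set of advertising hosts is a constructed in-memory stand-in for the paper's DNS record (the record format is not on this page and is assumed away), and "latest version" is taken to mean TLS 1.3.

```python
import ssl

# Constructed stand-in for the DSTC DNS lookup: hostnames whose DNS advertises
# support for the latest TLS version and forward-secret AEAD suites only.
ADVERTISING = {"secure.example.com", "bank.example.net"}

# Assumption: the strict baseline is TLS 1.3, whose suites are all (EC)DHE + AEAD.
STRICT_MIN_VERSION = ssl.TLSVersion.TLSv1_3
# OpenSSL cipher string keeping only forward-secret AEAD suites for TLS 1.2.
STRICT_TLS12_SUITES = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"

FS_KX = ("ECDHE", "DHE")           # key exchanges that give forward secrecy
AEAD = ("GCM", "CHACHA20", "CCM")  # authenticated-encryption modes


def is_strong(cipher_name):
    """'Strong' in the DSTC sense: forward secrecy AND authenticated encryption."""
    name = cipher_name.upper()
    if name.startswith("TLS_"):
        return True  # every TLS 1.3 suite is ephemeral-DH-only and AEAD by design
    return any(kx in name for kx in FS_KX) and any(mode in name for mode in AEAD)


def context_for(host, advertised=ADVERTISING):
    """Strict context for advertising hosts; the client's ordinary default otherwise.

    A server that advertised strict support but later offers only TLS 1.2 or a
    non-FS/AEAD suite will fail the handshake instead of silently downgrading.
    """
    ctx = ssl.create_default_context()
    if host.lower().rstrip(".") in advertised:
        ctx.minimum_version = STRICT_MIN_VERSION
        # Also prune the TLS 1.2 list, so the policy still holds if the minimum
        # version is ever relaxed for this context.
        ctx.set_ciphers(STRICT_TLS12_SUITES)
    return ctx


def weak_suites(ctx):
    """Audit helper: enabled suites that lack forward secrecy or AEAD."""
    return [c["name"] for c in ctx.get_ciphers() if not is_strong(c["name"])]


if __name__ == "__main__":
    for host in ("secure.example.com", "cdn.example.org"):
        ctx = context_for(host)
        print(host, ctx.minimum_version.name, "weak suites:", len(weak_suites(ctx)))
```

The strict context is only ever used for hosts found in the advertisement set, which is the paper's point: connections to everything else keep the client's default, backward-compatible configuration.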

    Search for Trust: An Analysis and Comparison of CA System Alternatives and Enhancements

    The security of the Public Key Infrastructure (PKI) has been reevaluated in response to Certification Authority (CA) compromises that resulted in the circulation of fraudulent certificates. These rogue certificates can be, and have been, used to execute Man-in-the-Middle (MITM) attacks and gain access to users' sensitive information. In the wake of these events there has been a call for change, to the extent of either securing the current system or replacing it altogether with an alternative design. This paper explores the following proposals, which have been put forth to replace or improve the CA system with the goal of aiding the prevention and detection of MITM attacks and improving the trust infrastructure: Convergence, Perspectives, Mutually Endorsed Certification Authority Infrastructure (MECAI), DNS-Based Authentication of Named Entities (DANE), DNS Certification Authority Authorization (CAA) Resource Records, Public Key Pinning, Sovereign Keys, and Certificate Transparency. Brief descriptions of each proposal are provided, along with the pros and cons of each system. A new metric is then applied which, according to a set of criteria, ranks each proposal and gives readers an idea of the costs and benefits of implementing it and the potential strengths and weaknesses of its design. We conclude with recommendations for further research and remark on the proposals with the most potential going forward.

    An Empirical Survey on the Early Adoption of DNS Certification Authority Authorization


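The CAA mechanism named in the "Search for Trust" comparison and surveyed in the entry above, as an added example of the issuance check a CA performs under RFC 8659. This is not code from either paper; the zone data is constructed in memory, and the property tags recognised are the three defined by RFC 8659 (issue, issuewild, iodef).

```python
CRITICAL = 128  # RFC 8659 issuer-critical flag bit

# Constructed CAA zone data: name -> list of (flags, tag, value).
SAMPLE_ZONE = {
    "example.com": [
        (0, "issue", "ca.example.net; validationmethods=dns-01"),
        (0, "issuewild", ";"),                     # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(0, "issue", ";")],     # no CA may issue at all
    "noca.example.com": [(0, "iodef", "mailto:security@example.com")],
    "crit.example.com": [(128, "futureprop", "x"), (0, "issue", "ca.example.net")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, zone):
    """RFC 8659 section 3: the CAA RRset of the closest ancestor-or-self that has one."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrs = zone.get(".".join(labels), [])
        if rrs:
            return rrs
        labels = labels[1:]
    return []


def issuer_domain(value):
    """Property value is 'issuer-domain-name [; parameters]'; a bare ';' names no CA."""
    return value.split(";", 1)[0].strip().lower()


def can_issue(name, ca_domain, zone):
    """Decide whether the CA identified by ca_domain may issue for name."""
    name = name.lower().rstrip(".")
    rrs = relevant_caa_set(name, zone)
    if not rrs:
        return True  # no CAA records anywhere up the tree: issuance is unrestricted
    # An unrecognised property marked critical forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrs):
        return False
    tags = {tag.lower() for _, tag, _ in rrs}
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    allowed = [issuer_domain(v) for _, t, v in rrs if t.lower() == tag]
    if not allowed:
        return True  # CAA present but no issue/issuewild property: unrestricted
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "legacy.example.com", "noca.example.com"):
        print(req, can_issue(req, "ca.example.net", SAMPLE_ZONE))
```

The climb in relevant_caa_set is what makes a single record at the apex cover every host beneath it, and also why a record at a deeper name (legacy.example.com above) overrides rather than combines with the parent's.
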
    User-Defined Key Pair Protocol

    E-commerce applications have flourished on the Internet because of their ability to perform secure transactions in which the identities of the two parties can be verified and the communications between them encrypted. The Transport Layer Security (TLS) protocol is implemented to make secure transactions possible by creating a secure tunnel between the user's browser and the server with the help of Certificate Authorities (CAs). CAs are a third party that can be trusted by both the user's browser and the server and are responsible for establishing secure communication between them. The major limitation of this model is the use of CAs as single points of trust that can introduce severe security breaches globally. In my thesis, I provide a high-level design for a new protocol in the application layer of the TCP/IP suite that will build a secure tunnel between the user's browser and the server without the involvement of any third party. My proposed protocol is called User-Defined Key Pair (UDKP), and its objective is to build a secure tunnel between the user's browser and the server using a public/private key pair generated for the user on the fly inside the user's browser based on the user's credential information. This key pair will be used by the protocol instead of the server certificate as the starting point for creating the secure tunnel.

    Can I take your subdomain? Exploring same-site attacks in the modern web

    Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers have received only limited attention from the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security from different angles, including cookies, CSP, CORS, postMessage, and domain relaxation. Building on this framework, we report on a large-scale security measurement of the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.
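
Two of the capabilities listed above (cookies and CSP), as an added example that models the browser-side rules in Python; it is not code from the paper. The public-suffix sample is a constructed three-entry stand-in for the real Public Suffix List, and the CSP matcher covers scheme, host (with a leading "*." wildcard), port and path only.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: user agents refuse cookies
# scoped to these, so a takeover of x.github.io cannot toss cookies at all of github.io.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def domain_matches(host, domain):
    """RFC 6265 5.1.3: host domain-matches domain if equal, or if domain is a
    suffix of host preceded by a dot (hosts are assumed to be names, not IPs)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_reaches(setter_host, domain_attr, target_host, public_suffixes=PUBLIC_SUFFIXES):
    """True if a cookie set by setter_host with Domain=domain_attr is accepted by a
    conforming user agent and later sent to target_host (cookie tossing)."""
    domain = domain_attr.lower().strip(".")
    if domain in public_suffixes:
        return False  # scoped to a public suffix: rejected at set time
    if not domain_matches(setter_host, domain):
        return False  # a host may only scope a cookie to itself or an ancestor
    return domain_matches(target_host, domain)


def csp_host_source_matches(source, url):
    """CSP3 host-source matching, reduced to scheme, host, port and path.
    A source of '*.example.com' matches every subdomain, including one an
    attacker has taken over, but not the apex example.com itself."""
    u = urlsplit(url)
    src_scheme, sep, rest = source.partition("://")
    if not sep:  # no scheme in the source expression: any scheme is accepted here
        src_scheme, rest = "", source
    if src_scheme and src_scheme.lower() != u.scheme.lower():
        return False
    hostport, slash, src_path = rest.partition("/")
    src_path = slash + src_path
    src_host, _, src_port = hostport.partition(":")
    host = (u.hostname or "").lower()
    src_host = src_host.lower()
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif host != src_host:
        return False
    if src_port and src_port != "*" and str(u.port or "") != src_port:
        return False
    if src_path:
        path = u.path or "/"
        # a source path ending in '/' is a prefix match, anything else is exact
        if src_path.endswith("/"):
            return path.startswith(src_path)
        return path == src_path
    return True


if __name__ == "__main__":
    print(cookie_reaches("attacker.example.com", "example.com", "app.example.com"))
    print(csp_host_source_matches("https://*.example.com", "https://takeover.example.com/x.js"))
```

Both functions show the same structural point: a policy written in terms of a parent domain (Domain=example.com, script-src *.example.com) extends trust to every sibling, so a single dangling subdomain inherits it.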

    Providing public key certificate authorization and policy with DNS

    Public Key Infrastructure (PKI) instills trust in the certificates commonly used to secure email, web traffic, VPNs, file transfers, and other forms of network communication. Due to a number of successful attacks against certificate authorities, malicious parties have illegitimately acquired trusted certificates for widely used online services, government agencies, and other important organizations. These incidents, and the potential for future attacks of a similar nature, present notable risk to PKI and to global security as a whole. The proposed Certificate Policy Framework (CPF) offers a mechanism for organizations to control which certificates are authorized to authenticate their services. This DNS-based protocol allows organizations to publish an access control list for any given hostname, where each entry in the ACL identifies a certificate and indicates whether the certificate should be blocked, warned upon, or permitted. Any CPF-compatible application can then query DNS for CPF records to verify the integrity of a certificate from an authoritative viewpoint. In this work, we review limitations in PKI and certificate-based security and survey existing work in this area. We also discuss CPF in greater detail and demonstrate how it can be used to augment PKI and strengthen this widely adopted technology.

    Secure Communication Protocols, Secret Sharing and Authentication Based on Goldbach Partitions

    This thesis investigates the use of Goldbach partitions in secure communication protocols and in finding the large prime numbers that are fundamental to these protocols. It is proposed that multiple third parties be employed in TLS/SSL and other secure communication protocols to distribute trust and eliminate dependency on a single third party, which decreases the probability of a forged digital certificate and enhances the overall security of the system. Two methods are presented in which the secret key is not compromised until all third parties involved in the process are compromised. A new scheme to distribute secret shares using two third parties in the piggy bank cryptographic paradigm is proposed. Conditions under which Goldbach partitions are efficient for finding large prime numbers are presented. A method is also devised to sieve prime numbers that requires fewer operations than the Sieve of Eratosthenes.
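
The Goldbach partitions the abstract builds on, as an added example: the partitions of an even integer n are the unordered pairs of primes (p, q) with p + q = n. This is not the thesis's own sieve or any of its protocols; it uses a plain Sieve of Eratosthenes, the baseline the thesis compares against.

```python
def sieve(limit):
    """Sieve of Eratosthenes: bytearray with is_prime[k] == 1 for every prime k <= limit."""
    is_prime = bytearray([1]) * (limit + 1)
    is_prime[0:2] = b"\x00\x00"  # 0 and 1 are not prime
    for p in range(2, int(limit ** 0.5) + 1):
        if is_prime[p]:
            # cross out p*p, p*p+p, ... ; smaller multiples were hit by smaller primes
            is_prime[p * p::p] = bytes(len(range(p * p, limit + 1, p)))
    return is_prime


def goldbach_partitions(n):
    """All pairs (p, q) of primes with p <= q and p + q == n, for even n >= 4."""
    if n < 4 or n % 2:
        raise ValueError("Goldbach partitions are defined for even n >= 4")
    is_prime = sieve(n)
    # scanning p only up to n//2 yields each unordered pair exactly once
    return [(p, n - p) for p in range(2, n // 2 + 1) if is_prime[p] and is_prime[n - p]]


def partition_count(n):
    """Number of Goldbach partitions of n (the quantity whose growth makes the
    search for a partition of a large even number practical)."""
    return len(goldbach_partitions(n))


if __name__ == "__main__":
    for n in (4, 28, 100):
        print(n, goldbach_partitions(n))
```

Every partition of n hands back two primes at once, which is the property the abstract refers to when it uses partitions to find large primes; the cost is the sieve up to n, so for cryptographic sizes a probabilistic primality test replaces the sieve step.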