A Solution for Preventing the Rogue Certificate Attack

Authors

  • Sergey E. Abrahamyan, Institute for Informatics and Automation Problems of NAS RA
  • Arman G. Zakaryan, American University of Armenia

DOI:

https://doi.org/10.51408/1963-0052

Keywords:

HTTPS, TLS, Digital Certificates, Masquerade Attack, Rogue Certificate Attack, Security

Abstract

In today’s online world, internet security relies heavily on trust in Certificate Authorities (CAs). Modern browsers and operating systems ship their users a comprehensive list of all the CAs they trust by default. This becomes a serious problem as soon as even one of those CAs is compromised and/or goes rogue. It is especially relevant for enterprise applications, which are more likely to be targeted by this kind of attack. In this paper, we propose a solution that can mitigate this kind of attack against large organizations. We also discuss the security of the proposed method, which offers an acceptable security/performance trade-off.

Published

2021-12-10

How to Cite

Abrahamyan, S. E., & Zakaryan, A. G. (2021). A Solution for Preventing the Rogue Certificate Attack. Mathematical Problems of Computer Science, 53, 49–56. https://doi.org/10.51408/1963-0052