The state of Dutch SSL/TLS certificates

Article published by Ralph Moonen, Technical Director & Tom Tervoort, Security Analyst.

Transport Layer Security (TLS) [1], also known as Secure Sockets Layer (SSL), is the most important security mechanism in use on the internet currently. It is a technology that has evolved over the past few years and has had quite a few vulnerabilities.

Authentication of websites is performed using so-called X.509 certificates that contain public keys, which are used to prove that a communication partner knows the corresponding private key. If the public key is short or can be cracked, the private key can become known, after which an attacker can impersonate the site and place themselves in the middle between a victim and the website, decrypting communication. If the certificate is not valid, we cannot know with certainty the identity of the communication partner. It is therefore imperative that TLS certificates are valid and secure. Periodically, Secura investigates the state of the certificates in use for TLS in the Netherlands. Specifically, we look at the most common cryptographic algorithm, RSA [2].

Gathering certificates

In order to investigate certificates, we performed a scan of most [3] IPv4 addresses that are routed into the Netherlands, according to RIPE. Using OpenSSL we extracted as many certificates as we could find. In total a little less than 500.000 certificates were downloaded and analysed for various aspects, such as issuer, expiration dates, algorithms supported, key lengths, and weak keys.

Some numbers!
The most used certificate issuers are:

  1. 99194: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
  2. 66075: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
  3. 18047: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA
  4. 16528: C=US, ST=Someprovince, L=Sometown, O=none, OU=none, CN=localhost/emailAddress=webmaster@localhost
  5. 16300: C=TW, ST=HsinChu, L=HuKou, O=DrayTek Corp., OU=DrayTek Support, CN=Vigor Router

About half of all certificates are issued by actual CAs; the rest are self-signed or issued by an unaccredited CA. This in itself means that half of the certificates cannot be trusted.

In order to produce an unforgeable signature, it is important to use a secure cryptographic hash function. We see the following distribution of hash functions:

  • SHA-2-family: used by 77.7% of certificates
  • SHA-1: 20.8%
  • MD5: 1.5%

No attacks are known against any of the SHA-2 hash functions. However, SHA-1 is broken in theory and MD5 can be broken for the cost of about 50 cents of computing time per certificate.

Collisions

An RSA public key contains a modulus that is the product of two prime numbers, so its only non-trivial factors are those two primes. Every number can be factorised into its prime factors, but generating a modulus p*q that is hard to factorise relies on generating p and q from good random numbers.

A common problem is that devices may generate their keys right after being booted for the first time, before the OS has been able to gather sufficient randomness. If two products p*q share a prime, you can calculate their greatest common divisor (GCD) very easily using Euclid’s algorithm: [https://en.wikipedia.org/wiki/Euclidean_algorithm]. That GCD is the shared prime, and dividing each modulus by it yields its other factor, so both private keys are recovered.

Some years ago, the scientists behind [https://factorable.net/] showed that many public keys in certificates share the same primes, due to bad random number generators, and can be cracked. A cracked key means an attacker can impersonate the web site and decrypt intercepted traffic. We thought it would be interesting to revisit this research and apply it to the Dutch IP space. Therefore we extracted the public keys from all Dutch certificates, and ran fastGCD. We have found no less than 113 broken certificates.
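The check described above, as an added example that is not the authors' scan tooling and not fastGCD itself: a pure-Python version of the product-tree / remainder-tree batch GCD technique that fastGCD implements, which compares every modulus against the product of all the others in one pass instead of n*(n-1)/2 pairwise GCDs. The moduli are plain integers (the modulus field of an RSA public key); the sample set below is constructed from Mersenne primes so the expected answer is known, and an auditor would instead feed it the moduli extracted from their own certificate inventory.

```python
"""Batch GCD over a set of RSA moduli to find keys that share a prime.

Added example, not the authors' scan tooling and not fastGCD itself: a
pure-Python version of the product-tree / remainder-tree batch GCD that
fastGCD implements, so every modulus is compared against the product of
all the others in one pass instead of n*(n-1)/2 pairwise GCDs.
"""
from math import gcd


def _product_tree(leaves):
    """Levels of a product tree: leaves first, root (product of all) last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def batch_gcd(moduli):
    """Return, for each modulus n_i, gcd(n_i, product of all the other moduli).

    1           -> n_i shares no factor with the rest of the set
    1 < g < n_i -> g is a prime n_i shares with another key; n_i = g * (n_i // g)
    n_i         -> both primes occur elsewhere (e.g. the same key appears twice)
    """
    if not moduli:
        return []
    levels = _product_tree(moduli)
    # Remainder tree: carry P (the root product) downwards as P mod node^2.
    # Each node divides its parent, so (P mod parent^2) mod node^2 == P mod node^2.
    rems = [levels[-1][0]]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # At the leaves rems[i] == P mod n_i^2 == n_i * (Q_i mod n_i), with Q_i the
    # product of the other moduli, so rems[i] // n_i == Q_i mod n_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def naive_gcd(moduli):
    """Quadratic reference implementation used to cross-check batch_gcd."""
    out = []
    for i, n in enumerate(moduli):
        others = 1
        for j, m in enumerate(moduli):
            if j != i:
                others *= m
        out.append(gcd(n, others))
    return out


def find_weak_keys(moduli):
    """Factor every modulus that shares exactly one prime with the rest of the set.

    Returns (factored, unresolved): factored maps index -> (p, q) with p < q and
    p * q == modulus; unresolved holds indices whose GCD equals the modulus itself,
    which are duplicate keys or need a pairwise follow-up to split.
    """
    factored, unresolved = {}, set()
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        if g == n:
            unresolved.add(i)
            continue
        p, q = sorted((g, n // g))
        assert p * q == n
        factored[i] = (p, q)
    return factored, unresolved


# Constructed toy moduli built from Mersenne primes so the run is instant and the
# expected answer is known; real moduli are 1024-4096 bits but the algorithm is
# unchanged (feed it the modulus ints from your own certificate inventory).
P13, P17, P31 = 2**13 - 1, 2**17 - 1, 2**31 - 1
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1

SAMPLE_MODULI = [
    P61 * P89,    # key 0: shares P61 with key 2            -> factored
    P107 * P127,  # key 1: fine on its own ...
    P61 * P31,    # key 2: shares P61 with key 0            -> factored
    P13 * P17,    # key 3: healthy
    P107 * P127,  # key 4: ... but an exact copy of key 1   -> both unresolved
]

if __name__ == "__main__":
    factored, unresolved = find_weak_keys(SAMPLE_MODULI)
    for i, (p, q) in sorted(factored.items()):
        print(f"key {i}: modulus factored as {p} * {q}")
    for i in sorted(unresolved):
        print(f"key {i}: every factor shared; duplicate key or needs pairwise check")
```

The remainder tree is what makes this scale to a national certificate set: the products grow large, but each modulus is only ever reduced against its own square, and the expensive multiplications are shared across the whole tree rather than repeated per pair. A GCD equal to the modulus itself (keys 1 and 4) is most often a duplicate certificate or key reused across devices, which is a finding in its own right even though it does not factor.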

A closer look at these certificates shows something interesting: all 113 are device certificates, apparently from devices with weak cryptographic random number generators. If they had cryptographic random number generators that functioned correctly, we would certainly not find any collisions at all in a small data set of ~500.000. However we found 113, which is statistically very close to impossible unless the devices suffer from grave weaknesses in their PRNGs.

Conclusion
If you use TLS, you must use good practices. We have found that approximately half of TLS users do not use it properly. A very small, but very significant percentage of public 1024-bit RSA keys can be cracked, showing that devices do not all have secure certificates. We do not know yet exactly which devices are affected and are contacting the vendors at this time.

We will publish an update and whitepaper when we have researched this issue a bit more and received response from vendors and affected Dutch organisations.

Resources
1. https://en.wikipedia.org/wiki/Transport_Layer_Security
2. https://en.wikipedia.org/wiki/RSA_(cryptosystem)
3. We excluded the large DSL and Fiber home ranges of KPN, Ziggo and others because they relate to private individuals.

Recent research

Would you like to stay up to date with the latest insights? Ralph Moonen, Technical Director at Secura, will provide a keynote during the Black Hat Sessions on 14 June 2018. He will present recent research that Secura performed regarding several topics, including the security of SSL certificates in the Netherlands, and the security of 4G voice communication (Voice-over-LTE, or VoLTE). We have discovered weaknesses in certain widely used devices and 4G-networks and will provide you with new insights into the risks. More information and registration: http://www.blackhatsessions.com/

@Secura 2018