Exploiting TLS Client Authentication for Widespread User Tracking

Author:

Foppe Lucas¹, Martin Jeremy², Mayberry Travis¹, Rye Erik C.¹, Brown Lamont¹

Affiliation:

1. U.S. Naval Academy

2. The MITRE Corporation, U.S. Naval Academy

Abstract

TLS, and SSL before it, has long supported the option for clients to authenticate to servers using their own certificates, but this capability has not been widely used. However, with the development of its Push Notification Service, Apple has deployed this technology on millions of devices for the first time. Wachs et al. [42] determined iOS client certificates could be used by passive network adversaries to track individual devices across the internet. Subsequently, Apple has patched their software to fix this vulnerability. We show these countermeasures are not effective by demonstrating three novel active attacks against TLS Client Certificate Authentication that are successful despite the defenses. Additionally, we show these attacks work against all known instances of TLS Client Certificate Authentication, including smart cards like those widely deployed by the Estonian government as part of their Digital ID program. Our attacks include in-path man-in-the-middle versions as well as a more powerful on-path attack that can be carried out without full network control.

Publisher

Walter de Gruyter GmbH

Subject

General Medicine

References: 46 articles.

[1] cipherscan. https://github.com/mozilla/cipherscan. Accessed: 2017-12-28.

[2] CVE-2017-2383. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2383. Accessed: 2017-10-17.

[3] CVE-2017-13863. https://support.apple.com/en-us/HT208112. Accessed: 2018-02-24.

[4] CVE-2017-13864. https://nvd.nist.gov/vuln/detail/CVE-2017-13864. Accessed: 2018-02-24.

[5] URL http://dbsign.com/products/dbsign/uws.

Cited by 4 articles.

1. How Far is User Privacy Leakage: A Revisit of Client Certificate Usage;2023 8th International Conference on Cloud Computing and Big Data Analytics (ICCCBDA);2023-04-26

2. Old Habits Die Hard: A Sober Look at TLS Client Certificates in the Real World;2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom);2021-10

3. Illuminate the Shadow: A Comprehensive Study of TLS Client Certificate Ecosystem in the Wild;2021 28th International Conference on Telecommunications (ICT);2021-06-01

4. Application Transiency: Towards a Fair Trade of Personal Information for Application Services;Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering;2019
