[Colloq] Thesis Defense - Do Web Browsers Obey Best Practices When Validating Digital Certificates? Krati Kiyawat, 11:45 am, December 11th, 366 WVH

Fong, Andy a.fong at neu.edu
Wed Dec 10 14:44:37 EST 2014


Krati Kiyawat
11:45 am, December 11th, 366 WVH

Do Web Browsers Obey Best Practices When Validating Digital Certificates?



The SSL/TLS protocol forms the basis of secure communication on the Internet. One of the key components of this protocol is the digital certificate, which allows clients to ascertain the identity of the remote party. Validating these certificates is critical before establishing a secure client-server connection. If certificate validation is not performed thoroughly and correctly, clients become vulnerable to a variety of attacks that can compromise the authenticity, integrity, and confidentiality of their communications. However, validation checking is a complicated task that involves local and remote information, and thus may slow down users' connections.



Given that there is no standard that defines how certificates must be validated, browser developers may choose to implement a subset of validation checks rather than obeying security best practices. In this study, we present an evaluation of the behavior of modern web browsers when presented with different invalid certificates on different platforms. In order to perform the experiments, we set up an extensive testbed of web servers and certificates.



Once the testbed was successfully set up and verified, we examined the behavior of Google Chrome and Mozilla Firefox when presented with 26 different kinds of erroneous certificates. During our study, we identified many flaws in the targeted browsers. We observed different behavior of Google Chrome on different platforms, while Firefox exhibited uniform behavior on all the platforms tested. With the exception of Google Chrome on Windows for EV certificates, none of the browser implementations checks CRLs. We also observed that the mobile versions of the browsers are less secure than their desktop versions. Surprisingly, our testing revealed that Internet Explorer performs exhaustive revocation checking, implementing both OCSP and CRL checks.



In conclusion, we highly recommend that browser designers implement validation checks similar to Internet Explorer's. Also, users who want to protect themselves online should prefer desktop versions of the browsers rather than mobile versions for security-critical communications.
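As an added illustration (not part of this announcement or of the thesis's own testbed), the Go program below builds a miniature in-memory version of such a testbed and runs a strict validator over it: a valid leaf, an expired leaf, a hostname mismatch, and a leaf that carries no CRL or OCSP pointer, the revocation gap the study highlights. The root name, the hostname www.example.test and the CRL URL are all constructed for the demo, and nothing is fetched over the network.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed root (parent == nil) or a leaf signed by parent; crl lists the CRL
// distribution points to embed (nil for none). Hypothetical helper: every certificate is in-memory.
func makeCert(name string, notAfter time.Time, crl []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, CRLDistributionPoints: crl, BasicConstraintsValid: true}
	if parent == nil { // no issuer given: make it a self-signed CA
		tmpl.IsCA, parent, parentKey = true, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Validate runs the checks the abstract expects of every browser (chain to a trusted root, validity period,
// hostname match), then flags a leaf with no CRL or OCSP pointer at all. It returns "" when the leaf is accepted.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err.Error()
	}
	if len(leaf.CRLDistributionPoints) == 0 && len(leaf.OCSPServer) == 0 {
		return "no CRL or OCSP endpoint: revocation status cannot be checked"
	}
	return ""
}
// RunTestbed is a miniature of the study's testbed and reports, per scenario, whether Validate rejected the leaf.
func RunTestbed() map[string]bool {
	day, host := time.Now().Add(24*time.Hour), "www.example.test"
	crl := []string{"http://crl.example.test/ca.crl"} // constructed placeholder URL, never fetched
	ca, caKey := makeCert("ca.example.test", day, nil, nil, nil) // constructed trusted root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	valid, _ := makeCert(host, day, crl, ca, caKey)
	expired, _ := makeCert(host, time.Now().Add(-time.Minute), crl, ca, caKey)
	noRev, _ := makeCert(host, day, nil, ca, caKey)
	return map[string]bool{
		"valid":          Validate(valid, roots, host) != "",
		"expired":        Validate(expired, roots, host) != "",
		"wrong hostname": Validate(valid, roots, "other.example.test") != "",
		"no CRL/OCSP":    Validate(noRev, roots, host) != "",
	}
}
```

A browser in the study that skips CRL checking would accept the "no CRL/OCSP" leaf; the strict validator above reports it, which is the behaviour the abstract recommends.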




Andrew W. Fong
Assistant Director for Graduate Admissions and Enrollment

Northeastern University
College of Computer and Information Science
360 Huntington Avenue
202 West Village H
Boston, MA 02115
617-373-8493
a.fong at neu.edu

Follow us on Twitter - @CCISGrad<https://twitter.com/CCISGrad>
Like us on Facebook - CCIS Graduate School<https://www.facebook.com/CCISGradSchool?ref_type=bookmark>


