Researchers shed light on hidden root CAs

How widespread is the use of hidden root CAs and certificates signed by them? To answer that and other questions, a group of researchers from several Chinese and U.S. universities and Qihoo 360, the company developing the 360 Secure Browser, have collected 5 months worth of certificate data from volunteer users and analyzed certificate chains and verification statuses in web visits.

They discovered:

• Over 1.19 million hidden root certificates
• 5,000 or so organizations that hold hidden root certificates (including fake root CAs impersonating legitimate, trusted ones like Verisign, Certum, and GlobalSign)
• Many flaws in the implementation of hidden root CAs and certificates

The Web PKI trust model

Encrypted communication and authentication between web servers and clients depends on HTTPS, which is powered by the Transport Layer Security (TLS) protocol, and digital TLS certificates, respectively.

“The issuance, management and revocation of certificates heavily rely on a set of entities, systems and policies, which are jointly referred to as the Web Public Key Infrastructure (PKI). In the Web PKI trust model, digital certificates are typically issued to websites by organizations called Certificate Authorities (CAs). A small group of CAs (termed as root CAs) serve as trust anchors in the Web PKI ecosystem, such that certificates signed by them and subordinate organizations can pass verification,” the researchers explained.

CAs use their (self-signed) root certificate to sign intermediate/subordinate certificates, which inherit its trustworthiness. Intermediate certificates are used to sign end-entity certificates (aka leaf certificates) and also inherit their trustworthiness. This creates a so-called chain of trust.

Popular web browsers depend on public lists of trusted root CAs, local copies of which are usually pre-installed in operating systems. For better or worse, these local root CA stores can be modified: legitimate software (and, unfortunately, malware) can inject self-built root certificates into it to allow decryption of encrypted traffic; government agencies can do the same to monitor web users’ online behaviors; and enterprises can inject root certificates to be used just within the company network by setting up their own internal/private CA.

Key findings

“In this study, we term root CAs that are not trusted by public root programs as ‘hidden’ root CAs, because they are absent from the lists and are not publicly visible. Particularly, we focus on hidden root certificates that have been imported into local root stores (i.e., have gained trust from web clients),” they shared.

They found a widespread use of hidden root CAs, threatening the security of 0.54% of all web visits performed during the observed period.

They used an algorithm to group hidden root certificates, and identified 5,005 certificate groups. While most of those include just one certificate, some account for several hundreds of thousands. For example, the largest group contains 254,412 root certificates that belong to Certum Trusted NetWork CA 2, which impersonates the authentic Certum CA.

“Fake CAs which impersonate large trusted CAs with good reputation to evade detection, are becoming emerging security threats,” the researchers noted. “By further exploring trust relationships between hidden CA groups and affected clients, we identified fake CA groups that may come from the same malware family, and unknown groups potentially being associated with fake CAs.”

They also found that most of these hidden root certificates have one or many implementation flaws, e.g., shared public keys between root certificates, the use of wildcards (which can be misused), extremely long validity period (60 or even 100 years) and lack certificate revocation and incident handling, cryptographic flaws, and so on.

“Hidden root CAs of malware are built to intercept secure connections, thus their adoption of weak keys and insecure algorithms should not be considered a problem,” the researchers pointed out, but self-built root CAs of enterprise networks and anti-virus software should comply with security requirements to prevent themselves from being compromised.

Finally, the researchers have offered a number of recommendations for developers of operating systems, browsers and legitimate software to minimize the risks associated with hidden root certificates.