Scanning .nz for HTTPS Support

Sebastian Castro -- Chief Scientist @ InternetNZ

Registrar Conference -- May 2018

Our mandate: understand the .nz namespace

To understand it, we collect and analyze data

DNS configuration and errors

DNS traffic data

Web content

HTTPS Support

Data Collection

Get the list of active .nz domains

Verify there is an IP address for the website (DNS preflight check)

Scan for HTTPS service and options for the domain using sslyze

Collate and summarize data and make it public

Initially bi-monthly, now monthly.

HTTPS Support

Four states

Broken DNS -- The domain failed the pre-flight DNS check

No HTTPS Support -- No HTTPS server answered

HTTPS Support -- An HTTPS server answered the request

Invalid Certificate -- An HTTPS server answered, but the certificate couldn't be validated
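The collection steps and the four states above, worked through as an added example (not the InternetNZ scanning code, which uses sslyze): a DNS preflight check, then a TLS handshake with certificate validation, mapped onto the four states. The resolver and prober are injectable so the classifier can be exercised offline against constructed stubs; the assumption that the website lives at the bare domain name (rather than a `www` label) is this example's own.

```python
"""Classify a domain into the four HTTPS-support states used in the .nz scans.

Added example, not the InternetNZ scanning code. The decision order follows
the slides: a failed DNS preflight is 'Broken DNS'; a reachable name with no
TLS server is 'No HTTPS Support'; a TLS server whose certificate does not
validate is 'Invalid Certificate'; everything else is 'HTTPS Support'.
"""
import socket
import ssl

BROKEN_DNS = "Broken DNS"
NO_HTTPS = "No HTTPS Support"
HTTPS = "HTTPS Support"
INVALID_CERT = "Invalid Certificate"
ALL_STATES = (BROKEN_DNS, NO_HTTPS, HTTPS, INVALID_CERT)

HTTPS_PORT = 443
TIMEOUT_SECONDS = 5.0


def resolve_website(domain):
    """DNS preflight: return the IP addresses for the website name.

    Assumption: the website is served at the bare domain; a production
    scanner would also try the 'www' label before declaring DNS broken.
    """
    infos = socket.getaddrinfo(domain, HTTPS_PORT, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_https(domain, address):
    """Connect to the address and complete a TLS handshake, validating the
    certificate chain and hostname against the domain. Raises an OSError
    when no server answers and ssl.SSLCertVerificationError when the
    certificate cannot be validated; returns the negotiated protocol name.
    """
    context = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((address, HTTPS_PORT), timeout=TIMEOUT_SECONDS) as raw:
        with context.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.version()


def classify_domain(domain, resolve=resolve_website, probe=probe_https):
    """Return one of the four states for the domain."""
    try:
        addresses = resolve(domain)
    except (socket.gaierror, socket.herror):
        return BROKEN_DNS
    if not addresses:
        return BROKEN_DNS
    try:
        probe(domain, addresses[0])
    except ssl.SSLCertVerificationError:
        # Must be caught before OSError: it is a subclass of ssl.SSLError/OSError.
        return INVALID_CERT
    except OSError:
        # Connection refused, timeout, reset, or a handshake failure other
        # than certificate validation: no usable HTTPS server answered.
        return NO_HTTPS
    return HTTPS


def summarize(domains, classify=classify_domain):
    """Count domains per state, the shape of the monthly public summary."""
    counts = {state: 0 for state in ALL_STATES}
    for domain in domains:
        counts[classify(domain)] += 1
    return counts


# Constructed offline fixtures standing in for DNS and the TLS handshake.
DEMO_ADDRESSES = {
    "ok.example.nz": ["192.0.2.10"],
    "bad-cert.example.nz": ["192.0.2.11"],
    "no-https.example.nz": ["192.0.2.12"],
}


def demo_resolve(domain):
    """Constructed resolver: unknown names fail the preflight like NXDOMAIN."""
    if domain not in DEMO_ADDRESSES:
        raise socket.gaierror("constructed NXDOMAIN")
    return DEMO_ADDRESSES[domain]


def demo_probe(domain, address):
    """Constructed prober: one good server, one bad certificate, one closed port."""
    if domain == "ok.example.nz":
        return "TLSv1.2"
    if domain == "bad-cert.example.nz":
        raise ssl.SSLCertVerificationError("constructed: certificate verify failed")
    raise ConnectionRefusedError("constructed: port 443 closed")


if __name__ == "__main__":
    sample = list(DEMO_ADDRESSES) + ["missing.example.nz"]
    print(summarize(sample, lambda d: classify_domain(d, demo_resolve, demo_probe)))
```

Run against real domains by calling `classify_domain(name)` with the default resolver and prober; the constructed fixtures exist only so the logic can be checked without network access.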

[Plot: plot_https_support()]

Main results

Around 14% of the domains fail the pre-flight check

Increases to 17% if both error categories are combined

HTTPS support grew from 40% to nearly 47%

[Plot: plot_combined_errors()]

Across registrars, is the distribution of errors and support even?

[Plot: plot_reg_https_use_distribution()]

[Plot: plot_age_group_https_support()]

Protocol Support

An active HTTPS server can support multiple secure protocols

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Protocol   Release Date   Deprecation Date
SSL v2.0   Feb 1995       2011
SSL v3.0   1996           June 2015
TLS v1.0   Jan 1999
TLS v1.1   Apr 2006
TLS v1.2   Aug 2008
TLS v1.3   IETF draft

[Plot: plot_proto_support()]

Let's simplify the view

Group protocol support by

Good -- Only supports TLS 1.1 or above

Warning -- Still supports TLS 1.0

Bad -- Supports SSL v2.0 or SSL v3.0

[Plot: plot_overall_proto_support()]

Adoption of more secure protocols is increasing

But we still have 7% of HTTPS-enabled .nz sites using vulnerable protocols.

What about the distribution across registrars?

[Plot: plot_reg_https_support_distribution()]

Certificate Public Keys

  • SSL and TLS rely on certificates issued by Certificate Authorities to authenticate the website
  • The certificate contains the site's public key, used to set up encryption of the traffic
  • Cryptographic keys can be RSA, DSA or ECC
  • Key size is measured in bits; what counts as an adequate size depends on the algorithm.

[Plot: plot_cert_pub_key()]

Cryptographic keys can be weak, acceptable or strong

Type         Criteria
Weak         RSA keys with size under 2048 bits
Acceptable   RSA keys between 2048 and 3072 bits
Strong       RSA keys of at least 3072 bits and ECC keys of 256 bits or more

[Plot: plot_key_strength()]
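The protocol grouping (Good / Warning / Bad) and the key-strength table above, applied to scan records as an added example that is not the InternetNZ notebook code. The record layout is a simplified, assumed shape of an sslyze result; the handling of DSA keys and of ECC keys under 256 bits is not given on the slides and is an assumption labelled in the code; the sample records are constructed.

```python
"""Grade a scanned HTTPS server's protocol support and certificate key.

Added example, not the InternetNZ scanning code. It applies the grouping
rules from the slides (Good / Warning / Bad for protocols and Weak /
Acceptable / Strong for keys) to records shaped like a simplified sslyze
result. The record layout, the grading of DSA and of ECC keys under 256
bits, and the sample records are assumptions made here.
"""

PROTOCOL_NAMES = ("SSLv2.0", "SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")
BAD_PROTOCOLS = {"SSLv2.0", "SSLv3.0"}   # deprecated SSL versions
WARNING_PROTOCOLS = {"TLSv1.0"}          # still common, but not 'Good'


def protocol_group(supported):
    """Return 'Bad', 'Warning' or 'Good' for the set of protocols a server offers.

    Precedence matters: a server offering TLS 1.2 *and* SSLv3 is 'Bad', because
    what counts is the weakest version a client can be negotiated down to.
    """
    supported = set(supported)
    unknown = supported - set(PROTOCOL_NAMES)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    if not supported:
        raise ValueError("no protocol supported: not an active HTTPS server")
    if supported & BAD_PROTOCOLS:
        return "Bad"
    if supported & WARNING_PROTOCOLS:
        return "Warning"
    return "Good"


def key_strength(algorithm, bits):
    """Return 'Weak', 'Acceptable' or 'Strong' for a certificate public key.

    RSA thresholds follow the slide table (3072 bits counts as 'Strong').
    ECC keys of 256 bits or more are 'Strong'; smaller ECC keys are not in
    the table and are reported as 'Weak' here (assumption). DSA is graded
    with the RSA thresholds (assumption: comparable finite-field key sizes).
    """
    alg = algorithm.upper()
    if alg in ("RSA", "DSA"):
        if bits < 2048:
            return "Weak"
        if bits < 3072:
            return "Acceptable"
        return "Strong"
    if alg in ("EC", "ECC", "ECDSA"):
        return "Strong" if bits >= 256 else "Weak"
    raise ValueError(f"unsupported key algorithm: {algorithm}")


def grade_scan(record):
    """Grade one record of the assumed shape
    {'domain', 'protocols', 'key_algorithm', 'key_bits'}."""
    return {
        "domain": record["domain"],
        "protocol_group": protocol_group(record["protocols"]),
        "key_strength": key_strength(record["key_algorithm"], record["key_bits"]),
    }


def vulnerable_protocol_share(records):
    """Fraction of HTTPS-enabled sites still offering SSLv2/SSLv3; the slides'
    7% figure is this number computed over the real .nz scan."""
    graded = [grade_scan(r) for r in records]
    bad = sum(1 for g in graded if g["protocol_group"] == "Bad")
    return bad / len(graded) if graded else 0.0


# Constructed sample records, not real .nz scan data.
SAMPLE_RECORDS = [
    {"domain": "a.example.nz", "protocols": ["TLSv1.2", "TLSv1.3"],
     "key_algorithm": "EC", "key_bits": 256},
    {"domain": "b.example.nz", "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
     "key_algorithm": "RSA", "key_bits": 2048},
    {"domain": "c.example.nz", "protocols": ["SSLv3.0", "TLSv1.0", "TLSv1.2"],
     "key_algorithm": "RSA", "key_bits": 1024},
    {"domain": "d.example.nz", "protocols": ["TLSv1.2"],
     "key_algorithm": "RSA", "key_bits": 4096},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(grade_scan(record))
    print(f"share offering vulnerable protocols: {vulnerable_protocol_share(SAMPLE_RECORDS):.0%}")
```

The grader refuses an empty protocol set rather than returning 'Good', because the slides define the groups only for active HTTPS servers; a domain with no TLS server belongs in the 'No HTTPS Support' state, not in a protocol group.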

Protocol features

Test for optional protocol features

  • Session resumption: Faster connection re-establishment when connection is dropped or when talking to a server farm
  • Server renegotiation: Establish a new SSL connection with different parameters over an existing SSL connection
  • SSL/TLS compression: Not a recommended feature; it has low support from servers and opens the door to security vulnerabilities like CRIME and BREACH
  • HSTS: HTTP Strict Transport Security, protection against protocol downgrade attacks.
  • Client renegotiation: Signals that the server allows client-initiated renegotiation. Considered a potential attack vector, as a set of clients can exhaust the server's resources.

[Plot: plot_protocol_features()]

Certificate Authorities

  • Certificates are issued by Certificate Authorities
  • Browsers are configured to trust a set of CAs
  • It's relatively simple to set up your own CA
  • Trust within the browsers needs to be set up as well
  • There are 841 unique CAs identified in the data; we pick the largest for analysis

[Plot: plot_ca()]

There is a lot of variation across the market; let's take a closer look

[Plot: plot_ca_diff()]

Main observations in the CA market

Consistent growth of Let's Encrypt, around 2% per month.

Gains for The UserTrust Network and Comodo.

Important losses for GeoTrust Inc and GoDaddy.

[Plot: plot_age_ca()]

What's the relation between DNS/HTTPS and domain drops?

Identify the state of each domain in April 2017 and again in April 2018

If a domain only exists in 2018, it is marked as "Not Registered" in 2017

If a domain no longer exists in 2018, it is marked as "Deleted" in 2018

[Plot: domain_state_change_plot()]
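The year-over-year comparison described above, as an added example that is not InternetNZ's notebook code: two snapshots of per-domain states are paired, domains missing from one year get the synthetic "Not Registered" or "Deleted" state, and the transition counts yield figures of the kind shown on the next slide (the share of each state that ends up deleted, the share of domains whose state did not change). The snapshot data is constructed.

```python
"""Track how a domain's DNS/HTTPS state changes between two yearly snapshots.

Added example, not InternetNZ's notebook code. A snapshot is a dict mapping
domain -> state from one month's scan. The pairing rules follow the slide:
a domain absent from the earlier snapshot starts as 'Not Registered', and a
domain absent from the later snapshot ends as 'Deleted'. Sample data is
constructed.
"""
from collections import Counter

NOT_REGISTERED = "Not Registered"
DELETED = "Deleted"
SCAN_STATES = ("Broken DNS", "No HTTPS Support", "HTTPS Support", "Invalid Certificate")


def state_transitions(before, after):
    """Count (state in year 1, state in year 2) pairs over both snapshots."""
    counts = Counter()
    for domain in set(before) | set(after):
        src = before.get(domain, NOT_REGISTERED)
        dst = after.get(domain, DELETED)
        counts[(src, dst)] += 1
    return counts


def outcome_share(transitions, start_state):
    """Fraction of domains that began in start_state ending in each state,
    e.g. the share of 'Broken DNS' domains that were deleted a year later."""
    total = sum(n for (src, _), n in transitions.items() if src == start_state)
    if total == 0:
        return {}
    return {dst: n / total for (src, dst), n in transitions.items() if src == start_state}


def unchanged_share(transitions):
    """Fraction of domains present in both years whose state did not change."""
    both_years = [(pair, n) for pair, n in transitions.items()
                  if pair[0] != NOT_REGISTERED and pair[1] != DELETED]
    total = sum(n for _, n in both_years)
    same = sum(n for (src, dst), n in both_years if src == dst)
    return same / total if total else 0.0


def transition_table(transitions):
    """Rows (from, to, count) sorted for printing; synthetic states included."""
    return sorted(((src, dst, n) for (src, dst), n in transitions.items()))


# Constructed snapshots, not real .nz data.
APRIL_2017 = {
    "a.example.nz": "HTTPS Support",
    "b.example.nz": "HTTPS Support",
    "c.example.nz": "Broken DNS",
    "d.example.nz": "Broken DNS",
    "e.example.nz": "No HTTPS Support",
    "f.example.nz": "Invalid Certificate",
}
APRIL_2018 = {
    "a.example.nz": "HTTPS Support",
    "b.example.nz": "HTTPS Support",
    "c.example.nz": "Broken DNS",
    "e.example.nz": "HTTPS Support",
    "f.example.nz": "HTTPS Support",
    "g.example.nz": "No HTTPS Support",
    "h.example.nz": "HTTPS Support",
}

if __name__ == "__main__":
    moves = state_transitions(APRIL_2017, APRIL_2018)
    for src, dst, n in transition_table(moves):
        print(f"{src:>20} -> {dst:<20} {n}")
    print("unchanged:", unchanged_share(moves))
    print("Broken DNS outcomes:", outcome_share(moves, "Broken DNS"))
```

A domain can never be both "Not Registered" and "Deleted", since the loop only visits names present in at least one snapshot; `unchanged_share` excludes both synthetic states so that registrations and deletions do not dilute the "most domains stay the same" figure.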

We found

Most domains stay the same

Approximately 16% of the domains in each undesirable state (Broken DNS, Invalid Cert, No HTTPS) end up deleted

New registrations go into HTTPS or no HTTPS in the same proportion.

Conclusions

HTTPS-enabled sites are increasing -- Good news!

We carry a constant 17% of broken sites.

Deprecated secure protocols are being removed, but not fast enough

The use of strong cryptography is on the rise

Let's Encrypt came to change the market