Exploring the Root Store Usage in TLS-Based Applications
摘要
Root certificates serve as the foundation for certificate validation in the PKI paradigm. The root store, a collection of root certificates, directly influences the security of TLS connections in applications. A reliable root store reduces the risk of applications being compromised by manipulator-in-the-middle and phishing attacks. In this work, we explore the application’s usage of root stores in TLS from the aspects of root stores, TLS libraries, and applications, to determine whether applications utilize a reliable root store. First, we investigate the provider and local management of six mainstream root stores. Second, we explore the default root stores of four popular TLS libraries, as well as two high-level wrappers across different operating systems. Finally, we implement static analysis for open source projects built upon these four TLS libraries to determine the root stores they use and their locations. Our work demonstrates that the default root stores in TLS libraries (e.g., OpenSSL) may not consistently be reliable root stores across different platforms. Moreover, among open source projects utilizing TLS connections, more than one-third employ user-specific root stores (e.g., a specified file), which exposes them to potential security risks with the adoption of unreliable root stores.