The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

Scheitle, Quirin; Gasser, Oliver; Nolte, Theodor; Amann, Johanna; Brent, Lexi; Carle, Georg; Holz, Ralph; Schmidt, Thomas C.; Wählisch, Matthias

doi:10.1145/3278532.3278562

Cited by 46 publications

(26 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…So Let's Encrypt can be considered equally popular in the DoT ecosystem, despite issuing significantly fewer DoT certificates (13.8%). For HTTPS, Let's Encrypt remains the dominant certificate issuer, which aligns with previous literature [34], [2], whereas GlobalSign has only issued 1.3% of the HTTPS certificates in our dataset.…”

Section: Certificate Issuerssupporting

confidence: 89%

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Jahromi¹,

Abdou²

2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

Systemd-resolved", among others, have implemented DoT stub-resolvers [16]. As a result, DoT queries have increased over the Internet since 2018 [27]. Similar to securing web (HTTPS) and email (S/MIME), DoT in the Internet relies on the Internet's Public Key Infrastructure (PKI) and associated Certification Authorities (CAs) for signing and delivering resolvers' standard X.509 certificates.On security, we investigate whether DoT would be susceptible to classic (or historic) PKI shortcomings, such as invalid/self-signed certificates, weak cryptographic parameters, or fraudulent certificates issued by compromised CAs. Over time, browsers enhanced HTTPS security by stringent certificate validation and indispensable demand of security features, like the placement of certificates in Certificate Transparency (CT) logs [38], [6]; CAs have accordingly been steppingup their issuance standards. It is unclear how many of the browser-implemented reinforcements for HTTPS are adopted in DoT, and how the relatively lax security in DoT affects issued certificates. For example, successful authentication [4] and encryption are unnecessary in DoT depending on the client's configured usage profile (see opportunistic mode in RFC 7858 [42]).We present results upon comparing a random sample of DoT and HTTPS certificates collected from Rapid7 [32]. Particularly, this paper contributes results upon comparing DoT and HTTPS certificates for the following aspects: Distribution and characteristics of certificate issuers (Sec. IV). Certificate parameters, including validity windows and cipher-suites (Sec. V). Proportion and distribution of certificates in CT-logs (Sec. VI).Our results highlight non-major differences between both ecosystems, including differences in: the dominant CA, certificate validity, and cryptographic properties. The proportion of invalid certificates appears almost similar in both ecosystems, likewise the expiry windows and cryptographic functions. We also found almost equivalent rates of CT-log inclusion in both ecosystems. These results suggest that so far, the deployment and usage of DoT certificates in practice appears promising, and not significantly affected by the lack of strict security checks in sub-resolvers.

show abstract

Section: Certificate Issuerssupporting

confidence: 89%

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Jahromi¹,

Abdou²

2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

show abstract

“…So Let's Encrypt can be considered equally popular in the DoT ecosystem, despite issuing significantly fewer DoT certificates (13.8%). For HTTPS, Let's Encrypt remains the dominant certificate issuer, which aligns with previous literature [90,1], whereas GlobalSign has only issued 1.3% of the HTTPS certificates in our dataset.…”

Section: Certificate Issuerssupporting

confidence: 90%

Survey And Evaluation of Secure-DNS Alternatives Through Passive Measurements

jahromi¹

View full text Add to dashboard Cite

As security was not among the original DNS design goals, over ten secure-DNS schemes have been proposed to improve security and privacy during the name resolution process.One of the schemes is DNS-over-TLS (DoT), which relies on the Internet's PKI for establishing trust in recursive resolvers. The security research community has studied and improved security shortcomings in the web certificate ecosystem. DoT's certificates, on the other hand, have not been investigated comprehensively. This thesis analyzes the certificate ecosystem of DoT in comparison to HTTPS. The results are so far promising, as they show that DoT appears to have benefited from the PKI security advancements that were designed for HTTPS. The thesis then surveys secure-DNS schemes, and presents an evaluation framework to assess their security, availability, privacy, and anonymity benefits. Our evaluation illustrates that none of the DNS schemes secures the complete path of the domain name resolution. All rated schemes provide only partial security benefits in specific domain name resolution stages. The results shed light on the challenges of designing a comprehensive and widely-deployable secure-DNS scheme to secure the complete name resolution path.However, as some schemes can be combined, their resultant benefits can address individual shortcomings.

show abstract

“…Certificate Transparency logs have the most complete coverage of issued TLS certificates [92]. Recent browser policies that enforce logging further increase uptake [75]. d) Eight WHOIS features capture the registration cycle of a domain as well as registrant details.…”

Section: Summary Of Feature Setsmentioning

confidence: 99%