Tracking Certificate Misissuance in the Wild

Kumar, Deepak; Wang, Zhengping; Hyder, Matthew; Dickinson, Joseph; Beck, Gabrielle; Adrian, David; Mason, Joshua; Durumeric, Zakir; Halderman, J. Alex; Bailey, Michael

doi:10.1109/sp.2018.00015

Cited by 58 publications

(30 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work confirms that corner-cases in CA software can cause invalid CT certificates. Most recently, the performance impact of CT on HTTPS [28] and the deployment of sub-par certificates sourced from CT logs [14,21] was measured. While the privacy implications and traceability of TLS certificates has been studied before [4,6,42], to the best of our knowledge, there is no detailed analysis on security and privacy aspects due to the rise of CT.…”

Section: Related Workmentioning

confidence: 99%

The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

Scheitle¹,

Gasser²,

Nolte

et al. 2018

Proceedings of the Internet Measurement Conference 2018

View full text Add to dashboard Cite

In this paper, we analyze the evolution of Certificate Transparency (CT) over time and explore the implications of exposing certificate DNS names from the perspective of security and privacy. We find that certificates in CT logs have seen exponential growth. Website support for CT has also constantly increased, with now 33% of established connections supporting CT. With the increasing deployment of CT, there are also concerns of information leakage due to all certificates being visible in CT logs. To understand this threat, we introduce a CT honeypot and show that data from CT logs is being used to identify targets for scanning campaigns only minutes after certificate issuance. We present and evaluate a methodology to learn and validate new subdomains from the vast number of domains extracted from CT logged certificates.

show abstract

Section: Related Workmentioning

confidence: 99%

The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

Scheitle¹,

Gasser²,

Nolte

et al. 2018

Proceedings of the Internet Measurement Conference 2018

View full text Add to dashboard Cite

show abstract

“…A different aspect directs to another interesting hypothesis concerning CAs and their individual compliance with prevalent regulations presented by Kumar et al [40]. The authors provide a comprehensive overview of CAs listing their respective certificates' error rates.…”

Section: Hypothesesmentioning

confidence: 93%

“…There are approaches to assess certificates by making use of information regarding the issuing CA such as results of a distributed reputation mechanism [20]; propositional logic and probability theory using so-called trustworthiness terms [61]; as well as certificate policies [67]. Kumar et al [40] monitored certificates issued by a wide range of CAs and analyzed their compliance with RFC 5280, the CA/Browser Forum's Baseline Requirements (BRs), and community best practices. Fadai et al [30] analyze the issuing institutions as well as the countries of origin of root certificates shipped with the currently most popular operating systems and browsers and correlate these findings against different indices indicating the CAs' origin states' constitutionality [3,31,55,66].…”

Section: Related Workmentioning

confidence: 99%

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

Heinl

Giehl

Wiedermann

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

Public key infrastructures (PKIs) build the foundation for secure communication of a vast majority of cloud services. In the recent past, there has been a series of security incidents leading to increasing concern regarding the trust model currently employed by PKIs. One of the key criticisms is the architecture's implicit assumption that certificate authorities (CAs) are trustworthy a priori. This work proposes a holistic metric to compensate this assumption by a differentiating assessment of a CA's individual trustworthiness based on objective criteria. The metric utilizes a wide range of technical and non-technical factors derived from existing policies, technical guidelines, and research. It consists of self-contained submetrics allowing the simple extension of the existing set of criteria. The focus is thereby on aspects which can be assessed by employing practically applicable methods of independent data collection. The metric is meant to help organizations, individuals, and service providers deciding which CAs to trust or distrust. For this, the modularized submetrics are clustered into coherent submetric groups covering a CA's different properties and responsibilities. By applying individually chosen weightings to these submetric groups, the metric's outcomes can be adapted to tailored protection requirements according to an exemplifying attacker model.

show abstract

“…To reduce the chances that bugs in Boulder could lead to misissuance or other problems, new versions are tested in a public staging environment prior to entering production. Boulder also applies ZLint [58] to perform automated conformance tests on every certificate, and any ZLint notices, warnings, or errors block issuance.…”

Section: Security Principlesmentioning

confidence: 99%

Let's Encrypt

Aas¹,

Barnes

Case

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Let's Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let's Encrypt has grown to become the world's largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let's Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA-server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let's Encrypt's impact on the Web and the CA ecosystem. We hope that the success of Let's Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure. CCS CONCEPTS • Networks → Web protocol security; • Security and privacy → Security services; Usability in security and privacy.

show abstract

Tracking Certificate Misissuance in the Wild

Cited by 58 publications

References 20 publications

The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

Let's Encrypt

Contact Info

Product

Resources

About