Analysis of the HTTPS certificate ecosystem

Zakir Durumeric; James Kasten; Michael Bailey; J. Alex Halderman

doi:10.1145/2504730.2504755

Analysis of the HTTPS certificate ecosystem

Zakir Durumeric, James Kasten, Michael Bailey, J. Alex Halderman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We report the results of a large-scale measurement study of the HTTPS certificate ecosystem - the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, we gain detailed and temporally fine-grained visibility into this otherwise opaque area of security-critical infrastructure. We investigate the trust relationships among root authorities, intermediate authorities, and the leaf certificates used by web servers, ultimately identifying and classifying more than 1,800 entities that are able to issue certificates vouching for the identity of any website. We uncover practices that may put the security of the ecosystem at risk, and we identify frequent configuration problems that lead to user-facing errors and potential vulnerabilities. We conclude with lessons and recommendations to ensure the long-term health and security of the certificate ecosystem.

Original language	English (US)
Title of host publication	IMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference
Pages	291-303
Number of pages	13
DOIs	https://doi.org/10.1145/2504730.2504755
State	Published - 2013
Externally published	Yes
Event	13th ACM Internet Measurement Conference, IMC 2013 - Barcelona, Spain Duration: Oct 23 2013 → Oct 25 2013

Publication series

Name	Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Other

Other	13th ACM Internet Measurement Conference, IMC 2013
Country/Territory	Spain
City	Barcelona
Period	10/23/13 → 10/25/13

Keywords

Certificates
HTTPS
Internet-wide scanning
Measurement
Public-key infrastructure
SSL
Security
TLS
X.509

ASJC Scopus subject areas

Software
Computer Networks and Communications

Online availability

10.1145/2504730.2504755

Library availability

Discover UIUC Full Text

Cite this

Durumeric, Z, Kasten, J, Bailey, M & Halderman, JA 2013, Analysis of the HTTPS certificate ecosystem. in IMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference. Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, pp. 291-303, 13th ACM Internet Measurement Conference, IMC 2013, Barcelona, Spain, 10/23/13. https://doi.org/10.1145/2504730.2504755

@inproceedings{a8adbebfa7f44755b3f81812fb067c65,

title = "Analysis of the HTTPS certificate ecosystem",

abstract = "We report the results of a large-scale measurement study of the HTTPS certificate ecosystem - the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, we gain detailed and temporally fine-grained visibility into this otherwise opaque area of security-critical infrastructure. We investigate the trust relationships among root authorities, intermediate authorities, and the leaf certificates used by web servers, ultimately identifying and classifying more than 1,800 entities that are able to issue certificates vouching for the identity of any website. We uncover practices that may put the security of the ecosystem at risk, and we identify frequent configuration problems that lead to user-facing errors and potential vulnerabilities. We conclude with lessons and recommendations to ensure the long-term health and security of the certificate ecosystem.",

keywords = "Certificates, HTTPS, Internet-wide scanning, Measurement, Public-key infrastructure, SSL, Security, TLS, X.509",

author = "Zakir Durumeric and James Kasten and Michael Bailey and Halderman, {J. Alex}",

year = "2013",

doi = "10.1145/2504730.2504755",

language = "English (US)",

isbn = "9781450319539",

series = "Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC",

pages = "291--303",

booktitle = "IMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference",

}

TY - GEN

T1 - Analysis of the HTTPS certificate ecosystem

AU - Durumeric, Zakir

AU - Kasten, James

AU - Bailey, Michael

AU - Halderman, J. Alex

PY - 2013

Y1 - 2013

N2 - We report the results of a large-scale measurement study of the HTTPS certificate ecosystem - the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, we gain detailed and temporally fine-grained visibility into this otherwise opaque area of security-critical infrastructure. We investigate the trust relationships among root authorities, intermediate authorities, and the leaf certificates used by web servers, ultimately identifying and classifying more than 1,800 entities that are able to issue certificates vouching for the identity of any website. We uncover practices that may put the security of the ecosystem at risk, and we identify frequent configuration problems that lead to user-facing errors and potential vulnerabilities. We conclude with lessons and recommendations to ensure the long-term health and security of the certificate ecosystem.

AB - We report the results of a large-scale measurement study of the HTTPS certificate ecosystem - the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, we gain detailed and temporally fine-grained visibility into this otherwise opaque area of security-critical infrastructure. We investigate the trust relationships among root authorities, intermediate authorities, and the leaf certificates used by web servers, ultimately identifying and classifying more than 1,800 entities that are able to issue certificates vouching for the identity of any website. We uncover practices that may put the security of the ecosystem at risk, and we identify frequent configuration problems that lead to user-facing errors and potential vulnerabilities. We conclude with lessons and recommendations to ensure the long-term health and security of the certificate ecosystem.

KW - Certificates

KW - HTTPS

KW - Internet-wide scanning

KW - Measurement

KW - Public-key infrastructure

KW - SSL

KW - Security

KW - TLS

KW - X.509

UR - http://www.scopus.com/inward/record.url?scp=84890078634&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84890078634&partnerID=8YFLogxK

U2 - 10.1145/2504730.2504755

DO - 10.1145/2504730.2504755

M3 - Conference contribution

AN - SCOPUS:84890078634

SN - 9781450319539

T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

SP - 291

EP - 303

BT - IMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference

T2 - 13th ACM Internet Measurement Conference, IMC 2013

Y2 - 23 October 2013 through 25 October 2013

ER -

Analysis of the HTTPS certificate ecosystem

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this