Tracing your roots: Exploring the TLS trust anchor ecosystem

Zane Ma, James Austgen, Joshua Mason, Zakir Durumeric, Michael Bailey

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Secure TLS server authentication depends on reliable trust anchors. The fault intolerant design of today's system - -where a single compromised trust anchor can impersonate nearly all web entities - -necessitates the careful assessment of each trust anchor found in a root store. In this work, we present a first look at the root store ecosystem that underlies the accelerating deployment of TLS. Our broad collection of TLS user agents, libraries, and operating systems reveals a surprisingly condensed root store ecosystem, with nearly all user agents ultimately deriving their roots from one of three root programs: Apple, Microsoft, and NSS. This inverted pyramid structure further magnifies the importance of judicious root store management by these foundational root programs. Our analysis of root store management presents evidence of NSS's relative operational agility, transparency, and rigorous inclusion policies. Unsurprisingly, all derivative root stores in our dataset (e.g., Linuxes, Android, NodeJS) draw their roots from NSS. Despite this solid footing, derivative root stores display lax update routines and often customize their root stores in questionable ways. By scrutinizing these practices, we highlight two fundamental obstacles to existing NSS-derived root stores: rigid on-or-off trust and multi-purpose root stores. Taken together, our study highlights the concentration of root store trust in TLS server authentication, exposes questionable root management practices, and proposes improvements for future TLS root stores.

Original languageEnglish (US)
Title of host publicationIMC 2021 - Proceedings of the 2021 ACM Internet Measurement Conference
PublisherAssociation for Computing Machinery
Number of pages16
ISBN (Electronic)9781450391290
StatePublished - Nov 2 2021
Event21st ACM Internet Measurement Conference, IMC 2021 - Virtual, Online, United States
Duration: Nov 2 2021Nov 4 2021

Publication series

NameProceedings of the ACM SIGCOMM Internet Measurement Conference, IMC


Conference21st ACM Internet Measurement Conference, IMC 2021
Country/TerritoryUnited States
CityVirtual, Online

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'Tracing your roots: Exploring the TLS trust anchor ecosystem'. Together they form a unique fingerprint.

Cite this