Tracking Certificate Misissuance in the Wild

Deepak Kumar; Zhengping Wang; Matthew Hyder; Joseph Dickinson; Gabrielle Beck; David Adrian; Joshua Mason; Zakir Durumeric; J. Alex Halderman; Michael Bailey

doi:10.1109/SP.2018.00015

Tracking Certificate Misissuance in the Wild

Deepak Kumar, Zhengping Wang, Matthew Hyder, Joseph Dickinson, Gabrielle Beck, David Adrian, Joshua Mason, Zakir Durumeric, J. Alex Halderman, Michael Bailey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure long-term health of the Web PKI.

Original language	English (US)
Title of host publication	Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	785-798
Number of pages	14
ISBN (Electronic)	9781538643525
DOIs	https://doi.org/10.1109/SP.2018.00015
State	Published - Jul 23 2018
Event	39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States Duration: May 21 2018 → May 23 2018

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2018-May
ISSN (Print)	1081-6011

Other

Other	39th IEEE Symposium on Security and Privacy, SP 2018
Country/Territory	United States
City	San Francisco
Period	5/21/18 → 5/23/18

Keywords

Baseline Requirements
Certificates
Compliance
HTTPS
PKI
RFC 5280
TLS

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Software
Computer Networks and Communications

Online availability

10.1109/SP.2018.00015

Library availability

Discover UIUC Full Text

Cite this

Kumar, D., Wang, Z., Hyder, M., Dickinson, J., Beck, G., Adrian, D., Mason, J., Durumeric, Z., Halderman, J. A., & Bailey, M. (2018). Tracking Certificate Misissuance in the Wild. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (pp. 785-798). [8418638] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2018.00015

Tracking Certificate Misissuance in the Wild. / Kumar, Deepak; Wang, Zhengping; Hyder, Matthew et al.
Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 785-798 8418638 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kumar, D, Wang, Z, Hyder, M, Dickinson, J, Beck, G, Adrian, D, Mason, J, Durumeric, Z, Halderman, JA & Bailey, M 2018, Tracking Certificate Misissuance in the Wild. in Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018., 8418638, Proceedings - IEEE Symposium on Security and Privacy, vol. 2018-May, Institute of Electrical and Electronics Engineers Inc., pp. 785-798, 39th IEEE Symposium on Security and Privacy, SP 2018, San Francisco, United States, 5/21/18. https://doi.org/10.1109/SP.2018.00015

@inproceedings{55d8db5e782e4e728f7691fc3becd276,

title = "Tracking Certificate Misissuance in the Wild",

abstract = "Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure long-term health of the Web PKI.",

keywords = "Baseline Requirements, Certificates, Compliance, HTTPS, PKI, RFC 5280, TLS",

author = "Deepak Kumar and Zhengping Wang and Matthew Hyder and Joseph Dickinson and Gabrielle Beck and David Adrian and Joshua Mason and Zakir Durumeric and Halderman, {J. Alex} and Michael Bailey",

note = "Funding Information: The authors thank Jonathan Rudenberg and Rob Stradling for their help and feedback. This work was supported in part by the National Science Foundation under awards CNS 1530915, CNS1518741, CNS1409505, and CNS1518888. Funding Information: The authors thank Jonathan Rudenberg and Rob Stradling for their help and feedback. This work was supported in part by the National Science Foundation under awards CNS 1530915, CNS 1518741, CNS 1409505, and CNS 1518888. Publisher Copyright: {\textcopyright} 2018 IEEE.; 39th IEEE Symposium on Security and Privacy, SP 2018 ; Conference date: 21-05-2018 Through 23-05-2018",

year = "2018",

month = jul,

day = "23",

doi = "10.1109/SP.2018.00015",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "785--798",

booktitle = "Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018",

address = "United States",

}

TY - GEN

T1 - Tracking Certificate Misissuance in the Wild

AU - Kumar, Deepak

AU - Wang, Zhengping

AU - Hyder, Matthew

AU - Dickinson, Joseph

AU - Beck, Gabrielle

AU - Adrian, David

AU - Mason, Joshua

AU - Durumeric, Zakir

AU - Halderman, J. Alex

AU - Bailey, Michael

N1 - Funding Information: The authors thank Jonathan Rudenberg and Rob Stradling for their help and feedback. This work was supported in part by the National Science Foundation under awards CNS 1530915, CNS1518741, CNS1409505, and CNS1518888. Funding Information: The authors thank Jonathan Rudenberg and Rob Stradling for their help and feedback. This work was supported in part by the National Science Foundation under awards CNS 1530915, CNS 1518741, CNS 1409505, and CNS 1518888. Publisher Copyright: © 2018 IEEE.

PY - 2018/7/23

Y1 - 2018/7/23

N2 - Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure long-term health of the Web PKI.

AB - Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure long-term health of the Web PKI.

KW - Baseline Requirements

KW - Certificates

KW - Compliance

KW - HTTPS

KW - PKI

KW - RFC 5280

KW - TLS

UR - http://www.scopus.com/inward/record.url?scp=85051050821&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85051050821&partnerID=8YFLogxK

U2 - 10.1109/SP.2018.00015

DO - 10.1109/SP.2018.00015

M3 - Conference contribution

AN - SCOPUS:85051050821

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 785

EP - 798

BT - Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 39th IEEE Symposium on Security and Privacy, SP 2018

Y2 - 21 May 2018 through 23 May 2018

ER -

Tracking Certificate Misissuance in the Wild

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Cite this