Tracking Certificate Misissuance in the Wild

Deepak Kumar, Zhengping Wang, Matthew Hyder, Joseph Dickinson, Gabrielle Beck, David Adrian, Joshua Mason, Zakir Durumeric, J. Alex Halderman, Michael Bailey

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure long-term health of the Web PKI.

Original languageEnglish (US)
Title of host publicationProceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages785-798
Number of pages14
ISBN (Electronic)9781538643525
DOIs
StatePublished - Jul 23 2018
Event39th IEEE Symposium on Security and Privacy, SP 2018 - San Francisco, United States
Duration: May 21 2018May 23 2018

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2018-May
ISSN (Print)1081-6011

Other

Other39th IEEE Symposium on Security and Privacy, SP 2018
CountryUnited States
CitySan Francisco
Period5/21/185/23/18

    Fingerprint

Keywords

  • Baseline Requirements
  • Certificates
  • Compliance
  • HTTPS
  • PKI
  • RFC 5280
  • TLS

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Kumar, D., Wang, Z., Hyder, M., Dickinson, J., Beck, G., Adrian, D., Mason, J., Durumeric, Z., Halderman, J. A., & Bailey, M. (2018). Tracking Certificate Misissuance in the Wild. In Proceedings - 2018 IEEE Symposium on Security and Privacy, SP 2018 (pp. 785-798). [8418638] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2018-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2018.00015