TY - GEN
T1 - What's in a name? Exploring CA certificate control
AU - Ma, Zane
AU - Mason, Joshua
AU - Antonakakis, Manos
AU - Durumeric, Zakir
AU - Bailey, Michael
N1 - Funding Information:
The authors thank Ryan Sleevi and the anonymous reviewers for providing insightful feedback on various parts of this work. This work was supported in part by the Yunni & Maxine Pao Memorial Fellowship and a gift from Google, Inc.
Publisher Copyright:
© 2021 by The USENIX Association. All rights reserved.
PY - 2021
Y1 - 2021
AB - TLS clients rely on a supporting PKI in which certificate authorities (CAs), trusted organizations, validate and cryptographically attest to the identities of web servers. A client's confidence that it is connecting to the right server depends entirely on the set of CAs that it trusts. However, as we demonstrate in this work, the identity specified in CA certificates is frequently inaccurate due to lax naming requirements, ownership changes, and long-lived certificates. This not only muddles client selection of trusted CAs, but also prevents PKI operators and researchers from correctly attributing CA certificate issues to CA organizations. To help Web PKI participants understand the organizations that control each CA certificate, we develop Fides, a system that models and clusters CA operational behavior in order to detect CA certificates under shared operational control. We label the clusters that Fides uncovers, and build a new database of CA ownership that corrects the CA operator for 241 CA certificates, and expands coverage to 651 new CA certificates, leading to a more complete picture of CA certificate control.
UR - http://www.scopus.com/inward/record.url?scp=85114469881&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85114469881&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85114469881
T3 - Proceedings of the 30th USENIX Security Symposium
SP - 4383
EP - 4400
BT - Proceedings of the 30th USENIX Security Symposium
PB - USENIX Association
T2 - 30th USENIX Security Symposium, USENIX Security 2021
Y2 - 11 August 2021 through 13 August 2021
ER -