Quirin Scheitle
Oliver Gasser
Ralph Holz
Jens Hiller
Roland van Rijswijk-Deij
Dave Choffnes
ABSTRACT
Web security has been and remains a highly relevant field of security research, which has seen many additional features standardiazed at IETF over the past years.
This talk covers two papers, which in sum provide a conprehensive survey of quantity and quality of adoption of such new security extensions by HTTPS web servers.
The protocols covered are Certificate Transparency (CT) at the PKI/certificate level, HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP) at the HTTP level, Downgrade-Preventing Signaling Cipyher Suite Value (SCSV) at the TLS level, and Certification Authority Authorization (CAA) and TLSA record types. For all these security extensions, we conduct extensive active scans from 2 continents, using IPv4 and IPv6, as well as passive observations from 3 continents. We extensively analyze our results, and discuss adoption of these security extensions by deployment risk, deployment effort, and their relative age, finding low-risk, low-effort extensions deployed the most wide-spread. We consider this a lesson learned for future standardization.
In a subsequent deep-dive in the second paper, we exhaustively analyze the effectiveness of CAA after its effectiveness on Sep 8, 2017. We assess quality and quantity of CAA adoption by servers through holistic active scans, deployment by DNS operators through test domains, and conduct an extensive issuance experiment to scrutinize the rigor of implementation by Certification Authorities (CAs).
Based on [1] and [2].
[1] Johanna Amann, Oliver Gasser, Quirin Scheitle*, Lexi Brent, Georg Carle, and Ralph Holz. 2017. Mission accomplished?: HTTPS security after diginotar. In Proceedings of the 2017 Internet Measurement Conference (IMC '17). ACM, New York, NY, USA, 325--340. DOI: https://doi.org/10.1145/3131365.31314
[2] Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, Dave Choffnes, Alan Mislove, and Georg Carle. 2018. A First Look at Certification Authority Authorization (CAA). SIGCOMM Comput. Commun. Rev. 48, 2 (May 2018), 10--23. DOI: https://doi.org/10.1145/3213232.3213235
Index Terms
- Measuring Adoption of Security Additions to the HTTPS Ecosystem
Recommendations
Analysis of the HTTPS certificate ecosystem
IMC '13: Proceedings of the 2013 conference on Internet measurement conferenceWe report the results of a large-scale measurement study of the HTTPS certificate ecosystem---the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, ...
Mission accomplished?: HTTPS security after diginotar
IMC '17: Proceedings of the 2017 Internet Measurement ConferenceDriven by CA compromises and the risk of man-in-the-middle attacks, new security features have been added to TLS, HTTPS, and the web PKI over the past five years. These include Certificate Transparency (CT), for making the CA system auditable; HSTS and ...
The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements
IMC '11: Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conferenceThe SSL and TLS infrastructure used in important protocols like HTTPs and IMAPs is built on an X.509 public-key infrastructure (PKI). X.509 certificates are thus used to authenticate services like online banking, shopping, e-mail, etc. However, it ...
Comments