A First Look at Certification Authority Authorization (CAA)

Scheitle, Quirin; Chung, Tae-Sun; Hiller, Jens; Gasser, Oliver; Naab, Johannes; Rijswijk-Deij, Roland van; Hohlfeld, Oliver; Holz, Ralph; Choffnes, Dave; Mislove, Alan; Carle, Georg

doi:10.1145/3213232.3213235

Cited by 31 publications

(15 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are also results on the submetric level of other SMGs which are worth discussing. The CAA Submetric's results, for example, confirm an observation already reported by Scheitle et al [60]. Although consistently rejecting CSRs with a conflicting issue property tag in the CAA RR, none of the assessed CAs makes use of iodef notifications in the case of rejection.…”

Section: Hypothesessupporting

confidence: 85%

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

Heinl

Giehl

Wiedermann

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

Public key infrastructures (PKIs) build the foundation for secure communication of a vast majority of cloud services. In the recent past, there has been a series of security incidents leading to increasing concern regarding the trust model currently employed by PKIs. One of the key criticisms is the architecture's implicit assumption that certificate authorities (CAs) are trustworthy a priori. This work proposes a holistic metric to compensate this assumption by a differentiating assessment of a CA's individual trustworthiness based on objective criteria. The metric utilizes a wide range of technical and non-technical factors derived from existing policies, technical guidelines, and research. It consists of self-contained submetrics allowing the simple extension of the existing set of criteria. The focus is thereby on aspects which can be assessed by employing practically applicable methods of independent data collection. The metric is meant to help organizations, individuals, and service providers deciding which CAs to trust or distrust. For this, the modularized submetrics are clustered into coherent submetric groups covering a CA's different properties and responsibilities. By applying individually chosen weightings to these submetric groups, the metric's outcomes can be adapted to tailored protection requirements according to an exemplifying attacker model.

show abstract

Section: Hypothesessupporting

confidence: 85%

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

Heinl

Giehl

Wiedermann

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Cloud Computing Security Workshop

View full text Add to dashboard Cite

show abstract

“…Scheitle et al [35] surveyed the adoption of the CAA record and compliance to it. Compared to our work they examine the CAA mechanism only, but in greater depth as they uncover certificate misissuance with deliberately broken CAA configurations.…”

Section: Related Workmentioning

confidence: 99%

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Schwittmann

Wander

Weis

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Web security relies on the assumption that certificate authorities (CAs) issue certificates to rightful domain owners only. However, we show that CAs expose vulnerabilities which allow an attacker to obtain certificates from major CAs for domains he does not own. We present a measurement method that allows us to check CAs for a list of technical weaknesses during their domain validation procedures. Our results show that all tested CAs are vulnerable in one or even multiple ways, because they rely on a combination of insecure protocols like DNS and HTTP and do not implement existing secure alternatives like DNSSEC and TLS. We have validated our methodology experimentally and disclosed these vulnerabilities to CAs. Based upon our findings we provide recommendations to domain owners and CAs to close this fundamental weakness in web security.

show abstract

“…CAA Adoption: Exemplary for other record types, we also investigate the adoption of Certification Authority Authorization (CAA) records in top lists and the general population. CAA is a rather new record type, and has become mandatory for CAs to check before certificate issuance, cf., [122,128]. We measure CAA adoption as described in [122], i.e., the count of base domains with an issue or issuewild set.…”

Section: Alexamentioning

confidence: 99%

“…CAA is a rather new record type, and has become mandatory for CAs to check before certificate issuance, cf., [122,128]. We measure CAA adoption as described in [122], i.e., the count of base domains with an issue or issuewild set. Similar to IPv6 adoption, we find CAA adoption among top lists (1-2%) to significantly exceed adoption among the general population at 0.1%.…”

Section: Alexamentioning

confidence: 99%

A Long Way to the Top

Scheitle

Hohlfeld

Gamba

et al. 2018

Proceedings of the Internet Measurement Conference 2018

Self Cite

View full text Add to dashboard Cite

A broad range of research areas including Internet measurement, privacy, and network security rely on lists of target domains to be analysed; researchers make use of target lists for reasons of necessity or efficiency. The popular Alexa list of one million domains is a widely used example. Despite their prevalence in research papers, the soundness of top lists has seldom been questioned by the community: little is known about the lists' creation, representativity, potential biases, stability, or overlap between lists.In this study we survey the extent, nature, and evolution of top lists used by research communities. We assess the structure and stability of these lists, and show that rank manipulation is possible for some lists. We also reproduce the results of several scientific studies to assess the impact of using a top list at all, which list specifically, and the date of list creation. We find that (i) top lists generally overestimate results compared to the general population by a significant margin, often even an order of magnitude, and (ii) some top lists have surprising change characteristics, causing high day-to-day fluctuation and leading to result instability. We conclude our paper with specific recommendations on the use of top lists, and how to interpret results based on top lists with caution.

show abstract

A First Look at Certification Authority Authorization (CAA)

Cited by 31 publications

References 23 publications

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

MERCAT: A Metric for the Evaluation and Reconsideration of Certificate Authority Trustworthiness

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

A Long Way to the Top

Contact Info

Product

Resources

About