Analysis of the HTTPS certificate ecosystem

Durumeric, Zakir; Kasten, James; Bailey, Michael; Halderman, J. Alex

doi:10.1145/2504730.2504755

Cited by 252 publications

(199 citation statements)

References 13 publications

Supporting

Mentioning

188

Contrasting

Unclassified

Order By: Relevance

“…The recommended SHA256 (with RSA encryption) signing algorithm, has replaced SHA1 more so far for leaf certificates (72.3% SHA256) than authority certificates (42.8% SHA256). Although we observed improvements compared to the 98.7% share of SHA1 that Durumeric et al [7] observed in 2013, there is still a long way to go. While decisions by Mozilla, Microsoft, and Google, for example, to phaseout SHA1 (e.g., not showing a padlock symbol or to various degrees blocking SHA1 usage) may speed up this process, there have been setbacks in the outphasing as some of the browser companies have softened their decisions, including Mozilla re-enabling support for SHA1 in Firefox.…”

Section: Trust Relationship Analysiscontrasting

confidence: 82%

“…We also use passive measurements by Holz et al [6] (published in 2011) and by Durumeric et al [7] (published in 2013), together with our own measurements, as reference points for a longitudinal discussion. In addition to complementing these studies with more recent data points and a tutorial-style overview of the landscape, we also present complementary new analyses based on our novel session-based labeling, for example, which allows us to compare and contrast the heterogeneous security offered to both mobile and stationary devices.…”

Section: E Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Ouvrier

Laterman²,

Arlitt

et al. 2017

IEEE Commun. Mag.

View full text Add to dashboard Cite

Our society increasingly relies on web-based services like online banking, shopping, and socializing. Many of these services heavily depend on secure end-to-end transactions to transfer personal, financial, and other sensitive information. At the core of ensuring secure transactions are the HTTPS protocol and the "trust" relationships between many involved parties, including users, browsers, servers, domain owners, and the third-party Certification Authorities (CAs) that issue certificates binding ownership of public keys with servers and domains. This article presents an overview of the current trust landscape and provides statistics to illustrate and quantify some of the risks facing typical users. Using measurement results obtained through passive monitoring of the HTTPS traffic between a campus network and the Internet, we provide concrete examples and characterize the certificate usage and trust relationships in this complex landscape. By comparing our observations against known vulnerabilities and problems, we highlight and discuss the actual security that typical Internet users (such as the people on campus) experience. Our measurements cover both mobile and stationary users, consider the involved trust relationships, and provide insights into how the HTTPS protocol is used and the weaknesses observed in practice. While the security properties vary significantly between sessions, out of the 232 million HTTPS sessions we observed, more than 25% had weak security properties.

show abstract

Section: Trust Relationship Analysiscontrasting

confidence: 82%

Section: E Related Workmentioning

confidence: 99%

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Ouvrier

Laterman²,

Arlitt

et al. 2017

IEEE Commun. Mag.

View full text Add to dashboard Cite

show abstract

“…They revealed a great number of invalid certificates and certificates shared among a large number of hosts. The work of Holz et al was followed by the work of Durumeric et al [11] which focused on an assessment of certification authorities. The SSL/TLS protocol and its applications are continuously analysed by Qualys SSL Lab [12].…”

Section: State-of-the-artmentioning

confidence: 99%

Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting

Husák

Čermák

Jirsík

et al. 2015

2015 10th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Abstract-The growing share of encrypted network traffic complicates network traffic analysis and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the UserAgent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from a HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP UserAgents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. We discuss hostbased and network-based methods of dictionary retrieval and estimate the quality of the data. The usability of the proposed method is demonstrated on two case studies of network forensics.

show abstract

“…The subject of certificate validation for HTTPS has been investigated by various other studies [42], [25], [22]. In our Common Name (Issuer Common Name) …”

Section: Tls Certificatesmentioning

confidence: 99%

“…We used techniques and tooling provided by the authors of [36] for computation of vulnerable moduli. A similar analysis was performed on datasets for HTTPS in [22].…”

Section: ) Self-signed Certificatesmentioning

confidence: 99%

No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large

Mayer

Zauner

Schmiedecker

et al. 2016

2016 11th International Conference on Availability, Reliability and Security (ARES)

View full text Add to dashboard Cite

Abstract-TLS is the most widely used cryptographic protocol on the Internet. While many recent studies focused on its use in HTTPS, none so far analyzed TLS usage in e-mail related protocols, which often carry highly sensitive information. Since end-to-end encryption mechanisms like PGP are seldomly used, today confidentiality in the e-mail ecosystem is mainly based on the encryption of the transport layer. A well-positioned attacker may be able to intercept plaintext passively and at global scale.In this paper we are the first to present a scalable methodology to assess the state of security mechanisms in the e-mail ecosystem using commodity hardware and open-source software. We draw a comprehensive picture of the current state of every e-mail related TLS configuration for the entire IPv4 range. We collected and scanned a massive data-set of 20 million IP/port combinations of all related protocols (SMTP, POP3, IMAP) and legacy ports. Over a time span of approx. three months we conducted more than 10 billion TLS handshakes. Additionally, we show that securing server-to-server communication using e.g. SMTP is inherently more difficult than securing client-toserver communication. Lastly, we analyze the volatility of TLS certificates and trust anchors in the e-mail ecosystem and argue that while the overall trend points in the right direction, there are still many steps needed towards secure e-mail.

show abstract

Analysis of the HTTPS certificate ecosystem

Cited by 252 publications

References 13 publications

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Network-Based HTTPS Client Identification Using SSL/TLS Fingerprinting

No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large

Contact Info

Product

Resources

About