Certificates-as-an-Insurance: Incentivizing Accountability in SSL/TLS

Matsumoto, Stephanos; Reischuk, Raphael M.

doi:10.14722/sent.2015.23009

Cited by 12 publications

(6 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Matsumoto and Reischuk [33] suggested to incentivize CAs for careful identity validation by making them financially accountable. In case of a security incident, an insurance payout should be triggered automatically to the domain owner.…”

Section: Related Workmentioning

confidence: 99%

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Schwittmann

Wander

Weis

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Web security relies on the assumption that certificate authorities (CAs) issue certificates to rightful domain owners only. However, we show that CAs expose vulnerabilities which allow an attacker to obtain certificates from major CAs for domains he does not own. We present a measurement method that allows us to check CAs for a list of technical weaknesses during their domain validation procedures. Our results show that all tested CAs are vulnerable in one or even multiple ways, because they rely on a combination of insecure protocols like DNS and HTTP and do not implement existing secure alternatives like DNSSEC and TLS. We have validated our methodology experimentally and disclosed these vulnerabilities to CAs. Based upon our findings we provide recommendations to domain owners and CAs to close this fundamental weakness in web security.

show abstract

Section: Related Workmentioning

confidence: 99%

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Schwittmann

Wander

Weis

2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…Entretanto, pesquisas demonstram que muitas vezes o ecossistema do HTTPŚ e, diferentemente do imaginado (ou do senso comum), inseguro [Bokslag 2016, Frost et al 2019, Samarasinghe and Mannan 2019. Os desafios e problemas de segurança são muitos e podem ocorrer em diferentes partes do ecossistema, incluindo falhas na especificação ou implementação dos protocolos, falhas na configuração dos certificados digitais nos servidores Web, falhas na geração dos certificados digitais, vulnerabilidades na Infraestrutura de Chaves Públicas (ICP), entre outras vulnerabilidades [Bokslag 2016, Frost et al 2019, Samarasinghe and Mannan 2019, Matsumoto and Reischuk 2015, Merzdovnik et al 2016.…”

Section: Navegação Segura (?) Na Internet Com Httpsunclassified

Uma Primeira Analise do Ecosistema HTTPS no Brasil

Escarrone

Kreutz

Fiorenza

2019

Anais Da XVII Escola Regional De Redes De Computadores (ERRC 2019)

View full text Add to dashboard Cite

O HTTPS (SSL/TLS) é essencial para garantir a segurança (e.g. confidencialidade dos dados) das comunicações que utilizam o protocolo HTTP na Internet. Entretanto, apesar da crescente adoção do HTTPS, muitos sites ainda não implementam da maneira correta os certificados digitais. Neste trabalho é presentado um primeiro levantamento sobre o estado do ecossistema SSL/TLS no Brasil. Para a análise, foram selecionados 44 sites de instituições financeiras e governamentais, incluindo o governo federal e governos estaduais. Os resultados apontam que a maioria dos sites utilizam ou suportam versões antigas do SSL ou do TLS, que contém vulnerabilidades conhecidas e passíveis de exploração por agentes maliciosos.

show abstract

“…More recently, Matsumoto and Reischuk [19] made a case for tying certificates with insurances as a means to improve the accountability of CAs. The model they propose differs from ours in crucial aspects.…”

Section: Related Modelsmentioning

confidence: 99%

New Directions for Trust in the Certificate Authority Ecosystem

Malchow,

Güldenring,

Roth

2018

Preprint

View full text Add to dashboard Cite

Many of the benefits we derive from the Internet require trust in the authenticity of HTTPS connections. Unfortunately, the public key certification ecosystem that underwrites this trust has failed us on numerous occasions. Towards an exploration of the root causes we present an update to the common knowledge about the Certificate Authority (CA) ecosystem. Based on our findings the certificate ecosystem currently undergoes a drastic transformation. Big steps towards ubiquitous encryption were made, however, on the expense of trust for authentication of communication partners. Furthermore we describe systemic problems rooted in misaligned incentives between players in the ecosystem. We depict that proposed security extensions do not correctly realign these incentives. As such we argue that it is worth considering alternative methods of authentication. As a first step in this direction we propose an insurance-based mechanism and we demonstrate that it is technically feasible.

show abstract

Certificates-as-an-Insurance: Incentivizing Accountability in SSL/TLS

Cited by 12 publications

References 14 publications

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Domain Impersonation is Feasible: A Study of CA Domain Validation Vulnerabilities

Uma Primeira Analise do Ecosistema HTTPS no Brasil

New Directions for Trust in the Certificate Authority Ecosystem

Contact Info

Product

Resources

About