Measuring and Improving the Management of Today's PKI

Authentication is the property that allows a user to know that, when they go to a website, they are truly communicating with whom they expect, and not an impersonator. This critical property is made possible with a set of cryptographic and networking protocols collectively referred to as a public key infrastructure (PKI). While online use of the PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation. This project studies: Are administrators doing what users of the Web need them to do to ensure security, and how can we help facilitate or automate these tasks?

We are performing wide-scale measurements of how online certificates are actively being managed, including: how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play.

PI(s): Dave Levin
Researchers: Frank Cangialosi

HARD PROBLEM(S) ADDRESSED
Metrics; Human Behavior

PUBLICATIONS
"On SSL Certificate Revocation: The Race to the Bottom in Securing the Web's PKI." Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Aaron Schulman, Christo Wilson. Submitted to ACM IMC (Internet Measurement Conference) 2015.

ACCOMPLISHMENT HIGHLIGHTS