Measuring and Improving Management of Today's PKI - UMD - July 2015
Public Audience
PI(s): David Levin
Researchers: Frank Cangialosi
PROJECT OVERVIEW
Authentication is the property that lets a user know that, when they visit a website, they are truly communicating with the party they expect and not with an impersonator. This critical property is made possible by a set of cryptographic and networking protocols collectively referred to as a public key infrastructure (PKI). While online use of the PKI is mostly automated, a surprising amount of human intervention is required for management tasks that are crucial to its proper operation. This project asks: are administrators doing what Web users need them to do to ensure security, and how can we help facilitate or automate these tasks?
We are performing wide-scale measurements of how online certificates are actively being managed, including how quickly and thoroughly administrators revoke their certificates after a potential key compromise, and what role third-party hosting services play.
As an example, in one study we investigated certificate revocations on the Internet. Using over 74 full IPv4 HTTPS scans, we find that a surprisingly large fraction (8%) of certificates are revoked, and that obtaining certificate revocation information is often expensive for clients in terms of latency and bandwidth. We then study the revocation-checking behavior of 30 different combinations of web browsers and operating systems; we find that browsers often do not check at all whether certificates are revoked (including mobile browsers, which uniformly never check). We also examine the CRLSet infrastructure built into Google Chrome for disseminating revocations and find that CRLSet covers only 0.35% of all revocations. Overall, our results paint a bleak picture of the effective revocation of certificates today.
HARD PROBLEM(S) ADDRESSED
Metrics; Human Behavior.
PUBLICATIONS
Papers submitted for publication
- "On SSL Certificate Revocation: The Race to the Bottom in Securing the Web's PKI", Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Aaron Schulman, Christo Wilson. Submitted to ACM IMC (Internet Measurement Conference) 2015.