Measuring and Improving Management of Today's PKI - UMD - October 2015
Authentication is the property that allows a user to know that, when they go to a website, they are truly communicating with whom they expect, and not an impersonator. This critical property is made possible with a set of cryptographic and networking protocols collectively referred to as a public key infrastructure (PKI). While online use of the PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation. This project asks: are administrators doing what users of the Web need them to do to ensure security, and how can we help facilitate or automate these tasks?
We are performing wide-scale measurements of how online certificates are actively being managed, including how quickly and thoroughly administrators revoke their certificates after a potential key compromise and what role third-party hosting services play.
PI(s): Dave Levin
Researchers: Frank Cangialosi (UMD, undergraduate)
HARD PROBLEM(S) ADDRESSED
Metrics; Human behavior
PUBLICATIONS
"An End-to-End Measurement of Certificate Revocation in the Web's PKI." Yabing Liu, Will Tome, Liang Zhang, David Choffnes, Dave Levin, Bruce Maggs, Alan Mislove, Aaron Schulman, Christo Wilson. ACM IMC (Internet Measurement Conference) 2015.
Critical to the security of any public key infrastructure (PKI) is the ability to revoke previously issued certificates. While the overall SSL ecosystem is well-studied, the frequency with which certificates are revoked and the circumstances under which clients (e.g., browsers) check whether certificates are revoked are still not well-understood.
In this paper, we take a close look at certificate revocations in the Web’s PKI. Using 74 full IPv4 HTTPS scans, we find that a surprisingly large fraction (8%) of the certificates served have been revoked, and that obtaining certificate revocation information can often be expensive in terms of latency and bandwidth for clients. We then study the revocation checking behavior of 30 different combinations of web browsers and operating systems; we find that browsers often do not bother to check whether certificates are revoked (including mobile browsers, which uniformly never check). We also examine the CRLSet infrastructure built into Google Chrome for disseminating revocations; we find that CRLSet only covers 0.35% of all revocations. Overall, our results paint a bleak picture of the ability to effectively revoke certificates today.
ACCOMPLISHMENT HIGHLIGHTS
This quarter, Levin presented results from these studies of the PKI's administration to broad audiences, including the RTCM (Radio Technical Commission for Maritime Services) conference and the NMEA (National Maritime Electronics Association) conference, both held in Baltimore, MD, and the CyberSci Summit held by ICF International in Fairfax, VA. The audiences consisted of a wide range of practitioners, many with very little background in computer science and security, who are nonetheless influential in developing communication policies at both institutional and international levels.