Web PKI: Closing the Gap between Guidelines and Practices

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Delignat Lavaud, Antoine ^b   Abadi, Martín ^a   Birrell, Andrew ^a   Mironov, Ilya ^a   Wobber, Ted ^a   Xie, Yinglian ^a  

^a MICROSOFT RESEARCH   (United States)

^b INRIA ROCQUENCOURT   (France)

Author keywords

[No Author keywords available]

Indexed keywords

WEB CRAWLER;

CERTIFICATION AUTHORITIES; PUBLIC KEY INFRASTRUCTURE; SSL CERTIFICATES;

PUBLIC KEY CRYPTOGRAPHY;

EID: 85048055531     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23305     Document Type: Conference Paper

References (37)

1. J. Ness, “Flame malware collision attack explained,” Tech. Rep., Jun. 2012. [Online]. Available: http://blogs.technet.com/b/srd/archive/2012/06/06/more-informationabout-the-digital-certificates-used-to-sign-the-flame-malware.aspx
2. M. Coates. (2013) Revoking trust in two TÜRKTRUST certificates. [Online]. Available: http://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
3. D. Akhawe, B. Amann, M. Vallentin, and R. Sommer, “Here’s my cert, so trust me, maybe?: Understanding TLS errors on the Web,” in Proceedings of the 22Nd International Conference on World Wide Web.
4. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov, “The most dangerous code in the world: Validating SSL certificates in non-browser software,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security.
5. Google, “Certificate transparency.” [Online]. Available: https://sites.google.com/site/certificatetransparency/
6. OWASP Foundation, “Certificate and public key pinning.” [Online]. Available: https://www.owasp.org/index.php/Certificate_and_ Public_Key_Pinning
7. Convergence 2011, “An agile, distributed, and secure strategy for replacing certificate authorities.” [Online]. Available: http://www.convergence.io/
8. D. Wendlandt, D. G. Andersen, and A. Perrig, “Perspectives: Improving SSH-style host authentication with multi-path probing.” in USENIX Annual Technical Conference, 2008, pp. 321–334.
9. P. Hoffman and J. Schlyter, “RFC 6698—the DNS-based authentication of named entities (DANE),” Tech. Rep., Aug. 2012. [Online]. Available: http://tools.ietf.org/html/rfc6698
10. R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose, “RFC 4033—DNS security introduction and requirements,” Tech. Rep., Mar. 2005. [Online]. Available: http://tools.ietf.org/html/rfc4033
11. N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman, “Mining your Ps and Qs: detection of widespread weak keys in network devices,” in Proceedings of the 21st USENIX Security Symposium.
12. O. Levillain, A. Ébalard, B. Morin, and H. Debar, “One year of SSL Internet measurement,” in Proceedings of the 28th Annual Computer Security Applications Conference.
13. R. Holz, L. Braun, N. Kammenhuber, and G. Carle, “The SSL landscape: a thorough analysis of the X.509 PKI using active and passive measurements,” in Proceedings of the 2011 ACM SIGCOMM Internet Measurement Conference.
14. N. Vratonjic, J. Freudiger, V. Bindschaedler, and J.-P. Hubaux, “The inconvenient truth about web certificates,” in The Workshop on Economics of Information Security (WEIS), 2011.
15. M. A. Mishari, E. D. Cristofaro, K. M. E. Defrawy, and G. Tsudik, “Harvesting SSL certificate data to identify Web-fraud,” I. J. Network Security, vol. 14, no. 6, pp. 324–338, 2012.
16. Z. Durumeric, J. Kasten, M. Bailey, and J. A. Halderman, “Analysis of the HTTPS certificate ecosystem,” in Proceedings of the 13th Internet Measurement Conference, Oct. 2013, pp. 291–304.
17. M. Abadi, A. Birrell, I. Mironov, T. Wobber, and Y. Xie, “Global authentication in an untrustworthy world,” in Proceedings of the 14th USENIX workshop on Hot Topics in Operating Systems.
18. Electronic Frontier Foundation, “The EFF SSL Observatory,” https://www.eff.org/observatory, 2010.
19. CA/Browser Forum. (2012, May) Guidelines for the issuance and management of extended validation certificates, v. [Online]. Available: https://www.cabforum.org/Guidelines_v1_4.pdf
20. Mozilla Foundation. (2012) Mozilla bug 724929: Remove Trustwave certificate(s) from trusted root certificates. [Online]. Available: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
21. CA/Browser Forum. (2013, May) Baseline requirements for the issuance and management of policy-trusted certificates, v.1.1.5. [Online]. Available: https://www.cabforum.org/Baseline_Requirements_V1_1_5. pdf
22. D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, and W. Polk, “RFC 5280 - Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile,” Tech. Rep., May 2008. [Online]. Available: http://tools.ietf.org/html/rfc5280
23. Microsoft Corporation. (2013) Root certificate program. [Online]. Available: http://technet.microsoft.com/en-us/library/cc751157.aspx
24. Mozilla Foundation. (2013) CA certificate policy. [Online]. Available: http://www.mozilla.org/projects/security/certs/policy/
25. Canadian Institute of Chartered Accountants. (2013, Jan.) WebTrust for certification authorities. [Online]. Available: http://www.webtrust.org/homepage-documents/item72056.pdf
26. European Telecommunications Standards Institute. (2012, Nov.) Policy requirements for certification authorities issuing public key certificates, v2.3.1. [Online]. Available: http://www.etsi.org/deliver/etsi_ts/102000_ 102099/102042/02.03.01_60/ts_102042v020301p.pdf
27. Debian Security Team, “Cve-2008-0166: PredictableRandom Number Generator,” http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166, 2008.
28. E. B. Barker, D. Johnson, and M. E. Smid, “SP 800-56A. recommendation for pair-wise key establishment schemes using discrete logarithm cryptography (revised),” Gaithersburg, MD, United States, Tech. Rep., 2007.
29. Z. Durumeric, E. Wustrow, and J. A. Halderman, “ZMap: Fast Internet-wide scanning and its security applications,” in Proceedings of the 22nd USENIX Security Symposium, Aug. 2013, pp. 605–619.
30. Alexa Internet Inc. (2013) Top 1,000,000 sites (updated daily). [Online]. Available: http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
31. International Computer Science Institute. (2012) The ICSI certificate notary. [Online]. Available: http://notary.icsi.berkeley.edu/
32. R. Dhamija, J. D. Tygar, and M. Hearst, “Why phishing works,” in Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM, 2006, pp. 581–590.
33. U. Kühn, A. Pyshkin, E. Tews, and R.-P. Weinmann, “Variants of Bleichenbacher’s low-exponent attack on PKCS#1 RSA signatures,” in Sicherheit, A. Alkassar and J. H. Siekmann, Eds. GI, 2008, pp. 97–109.
34. OpenSSL. (2013) Documentation of the X.509 API. [Online]. Available: http://www.openssl.org/docs/apps/x509.html
35. N. Heninger. (2013) Factoring as a service. [Online]. Available: http://crypto.2013.rump.cr.yp.to/981774ce07e51813fd4466612a78601b.pdf
36. D. Eastlake, “RFC 6066 - Transport Layer Security (TLS) extensions: Extension definitions,” 2011. [Online]. Available: http://tools.ietf.org/html/rfc6066
37. M. Stevens, A. Sotirov, J. Appelbaum, A. K. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger, “Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate,” in CRYPTO, S. Halevi, Ed. Springer, 2009, pp. 55–69.