2018 IEEE Symposium on Security and Privacy (SP) (2018)
San Francisco, CA, US
May 21, 2018 to May 23, 2018
ISSN: 2375-1207
ISBN: 978-1-5386-4353-2
pp: 240-253
Deepak Kumar, University of Illinois, Urbana-Champaign
Zhengping Wang, University of Illinois, Urbana-Champaign
Matthew Hyder, University of Illinois, Urbana-Champaign
Joseph Dickinson, University of Illinois, Urbana-Champaign
Gabrielle Beck, University of Michigan
David Adrian, University of Michigan
Joshua Mason, University of Illinois, Urbana-Champaign
Zakir Durumeric, University of Michigan
J. Alex Halderman, University of Michigan
Michael Bailey, University of Illinois, Urbana-Champaign
Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 as checks that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number of errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and, for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure the long-term health of the Web PKI.
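To illustrate what "policies codified as checks that can be tested in isolation" means in practice, the following added example (not ZLint's own code; the `Lint`, `Status` and `RunLints` names are hypothetical) encodes three requirements from RFC 5280 and the Baseline Requirements as independent rules over a parsed `x509.Certificate`, each returning pass, error, or not-applicable on its own.

```go
package main
import "crypto/x509"

// Status is the outcome of one rule evaluated on its own.
type Status string
const Pass, Error, NotApplicable Status = "pass", "error", "n/a"

// Lint pairs a rule with the requirement it codifies (hypothetical type, not ZLint's own).
type Lint struct {
	Name, Citation string
	Check          func(c *x509.Certificate) Status
}

var Lints = []Lint{
	// Serial numbers must be positive integers of at most 20 octets.
	{"serial_positive_max_20_octets", "RFC 5280 4.1.2.2", func(c *x509.Certificate) Status {
		if c.SerialNumber == nil || c.SerialNumber.Sign() <= 0 || len(c.SerialNumber.Bytes()) > 20 {
			return Error
		}
		return Pass
	}},
	// keyCertSign may only be asserted when basicConstraints has cA=TRUE.
	{"keycertsign_requires_ca", "RFC 5280 4.2.1.3", func(c *x509.Certificate) Status {
		if c.KeyUsage&x509.KeyUsageCertSign == 0 {
			return NotApplicable // rule does not constrain this certificate
		}
		if c.BasicConstraintsValid && c.IsCA {
			return Pass
		}
		return Error
	}},
	// Subscriber (non-CA) certificates must carry a subjectAltName.
	{"subscriber_has_san", "CA/B Forum BR (subjectAltName required)", func(c *x509.Certificate) Status {
		if c.BasicConstraintsValid && c.IsCA {
			return NotApplicable
		}
		if len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) > 0 {
			return Pass
		}
		return Error
	}},
}

// RunLints evaluates every rule independently and reports each outcome by name,
// so one malformed field never masks the result of an unrelated rule.
func RunLints(c *x509.Certificate) map[string]Status {
	out := make(map[string]Status, len(Lints))
	for _, l := range Lints { out[l.Name] = l.Check(c) }
	return out
}
```

Feeding certificates from a corpus such as Censys through `RunLints` and aggregating the per-rule error counts by issuer is the kind of measurement the abstract describes.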
TLS, HTTPS, PKI, Certificates, Compliance, Baseline-Requirements, RFC-5280
Deepak Kumar, Zhengping Wang, Matthew Hyder, Joseph Dickinson, Gabrielle Beck, David Adrian, Joshua Mason, Zakir Durumeric, J. Alex Halderman, Michael Bailey, "Tracking Certificate Misissuance in the Wild", 2018 IEEE Symposium on Security and Privacy (SP), pp. 240-253, 2018, doi:10.1109/SP.2018.00015