2018 IEEE Symposium on Security and Privacy (SP) (2018)
San Francisco, CA, US
May 21, 2018 to May 23, 2018
ISSN: 2375-1207
ISBN: 978-1-5386-4353-2
pp: 288-301
Deepak Kumar, University of Illinois, Urbana-Champaign
Zhengping Wang, University of Illinois, Urbana-Champaign
Matthew Hyder, University of Illinois, Urbana-Champaign
Joseph Dickinson, University of Illinois, Urbana-Champaign
Gabrielle Beck, University of Michigan
David Adrian, University of Michigan
Joshua Mason, University of Illinois, Urbana-Champaign
Zakir Durumeric, University of Michigan
J. Alex Halderman, University of Michigan
Michael Bailey, University of Illinois, Urbana-Champaign
Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 as checks that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number of errors has drastically decreased since 2012: in 2017, only 0.02% of certificates have errors. However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and, for large authorities, with browser action. Drawing on our analysis, we conclude with a discussion of how the community can best use lint data to identify authorities with worrisome organizational practices and ensure the long-term health of the Web PKI.
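As an added illustration, not the paper's own ZLint code, the following Go sketch shows the structure the abstract describes: each rule is an isolated check that records when it took effect, so a certificate is judged only against requirements in force at issuance. The lint names, the three sample rules (serial number positivity from RFC 5280 4.1.2.2, the subjectAltName requirement from BR 7.1.4.2.1, and the 825-day validity cap from BR 6.3.2) and the hand-populated certificate are constructed for this example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Lint is one isolated policy check. Execute reports whether the certificate violates
// the rule; EffectiveDate stops a rule being applied to certificates issued before it took effect.
type Lint struct {
	Name          string
	EffectiveDate time.Time
	Execute       func(c *x509.Certificate) bool
}

// Lints is a constructed three-rule sample (not ZLint's own lint set).
var Lints = []Lint{
	{"e_serial_number_not_positive", time.Time{}, // RFC 5280 4.1.2.2
		func(c *x509.Certificate) bool { return c.SerialNumber.Sign() <= 0 }},
	{"e_ext_san_missing", time.Time{}, // BR 7.1.4.2.1
		func(c *x509.Certificate) bool { return len(c.DNSNames)+len(c.IPAddresses) == 0 }},
	{"e_validity_over_825_days", time.Date(2018, 3, 1, 0, 0, 0, 0, time.UTC), // BR 6.3.2
		func(c *x509.Certificate) bool { return c.NotAfter.Sub(c.NotBefore) > 825*24*time.Hour }},
}

// RunLints evaluates every lint independently and maps its name to "NA" (rule postdates
// the certificate's NotBefore), "error" (violation) or "pass".
func RunLints(c *x509.Certificate) map[string]string {
	out := make(map[string]string, len(Lints))
	for _, l := range Lints {
		switch {
		case c.NotBefore.Before(l.EffectiveDate):
			out[l.Name] = "NA"
		case l.Execute(c):
			out[l.Name] = "error"
		default:
			out[l.Name] = "pass"
		}
	}
	return out
}

// SampleCert is a hand-populated certificate standing in for x509.ParseCertificate output
// (constructed input): issued after the 825-day rule took effect, valid three years, no SAN.
func SampleCert() *x509.Certificate {
	nb := time.Date(2018, 6, 1, 0, 0, 0, 0, time.UTC)
	return &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: nb.AddDate(3, 0, 0)}
}
func main() { fmt.Println(RunLints(SampleCert())) }
```

On a real corpus the same RunLints would be fed certificates from x509.ParseCertificate, and the NA verdicts are what keep a pre-2018 certificate from being counted as a validity violation.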
TLS, HTTPS, PKI, Certificates, Compliance, Baseline-Requirements, RFC-5280

D. Kumar et al., "Tracking Certificate Misissuance in the Wild," 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, 2018, pp. 288-301.