Server Authentication on the Past, Present, and Future Internet.
[摘要] HTTPS is used for nearly all secure web communication, yet very little is known about the security of HTTPS;; deployment overall on the Internet.In this work, we elucidate the efficacy of HTTPS;; security through Internet-wide scanning and present novel solutions for some of the most critical issues we discover.Our analysis includes the first longitudinal study of the HTTPS ecosystem, and a study of the HTTPS ecosystem during upheaval, including the community;;s subsequent response.This examination revealed not only the common practices, but also a number of alarming trends.In this thesis, we focus on two of these issues.The first is that the PKI underlying HTTPS has an extremely large attack surface, with 683 organizations able to sign certificates for any domain.The second is that the cost of HTTPS is exorbitant.As evidence, we found that only 12.9% of the Alexa Top 1 Million supported HTTPS and that 55% of servers with browser-trusted certificates are not optimally configured.Furthermore, we find the management of HTTPS is too burdensome. We discover 20% of certificates are removed from servers after they have already expired.In order to address the large attack surface of the PKI, we present CAge.CAge is a technique that can reduce the attack surface of certificate authorities by 90% using simple inference techniques.The key observation is that CAs commonly sign for only a handful of TLDs; in fact, 90% of CAs have signed certificates for domains in fewer than 10 TLDs, and only 35% have ever signed a certificate for a domain in .com.To decrease the cost of HTTPS, we present Let;;s Encrypt, the first fully automated and free certificate authority.The automation is enabled by a new protocol we developed, ACME, which handles all of a CA;;s operational duties.We implement client and server ACME software which reduces the time required to deploy HTTPS to 30 seconds.We additionally develop new validation techniques which improve the security of the PKI in general.
[发布日期] [发布机构] University of Michigan
[效力级别] X.509 certificates [学科分类]
[关键词] HTTPS;X.509 certificates;Computer Science;Engineering;Science;Computer Science and Engineering [时效性]