Abstract
In recent years, multiple security incidents involving Certificate Authority (CA) misconduct demonstrated the need for strengthened certificate issuance processes. Certificate Transparency (CT) logs make the issuance publicly traceable and auditable.
In this paper, we leverage the information in CT logs to analyze if certificates adhere to the industry’s Baseline Requirements. We find 907 k certificates in violation of Baseline Requirements, which we pinpoint to issuing CAs. Using data from active measurements we compare certificate deployment to logged certificates, identify non-HTTPS certificates in logs, evaluate CT-specific HTTP headers, and augment IP address hitlists using data from CT logs. Moreover, we conduct passive and active measurements to carry out a first analysis of CT’s gossiping and pollination approaches, finding low deployment. We encourage the reproducibility of network measurement research by publishing data from active scans, measurement programs, and analysis tools.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Acer, M.E. et al.: Where the wild warnings are: root causes of Chrome HTTPS certificate errors. In: CCS 2017
ACM: Artifact Review and Badging (2016). https://www.acm.org/publications/policies/artifact-review-badging
Aertsen, M. et al.: No domain left behind: is Let’s Encrypt democratizing encryption? In: ANRW 2017
Amann, J. et al.: Mission accomplished? HTTPS security after DigiNotar. In: IMC 2017
CA/Browser Forum: Baseline requirements for the issuance and management of publicly-trusted certificates. Version 1.5.0., 1 September 2017
Chen, Y. et al.: DNS noise: measuring the pervasiveness of disposable domains in modern DNS traffic. In: DSN 2014
Chromium authors: CT over DNS implementation in Chromium. https://cs.chromium.org/chromium/src/components/certificate_transparency/log_dns_client.cc?type=cs&sq=package:chromium
Chung, T. et al.: Measuring and applying invalid SSL certificates: the silent majority. In: IMC 2016
Clark, J., van Oorschot, P.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE S&P 2013
Dittrich, D. et al.: The Menlo report: ethical principles guiding information and communication technology research. US DHS (2012)
Durumeric, Z. et al.: Analysis of the HTTPS certificate ecosystem. In: IMC 2013
Durumeric, Z. et al.: ZMap: fast Internet-wide scanning and its security applications. In: USENIX Security 2013
Ellison, C., Schneier, B.: Ten risks of PKI: what you’re not being told about Public Key Infrastructure. Comput. Secur. J. 16(1), 1–7 (2000)
Farsight Security: DNSDB. https://www.dnsdb.info/
Felt, A.P. et al.: Measuring HTTPS adoption on the web. In: USENIX Security 2017
Fox-IT: Black Tulip. Report of the investigation into the DigiNotar Certificate Authority breach, 8 (2012)
Gasser, O. et al.: IPv6 Hitlist collection. https://www.net.in.tum.de/projects/gino/ipv6-hitlist.html
Gasser, O. et al.: Scanning the IPv6 Internet: towards a comprehensive Hitlist. In: TMA 2016
Gustafsson, J. et al.: A first look at the CT landscape: Certificate Transparency logs in practice. In: PAM 2017
Holz, R. et al.: The SSL landscape–a thorough analysis of the X.509 PKI using active and passive measurements. In: IMC 2011
Holz, R. et al.: TLS in the wild - an Internet-wide analysis of TLS-based protocols for electronic communication. In: NDSS 2016
Laurie, B. et al.: Certificate Transparency RFCs on GitHub (2017). https://github.com/google/certificate-transparency-rfcs
Liu, Y. et al.: An end-to-end measurement of certificate revocation in the web PKI. In: IMC 2015
Markham, G.: Mailing list: Mozilla dev.sec.policy: PROCERT decision
Messeri, E.: Mailing list: IETF trans: privacy analysis of the DNS-based protocol for obtaining inclusion proof
Mozilla: Mailing List: Mozilla dev.sec.policy: Mozilla’s Plan for Symantec Roots
Mozilla: Revoking Trust in Two TurkTrust Certificates. https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/
Mozilla OneCRL, October 2017
Nordberg, L. et al.: Gossiping in CT. Internet-Draft draft-ietf-trans-gossip-04
Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 15(10), 58–64 (2016)
Ristić, I.: SSL/TLS and PKI History. https://www.feistyduck.com/ssl-tls-and-pki-history/
Ritter, T.: An experimental “RequireCT” directive for HSTS, February 2015. https://ritter.vg/blog-require_certificate_transparency.html
Scheitle, Q. et al.: Towards an ecosystem for reproducible research in computer networking. In: SIGCOMM Reproducibility 2017
Sleevi, R.: Certificate Transparency in Chrome - change to enforcement date Google groups, 21 April 2017. https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/sz_3W_xKBNY/6jq2ghJXBAAJ
Sleevi, R., Messeri, E.: Certificate Transparency in Chrome: monitoring CT logs consistency, 1 May 2015. https://docs.google.com/document/d/1FP5J5Sfsg0OR9P4YT0q1dM02iavhi8ix1mZlZe_z-ls
Stark, E.: Expect-CT extension for HTTP. https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
Symantec: Update on test certificate incident (2016). https://www.symantec.com/page.jsp?id=test-certs-update
TUM: cablint on GitHub. https://github.com/tumi8/certlint
TUM: CT go tool on GitHub. https://github.com/google/certificate-transparency-go
TUM: goscanner on GitHub. https://github.com/tumi8/goscanner
TUM: ZMapv6 on GitHub. https://github.com/tumi8/zmap
VanderSloot, B. et al.: Towards a complete view of the certificate ecosystem. In: IMC 2016
Acknowledgments
We thank Emily Stark from Google for the valuable insights into Chrome’s current state of CT over DNS. The authors thank the contributors of data to Farsight Security’s DNSDB. We thank the anonymous reviewers and our shepherd Steve Uhlig for their valuable feedback. This work was partially funded by the German Federal Ministry of Education and Research under project X-Check, grant 16KIS0530, and project DecADe, grant 16KIS0538.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G. (2018). In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science(), vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-76481-8_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76480-1
Online ISBN: 978-3-319-76481-8
eBook Packages: Computer ScienceComputer Science (R0)