Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate

Emily Stark, Ryan Sleevi, Rijad Muminovic, Devon O'Brien, Eran Messeri, A. Felt, Brendan McMillion, Parisa Tabriz
Published in: 2019 IEEE Symposium on Security and Privacy (SP), 2019-05-01
DOI: 10.1109/SP.2019.00027 (https://doi.org/10.1109/SP.2019.00027)
Citations: 33

Abstract

Certificate Transparency (CT) is an emerging system for enabling the rapid discovery of malicious or misissued certificates. Initially standardized in 2013, CT is now finally beginning to see widespread support. Although CT provides desirable security benefits, web browsers cannot begin requiring all websites to support CT at once, due to the risk of breaking large numbers of websites. We discuss challenges for deployment, analyze the adoption of CT on the web, and measure the error rates experienced by users of the Google Chrome web browser. We find that CT has so far been widely adopted with minimal breakage and warnings. Security researchers often struggle with the tradeoff between security and user frustration: rolling out new security requirements often causes breakage. We view CT as a case study for deploying ecosystem-wide change while trying to minimize end user impact. We discuss the design properties of CT that made its success possible, as well as draw lessons from its risks and pitfalls that could be avoided in future large-scale security deployments.