A Residential Client-side Perspective on SSL Certificates

Edward Oakes, Jeffery Kline, Aaron Cahn, Keith Funkhouser, P. Barford
2019 Network Traffic Measurement and Analysis Conference (TMA), published 2019-06-01. DOI: 10.23919/TMA.2019.8784633 (https://doi.org/10.23919/TMA.2019.8784633)
Citations: 5

Abstract

SSL certificates are a core component of the public key infrastructure that underpins encrypted communication in the Internet. In this paper, we report the results of a longitudinal study of the characteristics of SSL certificate chains presented to clients during secure web (HTTPS) connection setup. Our data set consists of 23B SSL certificate chains collected from a global panel consisting of over 2M residential client machines over a period of 6 months. The data informing our analyses provide perspective on the entire chain of trust, including root certificates, across a wide distribution of client machines. We identify over 35M unique certificate chains with diverse relationships at all levels of the PKI hierarchy. We report on the characteristics of valid certificates, which make up 99.7% of the total corpus. We also examine invalid certificate chains, finding that 93% of them contain an untrusted root certificate and we find they have shorter average chain length than their valid counterparts. Finally, we examine two unintended but prevalent behaviors in our data: the deprecation of root certificates and secure traffic interception. Our results support aspects of prior, scan-based studies on certificate characteristics but contradict other findings, highlighting the importance of the residential client-side perspective.