Characterizing the Root Landscape of Certificate Transparency Logs

01/13/2020
by   Nikita Korzhitskii, et al.
0

Internet security and privacy stand on the trustworthiness of public certificates signed by Certificate Authorities (CAs). However, software products do not trust the same CAs and therefore maintain different root stores, each typically containing hundreds of trusted roots capable of issuing "trusted" certificates for any domain. Incidents with misissued certificates motivated Google to implement and enforce Certificate Transparency (CT). CT logs archive certificates in a public, auditable and append-only manner. The adoption of CT changed the trust landscape, with logs too maintaining their own root lists and only logging certificates that chain back to one of their roots. In this paper, we present a first characterization of this emerging CT root store landscape, as well as the tool that we developed for data collection, visualization, and analysis of the root stores. As part of our characterization, we compare the logs' root stores and quantify their changes with respect to both each other and the root stores of major software vendors, look at evolving vendor CT policies, and show that root store mismanagement may be linked to log misbehavior. Finally, we present and discuss the results of a survey that we have sent to the log operators participating in Apple's and Google's CT log programs.

READ FULL TEXT
research
10/21/2021

Certificate Root Stores: An Area of Unity or Disparity?

Organizations like Apple, Microsoft, Mozilla and Google maintain certifi...
research
06/11/2018

CertLedger: A New PKI Model with Certificate Transparency Based on Blockchain

In conventional PKI, CAs are assumed to be fully trusted. However, in pr...
research
09/18/2020

The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures

Public Key Infrastructures (PKIs) with their trusted Certificate Authori...
research
11/10/2017

Verifiable Light-Weight Monitoring for Certificate Transparency Logs

Trust in publicly verifiable Certificate Transparency (CT) logs is reduc...
research
06/22/2018

Aggregation-Based Gossip for Certificate Transparency

Certificate Transparency (CT) is a project that mandates public logging ...
research
06/23/2021

Finding Phish in a Haystack: A Pipeline for Phishing Classification on Certificate Transparency Logs

Current popular phishing prevention techniques mainly utilize reactive b...
research
11/20/2017

Software Distribution Transparency and Auditability

A large user base relies on software updates provided through package ma...

Please sign up or login with your details

Forgot password? Click here to reset