Skip to main content
SpringerLink
Log in

PoliCT: Flexible Policy in Certificate Transparency Enabling Lightweight Self-monitor

  • Conference paper
  • First Online:
Applied Cryptography and Network Security Workshops (ACNS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12809))

Included in the following conference series:

Abstract

Certificate Transparency (CT) is proposed to detect maliciously or mistakenly issued certificates by recording all certificates in publicly-visible logs. CT assumes that any individual can undertake the role of a CT monitor which fetches all the certificates in the logs and discovers suspicious ones from them. However, studies in recent years shows that ordinary individuals have to pay an unbearable price to operate a monitor by themselves, which makes the originally distributed trust be concentrated on several third-party monitors. Unfortunately, some researches indicate that problems of timeliness, security, and reliability exist in third-party monitors. In this paper, we propose the PoliCT, a flexible and customizable certificate transparency management solution where domain owners can designate how their certificates should be submitted and validated. It enables domain owners (a) to release their CT policies to monitor a few logs purposefully, thereby greatly reducing monitoring costs; (b) to demand more SCTs to increase the transparency of their certificates. After that, we discuss the design of a reliable lightweight self-monitor in detail. Expectably, the actual data collection and the theoretical analysis of the prototype system show that PoliCT enables a common individual to maintain its CT policies with negligible overhead, and significantly improves the performance of monitoring service.

This work was supported in part by the National Natural Science Foundation of China under Grant 62002011, in part by the National Key Research and Development Program of China under Grant 2018YFB0804600, and in part by the Open Project of State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, under Grant 2020-ZD-05.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aas, J., et al.: Let’s encrypt: an automated certificate authority to encrypt the entire web. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2473–2487 (2019)

    Google Scholar 

  2. Adkins, H.: An update on attempted man-in-the-middle attacks. Website (2011). https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html

  3. Amann, J., Gasser, O., Scheitle, Q., Brent, L., Carle, G., Holz, R.: Mission accomplished? Https security after diginotar. In: Proceedings of the 2017 Internet Measurement Conference, pp. 325–340 (2017)

    Google Scholar 

  4. Apple Inc.: Apple’s certificate transparency policy. Website (2021). https://support.apple.com/en-us/HT205280

  5. Chu, D., Lin, J., Li, F., Zhang, X., Wang, Q., Liu, G.: Ticket transparency: accountable single sign-on with privacy-preserving public logs. In: Chen, S., Choo, K.-K.R., Fu, X., Lou, W., Mohaisen, A. (eds.) SecureComm 2019. LNICST, vol. 304, pp. 511–531. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-37228-6_25

    Chapter  Google Scholar 

  6. Chuat, L., Szalachowski, P., Perrig, A., Laurie, B., Messeri, E.: Efficient gossip protocols for verifying the consistency of certificate logs. In: 2015 IEEE Conference on Communications and Network Security (CNS), pp. 415–423. IEEE (2015)

    Google Scholar 

  7. Cloudflare Inc.: Explore the certificate transparency ecosystem. Website (2021). https://ct.cloudflare.com/

  8. Comodo CA Limited: crt.sh: Certificate search. Website (2021). https://crt.sh

  9. Comodo Group Inc.: Comodo report of incident. Website (2011). https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

  10. Cooper, D., et al.: Internet x. 509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, 1–151 (2008)

    Google Scholar 

  11. crt.sh Inc.: Certificate Transparency log monitor of crt.sh. Website (2021). https://github.com/crtsh

  12. CT Observatory: Website. https://www.ct-observatory.org/

  13. Cui, M., Cao, Z., Xiong, G.: How is the forged certificates in the wild: practice on large-scale SSL usage measurement and analysis. In: Shi, Y., et al. (eds.) ICCS 2018. LNCS, vol. 10862, pp. 654–667. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93713-7_62

    Chapter  Google Scholar 

  14. Dahlberg, R., Pulls, T.: Verifiable light-weight monitoring for certificate transparency logs. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 171–183. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03638-6_11

    Chapter  Google Scholar 

  15. Eastlake, D., et al.: Transport layer security (TLS) extensions: extension definitions. Technical Report, RFC 6066, January 2011

    Google Scholar 

  16. Eckersley, P.: A Syrian man-in-the-middle attack against Facebook. Website (2011). https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook

  17. Entrust Inc.: Certificate transparency search tool. Website (2021). https://www.entrust.com/ct-search/

  18. Facebook Inc.: Facebook: certificate transparency monitoring. Website (2021). https://developers.facebook.com/tools/ct/search/

  19. Fasllija, E., Enişer, H.F., Prünster, B.: Phish-hook: detecting phishing certificates using certificate transparency logs. In: Chen, S., Choo, K.-K.R., Fu, X., Lou, W., Mohaisen, A. (eds.) SecureComm 2019. LNICST, vol. 305, pp. 320–334. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-37231-6_18

    Chapter  Google Scholar 

  20. Ferretti, L., Longo, F., Colajanni, M., Merlino, G., Tapas, N.: Authorization transparency for accountable access to IoT services. In: 2019 IEEE International Congress on Internet of Things (ICIOT), pp. 91–99. IEEE (2019)

    Google Scholar 

  21. Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G.: In log we trust: revealing poor security practices with certificate transparency logs and internet measurements. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 173–185. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_13

    Chapter  Google Scholar 

  22. GlobalSign: Security incident report. Website (2011). https://www.globalsign.com/resources/globalsign-security-incident-report.pdf

  23. Google Inc.: Certificate transparency in Chrome. Website (2018). https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate-transparency.md

  24. Google Inc.: Certificate transparency in Chrome policy. Website (2018). https://github.com/chromium/ct-policy/blob/master/ct_policy.md

  25. Google Inc.: certificate-transparency-go. Website (2021). https://github.com/google/certificate-transparency-go

  26. Google Inc.: Google: HTTPS encryption on the web. Website (2021). https://transparencyreport.google.com/https/certificates

  27. Google Inc.: The list of all known and announced CT logs. Website (2021)

    Google Scholar 

  28. Google Inc.: Working together to detect maliciously or mistakenly issued certificates. Website (2021)

    Google Scholar 

  29. Gustafsson, J., Overier, G., Arlitt, M., Carlsson, N.: A first look at the CT landscape: certificate transparency logs in practice. In: Kaafar, M.A., Uhlig, S., Amann, J. (eds.) PAM 2017. LNCS, vol. 10176, pp. 87–99. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54328-4_7

    Chapter  Google Scholar 

  30. Hallam-Baker, P., Stradling, R., Laurie, B.: DNS certification authority authorization (CAA) resource record. Internet Eng. Task Force 6844 (2013)

    Google Scholar 

  31. Hardenize Limited: Hardenize: meet the new standard for web site network and security configuration monitoring. Website (2021). https://www.hardenize.com/

  32. Hof, B., Carle, G.: Software distribution transparency and auditability. arXiv ePrint arXiv:1711.07278 (2017)

  33. Hoffman, P., Schlyter, J.: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA. Technical Report, RFC 6698, August 2012

    Google Scholar 

  34. Inc, V.D.S.I.: DigiNotar reports security incident (2011). https://www.vasco.com/about-vasco/press/2011/news_diginotar_reports_security_incident.html

  35. Korzhitskii, N., Carlsson, N.: Characterizing the root landscape of certificate transparency logs. In: 2020 IFIP Networking Conference (Networking), pp. 190–198. IEEE (2020)

    Google Scholar 

  36. Kumar, D., et al.: Tracking certificate misissuance in the wild. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 785–798. IEEE (2018)

    Google Scholar 

  37. Laurie, B., Langley, A., et al.: RFC6962: Certificate Transparency (2013)

    Google Scholar 

  38. Li, B., Chu, D., Lin, J., Cai, Q., Wang, C., Meng, L.: The weakest link of certificate transparency: exploring the TLS/HTTPS configurations of third-party monitors. In: 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 216–223. IEEE (2019)

    Google Scholar 

  39. Li, B., Li, F., Ma, Z., Wu, Q.: Exploring the security of certificate transparency in the wild. In: Zhou, J., et al. (eds.) ACNS 2020. LNCS, vol. 12418, pp. 453–470. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61638-0_25

    Chapter  Google Scholar 

  40. Li, B., et al.: Certificate transparency in the wild: exploring the reliability of monitors. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2505–2520 (2019)

    Google Scholar 

  41. Li, B., Lin, J., Wang, Q., Wang, Z., Jing, J.: Locally-centralized certificate validation and its application in desktop virtualization systems. IEEE Trans. Inf. Forensics Secur. 16, 1380–1395 (2020)

    Article  Google Scholar 

  42. Li, B., Wang, W., Meng, L., Lin, J., Liu, X., Wang, C.: Elaphurus: ensemble defense against fraudulent certificates in TLS. In: Liu, Z., Yung, M. (eds.) Inscrypt 2019. LNCS, vol. 12020, pp. 246–259. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-42921-8_14

    Chapter  Google Scholar 

  43. Morton, B.: More google fraudulent certificates. Website (2014). https://www.entrust.com/google-fraudulent-certificates/

  44. Mozilla: Certificate transparency checker. Website (2019). https://addons.mozilla.org/en-US/firefox/addon/certificate-transparency/

  45. Mozilla Inc.: Public suffix list. Website (2021). https://publicsuffix.org/list/public_suffix_list.datl

  46. Nohe, P.: Maximum SSL/TLS certificate validity is now one year. Website (2020). https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year

  47. Nordberg, L., Gillmor, D.K., et al.: IETF Internet-Draft - Gossiping in CT. Website (2018). https://datatracker.ietf.org/doc/html/draft-ietf-trans-gossip-05

  48. Nykvist, C., Sjöström, L., Gustafsson, J., Carlsson, N.: Server-side adoption of certificate transparency. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 186–199. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_14

    Chapter  Google Scholar 

  49. Opsmate Inc.: SSLMate: cert spotter. Website (2021). https://sslmate.com/certspotter/

  50. Report URI Inc.: Report URI. Website (2021). https://report-uri.com/account/

  51. Roberts, R., Levin, D.: When certificate transparency is too transparent: analyzing information leakage in https domain names. In: Proceedings of the 18th ACM Workshop on Privacy in the Electronic Society, pp. 87–92 (2019)

    Google Scholar 

  52. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X. 509 internet public key infrastructure online certificate status protocol-OCSP. RFC 6960, pp. 1–41 (2013)

    Google Scholar 

  53. Scheitle, Q., et al.: The rise of certificate transparency and its implications on the internet ecosystem. In: Proceedings of the Internet Measurement Conference, vol. 2018, pp. 343–349 (2018)

    Google Scholar 

  54. SSLMate Inc.: How cert spotter parses 255 million certificates. Website (2017). https://sslmate.com/blog/post/how_certspotter_parses_255_million_certificates

  55. SSLMate Inc.: Certificate transparency log monitor of SSLMate. Website (2020). https://github.com/SSLMate/certspotter

  56. SSLMate Inc.: Cert spotter stats. Website (2021). https://sslmate.com/certspotter/stats

  57. Stark, E.: IETF draft - Expect-CT extension for HTTP. Website (2018). https://tools.ietf.org/id/draft-ietf-httpbis-expect-ct-03.html

  58. Stark, E., Sleevi, R., et al.: Does certificate transparency break the web? Measuring adoption and error rate. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 211–226. IEEE (2019)

    Google Scholar 

  59. Szalachowski, P., Chuat, L., Perrig, A.: PKI safety net (PKISN): addressing the too-big-to-be-revoked problem of the TLS ecosystem. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 407–422. IEEE (2016)

    Google Scholar 

  60. Szalachowski, P., Matsumoto, S., Perrig, A.: PoliCert: secure and flexible TLS certificate management. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 406–417 (2014)

    Google Scholar 

  61. University of Michigan: Censys. Website (2021). https://censys.io/

  62. VanderSloot, B., Amann, J., Bernhard, M., Durumeric, Z., Bailey, M., Halderman, J.A.: Towards a complete view of the certificate ecosystem. In: Proceedings of the 2016 Internet Measurement Conference, pp. 543–549 (2016)

    Google Scholar 

  63. Vincent Lynch: Mscaling CT logs: temporal sharding. Website (2018). https://www.digicert.com/dc/blog/scaling-certificate-transparency-logs-temporal-sharding/

  64. Wang, Z., Lin, J., Cai, Q., Wang, Q., Zha, D., Jing, J.: Blockchain-based certificate transparency and revocation transparency. IEEE Trans. Dependable Secure Comput. (2020)

    Google Scholar 

  65. Wilson, K.: Distrusting new CNNIC certificates. Website (2015). https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

Download references

Author information

Authors and Affiliations

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China

    Aozhuo Sun, Huiqing Wan & Qiongxiao Wang

  2. Data Assurance and Communications Security Center, Chinese Academy of Sciences, Beijing, 100093, China

    Aozhuo Sun, Huiqing Wan & Qiongxiao Wang

  3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, 100049, China

    Aozhuo Sun, Huiqing Wan & Qiongxiao Wang

  4. School of Cyber Science and Technology, Beihang University, Beijing, 100191, China

    Bingyu Li

Authors
  1. Aozhuo Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bingyu Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Huiqing Wan
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Qiongxiao Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Qiongxiao Wang .

Editor information

Editors and Affiliations

  1. Singapore University of Technology and Design, Singapore, Singapore

    Jianying Zhou

  2. University of Strathclyde, Glasgow, UK

    Chuadhry Mujeeb Ahmed

  3. ICIS, Radboud University, Nijmegen, The Netherlands

    Lejla Batina

  4. Singapore University of Technology and Design, Singapore, Singapore

    Sudipta Chattopadhyay

  5. LIACS, Leiden University, Leiden, The Netherlands

    Olga Gadyatskaya

  6. Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

    Chenglu Jin

  7. University of Science and Technology of China, Hefei, China

    Jingqiang Lin

  8. University of Padua, Padua, Italy

    Eleonora Losiouk

  9. University of Kansas, Lawrence, KS, USA

    Bo Luo

  10. CIISE, Concordia University, Montréal, Canada

    Suryadipta Majumdar

  11. New York University, Abu Dhabi, United Arab Emirates

    Mihalis Maniatakos

  12. Illinois at Singapore Pte Ltd, Singapore, Singapore

    Daisuke Mashima

  13. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  14. Delft University of Technology, Delft, The Netherlands

    Stjepan Picek

  15. SECOM Co., Ltd., Tokyo, Japan

    Masaki Shimaoka

  16. University of Aizu, Aizu-Wakamatsu, Japan

    Chunhua Su

  17. City University of Hong Kong, Hong Kong, Hong Kong

    Cong Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Sun, A., Li, B., Wan, H., Wang, Q. (2021). PoliCT: Flexible Policy in Certificate Transparency Enabling Lightweight Self-monitor. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2021. Lecture Notes in Computer Science(), vol 12809. Springer, Cham. https://doi.org/10.1007/978-3-030-81645-2_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-81645-2_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81644-5

  • Online ISBN: 978-3-030-81645-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation