Abstract
Certificate Transparency (CT) was proposed to detect maliciously or mistakenly issued certificates by recording all certificates in publicly visible logs. CT assumes that any individual can take on the role of a CT monitor, which fetches all the certificates in the logs and looks for suspicious ones among them. However, studies in recent years show that ordinary individuals have to pay an unbearable price to operate a monitor by themselves, so the originally distributed trust becomes concentrated in several third-party monitors. Unfortunately, some research indicates that third-party monitors have problems of timeliness, security, and reliability. In this paper, we propose PoliCT, a flexible and customizable certificate transparency management solution in which domain owners can designate how their certificates should be submitted and validated. It enables domain owners (a) to release their CT policies so that they can purposefully monitor only a few logs, thereby greatly reducing monitoring costs; and (b) to demand more SCTs to increase the transparency of their certificates. We then discuss the design of a reliable lightweight self-monitor in detail. As expected, the actual data collection and the theoretical analysis of the prototype system show that PoliCT enables a common individual to maintain its CT policies with negligible overhead, and significantly improves the performance of the monitoring service.
This work was supported in part by the National Natural Science Foundation of China under Grant 62002011, in part by the National Key Research and Development Program of China under Grant 2018YFB0804600, and in part by the Open Project of State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, under Grant 2020-ZD-05.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Sun, A., Li, B., Wan, H., Wang, Q. (2021). PoliCT: Flexible Policy in Certificate Transparency Enabling Lightweight Self-monitor. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2021. Lecture Notes in Computer Science, vol 12809. Springer, Cham. https://doi.org/10.1007/978-3-030-81645-2_21
DOI: https://doi.org/10.1007/978-3-030-81645-2_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81644-5
Online ISBN: 978-3-030-81645-2
eBook Packages: Computer Science, Computer Science (R0)