Skip to main content
SpringerLink
Log in

In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2018)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 10771))

Included in the following conference series:

Abstract

In recent years, multiple security incidents involving Certificate Authority (CA) misconduct demonstrated the need for strengthened certificate issuance processes. Certificate Transparency (CT) logs make the issuance publicly traceable and auditable.

In this paper, we leverage the information in CT logs to analyze if certificates adhere to the industry’s Baseline Requirements. We find 907  k certificates in violation of Baseline Requirements, which we pinpoint to issuing CAs. Using data from active measurements we compare certificate deployment to logged certificates, identify non-HTTPS certificates in logs, evaluate CT-specific HTTP headers, and augment IP address hitlists using data from CT logs. Moreover, we conduct passive and active measurements to carry out a first analysis of CT’s gossiping and pollination approaches, finding low deployment. We encourage the reproducibility of network measurement research by publishing data from active scans, measurement programs, and analysis tools.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Acer, M.E. et al.: Where the wild warnings are: root causes of Chrome HTTPS certificate errors. In: CCS 2017

    Google Scholar 

  2. ACM: Artifact Review and Badging (2016). https://www.acm.org/publications/policies/artifact-review-badging

  3. Aertsen, M. et al.: No domain left behind: is Let’s Encrypt democratizing encryption? In: ANRW 2017

    Google Scholar 

  4. Amann, J. et al.: Mission accomplished? HTTPS security after DigiNotar. In: IMC 2017

    Google Scholar 

  5. CA/Browser Forum: Baseline requirements for the issuance and management of publicly-trusted certificates. Version 1.5.0., 1 September 2017

    Google Scholar 

  6. Chen, Y. et al.: DNS noise: measuring the pervasiveness of disposable domains in modern DNS traffic. In: DSN 2014

    Google Scholar 

  7. Chromium authors: CT over DNS implementation in Chromium. https://cs.chromium.org/chromium/src/components/certificate_transparency/log_dns_client.cc?type=cs&sq=package:chromium

  8. Chung, T. et al.: Measuring and applying invalid SSL certificates: the silent majority. In: IMC 2016

    Google Scholar 

  9. Clark, J., van Oorschot, P.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE S&P 2013

    Google Scholar 

  10. Dittrich, D. et al.: The Menlo report: ethical principles guiding information and communication technology research. US DHS (2012)

    Google Scholar 

  11. Durumeric, Z. et al.: Analysis of the HTTPS certificate ecosystem. In: IMC 2013

    Google Scholar 

  12. Durumeric, Z. et al.: ZMap: fast Internet-wide scanning and its security applications. In: USENIX Security 2013

    Google Scholar 

  13. Ellison, C., Schneier, B.: Ten risks of PKI: what you’re not being told about Public Key Infrastructure. Comput. Secur. J. 16(1), 1–7 (2000)

    Google Scholar 

  14. Farsight Security: DNSDB. https://www.dnsdb.info/

  15. Felt, A.P. et al.: Measuring HTTPS adoption on the web. In: USENIX Security 2017

    Google Scholar 

  16. Fox-IT: Black Tulip. Report of the investigation into the DigiNotar Certificate Authority breach, 8 (2012)

    Google Scholar 

  17. Gasser, O. et al.: IPv6 Hitlist collection. https://www.net.in.tum.de/projects/gino/ipv6-hitlist.html

  18. Gasser, O. et al.: Scanning the IPv6 Internet: towards a comprehensive Hitlist. In: TMA 2016

    Google Scholar 

  19. Gustafsson, J. et al.: A first look at the CT landscape: Certificate Transparency logs in practice. In: PAM 2017

    Google Scholar 

  20. Holz, R. et al.: The SSL landscape–a thorough analysis of the X.509 PKI using active and passive measurements. In: IMC 2011

    Google Scholar 

  21. Holz, R. et al.: TLS in the wild - an Internet-wide analysis of TLS-based protocols for electronic communication. In: NDSS 2016

    Google Scholar 

  22. Laurie, B. et al.: Certificate Transparency RFCs on GitHub (2017). https://github.com/google/certificate-transparency-rfcs

  23. Liu, Y. et al.: An end-to-end measurement of certificate revocation in the web PKI. In: IMC 2015

    Google Scholar 

  24. Markham, G.: Mailing list: Mozilla dev.sec.policy: PROCERT decision

    Google Scholar 

  25. Messeri, E.: Mailing list: IETF trans: privacy analysis of the DNS-based protocol for obtaining inclusion proof

    Google Scholar 

  26. Mozilla: Mailing List: Mozilla dev.sec.policy: Mozilla’s Plan for Symantec Roots

    Google Scholar 

  27. Mozilla: Revoking Trust in Two TurkTrust Certificates. https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/

  28. Mozilla OneCRL, October 2017

    Google Scholar 

  29. Nordberg, L. et al.: Gossiping in CT. Internet-Draft draft-ietf-trans-gossip-04

    Google Scholar 

  30. Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 15(10), 58–64 (2016)

    Article  Google Scholar 

  31. Ristić, I.: SSL/TLS and PKI History. https://www.feistyduck.com/ssl-tls-and-pki-history/

  32. Ritter, T.: An experimental “RequireCT” directive for HSTS, February 2015. https://ritter.vg/blog-require_certificate_transparency.html

  33. Scheitle, Q. et al.: Towards an ecosystem for reproducible research in computer networking. In: SIGCOMM Reproducibility 2017

    Google Scholar 

  34. Sleevi, R.: Certificate Transparency in Chrome - change to enforcement date Google groups, 21 April 2017. https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/sz_3W_xKBNY/6jq2ghJXBAAJ

  35. Sleevi, R., Messeri, E.: Certificate Transparency in Chrome: monitoring CT logs consistency, 1 May 2015. https://docs.google.com/document/d/1FP5J5Sfsg0OR9P4YT0q1dM02iavhi8ix1mZlZe_z-ls

  36. Stark, E.: Expect-CT extension for HTTP. https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02

  37. Symantec: Update on test certificate incident (2016). https://www.symantec.com/page.jsp?id=test-certs-update

  38. TUM: cablint on GitHub. https://github.com/tumi8/certlint

  39. TUM: CT go tool on GitHub. https://github.com/google/certificate-transparency-go

  40. TUM: goscanner on GitHub. https://github.com/tumi8/goscanner

  41. TUM: ZMapv6 on GitHub. https://github.com/tumi8/zmap

  42. VanderSloot, B. et al.: Towards a complete view of the certificate ecosystem. In: IMC 2016

    Google Scholar 

Download references

Acknowledgments

We thank Emily Stark from Google for the valuable insights into Chrome’s current state of CT over DNS. The authors thank the contributors of data to Farsight Security’s DNSDB. We thank the anonymous reviewers and our shepherd Steve Uhlig for their valuable feedback. This work was partially funded by the German Federal Ministry of Education and Research under project X-Check, grant 16KIS0530, and project DecADe, grant 16KIS0538.

Author information

Authors and Affiliations

  1. Technical University of Munich, Munich, Germany

    Oliver Gasser, Benjamin Hof, Max Helm & Georg Carle

  2. Grenoble Alps University, Grenoble, France

    Maciej Korczynski

  3. Delft University of Technology, Delft, Netherlands

    Maciej Korczynski

  4. The University of Sydney, Sydney, Australia

    Ralph Holz

Authors
  1. Oliver Gasser
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Benjamin Hof
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Max Helm
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Maciej Korczynski
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ralph Holz
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Georg Carle
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Oliver Gasser .

Editor information

Editors and Affiliations

  1. Naval Postgraduate School, Monterey, California, USA

    Robert Beverly

  2. Technical University of Berlin, Berlin, Germany

    Georgios Smaragdakis

  3. Max Planck Institute for Informatics, Saarbrücken, Germany

    Anja Feldmann

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gasser, O., Hof, B., Helm, M., Korczynski, M., Holz, R., Carle, G. (2018). In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science(), vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-76481-8_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76480-1

  • Online ISBN: 978-3-319-76481-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation