
Server-Side Adoption of Certificate Transparency

  • Conference paper
  • Passive and Active Measurement (PAM 2018)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10771)

Abstract

Certificate Transparency (CT) was developed to mitigate shortcomings in the TLS/SSL landscape and to assess the trustworthiness of Certificate Authorities (CAs) and the certificates they create. With CT, certificates should be logged in public, auditable, append-only CT logs, and servers should provide clients (browsers) with evidence, in the form of Signed Certificate Timestamps (SCTs), that the certificates they present have been logged in credible CT logs. These SCTs can be delivered using three different methods: (i) an X.509v3 certificate extension, (ii) a TLS extension, and (iii) OCSP stapling. In this paper, we develop a client-side measurement tool that implements all three methods and use it to analyze SCT adoption among the one million most popular web domains. Using two snapshots (from May and October 2017), we answer a wide range of questions related to the delivery choices made by different domains, identify differences in the certificates these domains use and the CT logs they rely on, and characterize the overheads and potential performance impact of the SCT delivery methods. By highlighting some of the tradeoffs between the methods and the differences among the websites selecting them, we provide insights into the current status of SCT adoption and into how domains have gone about adopting this new technology.
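All three SCT delivery methods named in the abstract carry the same TLS-encoded SignedCertificateTimestampList defined in RFC 6962, so a single decoder, fed the unwrapped bytes, serves a certificate extension, a TLS extension and a stapled OCSP response alike. The decoder below is added here as an example; it is not code from the paper or from the authors' measurement tool. The OIDs and the TLS extension type in the comments come from RFC 6962; the log IDs, timestamps and signatures in the sample list are constructed placeholders, and signatures are decoded but not verified, since that needs the log's public key and the entry the SCT covers.

```python
"""Decode an RFC 6962 SignedCertificateTimestampList (Section 3.3).

Added example, not the paper's tool. The same structure is carried by:
  - X.509v3 extension OID 1.3.6.1.4.1.11129.2.4.2  (OCTET STRING wraps the list)
  - TLS extension signed_certificate_timestamp, type 18 (extension_data is the list)
  - OCSP singleExtension OID 1.3.6.1.4.1.11129.2.4.5 (OCTET STRING wraps the list)
Signatures are parsed but NOT verified here.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

SCT_V1 = 0
HASH_ALGS = {4: "sha256"}          # RFC 6962 2.1.4: hash MUST be sha256
SIG_ALGS = {1: "rsa", 3: "ecdsa"}  # signature is ECDSA P-256 or RSA


@dataclass
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's public key, 32 bytes
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes

    @property
    def timestamp(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp_ms / 1000, tz=timezone.utc)


def _take(buf: bytes, off: int, n: int) -> tuple[bytes, int]:
    """Slice n bytes at off, refusing to read past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at offset {off}, have {len(buf) - off}")
    return buf[off:off + n], off + n


def _take_u16_vector(buf: bytes, off: int) -> tuple[bytes, int]:
    """TLS opaque<0..2^16-1>: 2-byte big-endian length, then that many bytes."""
    ln, off = _take(buf, off, 2)
    return _take(buf, off, struct.unpack("!H", ln)[0])


def parse_sct(raw: bytes) -> SCT:
    """Decode one SerializedSCT (the v1 SignedCertificateTimestamp struct)."""
    off = 0
    ver, off = _take(raw, off, 1)
    if ver[0] != SCT_V1:
        raise ValueError(f"unsupported SCT version {ver[0]}")
    log_id, off = _take(raw, off, 32)
    ts, off = _take(raw, off, 8)
    extensions, off = _take_u16_vector(raw, off)
    algs, off = _take(raw, off, 2)  # SignatureAndHashAlgorithm: hash byte, sig byte
    if algs[0] not in HASH_ALGS or algs[1] not in SIG_ALGS:
        raise ValueError(f"unexpected hash/signature algorithm pair {algs.hex()}")
    signature, off = _take_u16_vector(raw, off)
    if off != len(raw):
        raise ValueError(f"{len(raw) - off} trailing bytes after SCT")
    return SCT(ver[0], log_id, struct.unpack("!Q", ts)[0], extensions, algs[0], algs[1], signature)


def parse_sct_list(raw: bytes) -> list[SCT]:
    """Decode SignedCertificateTimestampList: a u16-length vector of u16-length SCTs."""
    body, end = _take_u16_vector(raw, 0)
    if end != len(raw):
        raise ValueError(f"{len(raw) - end} trailing bytes after SCT list")
    off, scts = 0, []
    while off < len(body):
        item, off = _take_u16_vector(body, off)
        scts.append(parse_sct(item))
    if not scts:
        raise ValueError("empty SCT list")  # sct_list is declared <1..2^16-1>
    return scts


def distinct_logs(raw: bytes) -> int:
    """Number of distinct CT logs whose SCTs the list carries."""
    return len({sct.log_id for sct in parse_sct_list(raw)})


# Encoder, used only to build the constructed sample below.
def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
              extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    return (bytes([SCT_V1]) + log_id + struct.pack("!Q", timestamp_ms)
            + struct.pack("!H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg])
            + struct.pack("!H", len(signature)) + signature)


def build_sct_list(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body


# Constructed sample: two SCTs from two placeholder logs, timestamped in the
# paper's two snapshot months (May and October 2017). IDs and signatures are dummies.
LOG_A = bytes(range(32))
LOG_B = bytes([0xAB]) * 32
SAMPLE_LIST = build_sct_list([
    build_sct(LOG_A, 1494_000_000_000, bytes.fromhex("3006020101020102")),
    build_sct(LOG_B, 1507_000_000_000, bytes.fromhex("3006020103020104")),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_LIST):
        print(sct.log_id.hex()[:16], sct.timestamp.isoformat(),
              HASH_ALGS[sct.hash_alg], SIG_ALGS[sct.sig_alg], len(sct.signature))
    print("distinct logs:", distinct_logs(SAMPLE_LIST))
```

The certificate and OCSP extensions deliver the list inside a DER OCTET STRING, which must be stripped first; the TLS extension delivers the list directly as extension_data. Counting distinct log IDs rather than raw SCTs is the useful number when asking whether independent logs vouch for a certificate, since two SCTs from the same log add no independence.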


Notes

  1. https://www.thesslstore.com/blog/firefox-certificate-transparency/
  2. Bouncy Castle, https://www.bouncycastle.org
  3. Code and datasets available: http://www.ida.liu.se/~nikca89/papers/pam18.html
  4. Chrome bug report: https://crbug.com/389514
  5. https://www.certificate-transparency.org/known-logs
  6. CT FAQ: https://www.certificate-transparency.org/faq


Acknowledgements

The authors thank their shepherd Niky Riga and the anonymous reviewers for their feedback. This work was funded in part by the Swedish Research Council (VR).

Author information

Corresponding author: Niklas Carlsson


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Nykvist, C., Sjöström, L., Gustafsson, J., Carlsson, N. (2018). Server-Side Adoption of Certificate Transparency. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science, vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_14

  • DOI: https://doi.org/10.1007/978-3-319-76481-8_14
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-76480-1
  • Online ISBN: 978-3-319-76481-8
  • eBook Packages: Computer Science (R0)
