
A compliance-based ranking of certificate authorities using probabilistic approaches

  • Regular Contribution

International Journal of Information Security

Abstract

The security of the global Certification Authority (CA) system has recently been compromised as a result of attacks on the Public Key Infrastructure (PKI). Although the CA/Browser (CA/B) Forum publishes compliance requirements for CAs, there is no guarantee that even a commercially successful CA is complying with these recommendations. In this paper, we propose the first systematic CA ranking mechanism, which ranks CAs in terms of their adherence to the CA/B Forum and X.509 certificate standards. Since there is no consolidated and widely accepted parameter for ranking CAs, we propose formula-based rating models and introduce different ranking techniques, namely Direct, Bayesian, and Markov Chain Ranking. These rankings are applied to a comprehensive dataset of X.509 trust chains gathered over the period 2020 to 2023. Our proposed ranking scheme can serve as a criterion for both consumers and enterprises when selecting and prioritizing CAs based on performance as well as adherence to the certificate standards.


Data availability

We are committed to transparency and open science. The Rapid7 certificate data that supports the findings of this study is available with us and can be accessed by approaching us. Any additional data required to reproduce the results or test the methods reported in this article is available upon request. The authors encourage readers to contact phdcs21004@itu.edu.pk for further information regarding data availability and access.


Author information

Corresponding author

Correspondence to Kashif Junaid.

Ethics declarations

Conflict of interest

We declare that we have no conflict of interest that could influence the interpretation or evaluation of the results presented in this manuscript. Conflicts of interest include, but are not limited to, financial, personal, or professional relationships that may have influenced the work or could be perceived to have influenced the work.

Ethical standards

This research adheres to the ethical standards and guidelines established by relevant bodies within the web Public Key Infrastructure (PKI) ecosystem. We affirm that the research conducted is in full compliance with the ethical standards and principles outlined in the relevant documents and guidelines within the web PKI, RFC, and CAB Forum guidelines. The ranking is based purely on compliance standards; we did not disclose any CA private information, nor did we disclose any registrant's private information.


About this article


Cite this article

Junaid, K., Janjua, M.U. & Qadir, J. A compliance-based ranking of certificate authorities using probabilistic approaches. Int. J. Inf. Secur. 23, 2881–2910 (2024). https://doi.org/10.1007/s10207-024-00867-3
