Tracking Certificate Misissuance in the Wild
Transcript of the slides for "Tracking Certificate Misissuance in the Wild"

Tracking Certificate Misissuance in the Wild ▪︎ Deepak Kumar

Tracking Certificate Misissuance in the Wild
Deepak Kumar, University of Illinois
Zhengping Wang, University of Illinois
Matthew Hyder, University of Illinois
Joseph Dickinson, University of Illinois
Gabrielle Beck, University of Michigan
David Adrian, University of Michigan
Zakir Durumeric, University of Michigan / Stanford University
Joshua Mason, University of Illinois
J. Alex Halderman, University of Michigan
Michael Bailey, University of Illinois
HTTPS relies on a supporting Public Key Infrastructure (PKI) composed of hundreds of Certificate Authorities (CAs)
CA/Browser Forum Baseline Requirements: CA must follow these to be browser trusted
“It's 2017 - it's both time to stop making excuses and time to recognize that the ability of CAs to adhere to the rules is core to their trustworthiness. Technical rules are but a proxy for procedure rules.” - Ryan Sleevi
ZLint: An X.509 Certificate Linter
• Codifies RFC 2119 rules in both RFC 5280 and the CA/Browser Forum Baseline Requirements
• “Certificates MUST be of type X.509 v3”
• “…the subject key identifier extension SHOULD be included in all end entity certificates.”
ZLint: An X.509 Certificate Linter
• Written in Go
• Contains 220 lints
• 95% coverage of Baseline Requirements
• 90% coverage of RFC 5280
Lint Severity Levels
• ZLint encodes severity levels corresponding to different kinds of clauses
• Error: Violation of a MUST clause
  • “Certificates MUST be of type X.509 v3”
• Warning: Violation of a SHOULD clause
  • “…the subject key identifier extension SHOULD be included in all end entity certificates.”
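The severity mapping above is easiest to see in code. The following is an added example, not code from the talk or from the ZLint project: a minimal lint runner in Go (the language ZLint is written in) that encodes the two clauses quoted on the slides plus one further MUST clause, the serial-number rule from Baseline Requirements section 7.1 (not quoted on the slides), and runs them over self-signed end-entity certificates constructed in memory. The lint names, the test hostname and the serial values are assumptions; certificate parsing is Go's standard crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Severity follows the slides' mapping: a violated MUST is an Error, a violated SHOULD a Warning.
type Severity int

const (
	Pass Severity = iota
	Warning
	Error
)

func (s Severity) String() string { return [...]string{"pass", "warning", "error"}[s] }

// Lint is one codified clause; Check returns true when the certificate violates it.
// The lint names are illustrative (an assumption), not ZLint's own identifiers.
type Lint struct {
	Name     string
	Severity Severity
	Check    func(c *x509.Certificate) bool
}

var lints = []Lint{
	// RFC 5280 / BR: "Certificates MUST be of type X.509 v3" (Go's parser reports v3 as Version == 3).
	{"e_cert_not_v3", Error, func(c *x509.Certificate) bool { return c.Version != 3 }},
	// BR 7.1 (not on the slides): serials MUST be > 0 and carry at least 64 bits of CSPRNG
	// output, so a serial shorter than 64 bits can never comply.
	{"e_serial_number_too_short", Error, func(c *x509.Certificate) bool {
		return c.SerialNumber.Sign() <= 0 || c.SerialNumber.BitLen() < 64
	}},
	// RFC 5280 4.2.1.2: "...the subject key identifier extension SHOULD be included in all
	// end entity certificates." Go fills SubjectKeyId from that extension; CA certs are exempt.
	{"w_ee_subject_key_identifier_missing", Warning, func(c *x509.Certificate) bool {
		return !c.IsCA && len(c.SubjectKeyId) == 0
	}},
}

// RunLints returns the violated lint names and the worst severity among them, which is
// how a per-certificate "has errors" / "has warnings" tally like the slides' is built.
func RunLints(c *x509.Certificate) ([]string, Severity) {
	var names []string
	worst := Pass
	for _, l := range lints {
		if l.Check(c) {
			names = append(names, l.Name)
			if l.Severity > worst {
				worst = l.Severity
			}
		}
	}
	return names, worst
}

// NewTestCert builds a self-signed end-entity certificate as constructed lint input (not a
// certificate from Censys). withSKI controls whether the Subject Key Identifier extension is
// emitted; Go only auto-generates an SKI for CA certificates, so false really omits it.
func NewTestCert(withSKI bool, serial *big.Int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "lint-test.example"}, // assumed test name
		DNSNames:              []string{"lint-test.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // basicConstraints with cA=FALSE: an end-entity certificate
	}
	if withSKI {
		tmpl.SubjectKeyId = []byte{0x01, 0x02, 0x03, 0x04}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RandomSerial returns a 128-bit serial with its top bit set, satisfying BR 7.1's 64-bit floor.
func RandomSerial() *big.Int {
	half := new(big.Int).Lsh(big.NewInt(1), 127)
	n, _ := rand.Int(rand.Reader, half)
	return n.Add(n, half)
}

func main() {
	cases := []struct {
		label string
		ski   bool
		ser   *big.Int
	}{{"compliant", true, RandomSerial()}, {"no SKI", false, RandomSerial()}, {"serial=1", true, big.NewInt(1)}}
	for _, tc := range cases {
		c, err := NewTestCert(tc.ski, tc.ser)
		if err != nil {
			panic(err)
		}
		names, worst := RunLints(c)
		fmt.Printf("%-10s worst=%-8s violated=%v\n", tc.label, worst, names)
	}
}
```

Running it shows the three outcomes the slides distinguish: a compliant certificate lints clean, dropping the SKI extension yields a Warning (a SHOULD clause), and a serial number of 1 yields an Error (a MUST clause). Because each lint is a plain predicate over a parsed certificate, the same runner scales to a corpus by looping over DER blobs and tallying the worst severity per certificate.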
How prevalent is certificate misissuance?
Collecting Certificates
• Ran ZLint over all certificates in Censys through July 2017
• Analyzed those that chained to a root in NSS
• 61M non-expired certificates
• 171M total certificates
Historical Misissuance
[Figure: percentage of certificates issued with ZLint errors and with warnings, by issuance date, 2009–2017; y-axis 0–40%]
Timeline annotation: CA/Browser Forum Baseline Requirements
Timeline annotation: Certificate Transparency
Timeline annotation: MDSP (mozilla.dev.security.policy) discussions increase
Timeline annotation: WoSign and Symantec are slated to be distrusted
WoSign and Symantec misissued at a rate 2 - 8x worse than the rest of the ecosystem
Largest Misissuers (non-expired certificates chaining to an NSS root)

| Issuer | Certificates (% of all non-expired) | Certificates w/ Errors (% of issuer's) |
|---|---|---|
| GoDaddy | 1.6M (2.7%) | 38,215 (2.4%) |
| Symantec | 2.8M (4.6%) | 23,053 (0.8%) |
| StartCom, Ltd. | 536K (0.9%) | 11,617 (2.1%) |
| WoSign CA Lmtd. | 196K (0.3%) | 9,849 (5%) |
| VeriSign | 43K (0.07%) | 9,835 (23.1%) |
Browsers are taking down the largest offenders
Misissuance by Largest Issuers (non-expired certificates chaining to an NSS root)

| Issuer | Certificates (% of all non-expired) | Certificates w/ Errors (% of issuer's) |
|---|---|---|
| Let's Encrypt | 37M (61%) | 13 (0.0%) |
| Comodo | 6.7M (11%) | 3,219 (0.0%) |
| cPanel | 4.7M (7.8%) | 131 (0.0%) |
| Symantec | 2.8M (4.6%) | 23,053 (0.8%) |
| GeoTrust, Inc. | 1.9M (3.2%) | 5,694 (0.3%) |
| GoDaddy | 1.6M (2.7%) | 38,215 (2.4%) |
| GlobalSign | 1.2M (1.9%) | 837 (0.0%) |
Large CAs misissue a small fraction of their certificates
The Problem with Small CAs
• Browsers are taking action against big, obvious players
• Smaller problematic CAs are “hiding in obscurity”
• PROCERT is a notable counter-example
  • 39 issued certificates, 100% misissuance
• If PROCERT gets the boot, at least 17 others should go too!
“It's 2017 - it's both time to stop making excuses and time to recognize that the ability of CAs to adhere to the rules is core to their trustworthiness. Technical rules are but a proxy for procedure rules.” - Ryan Sleevi
Is certificate misissuance correlated with other mismanagement?
CA Management: Revocation
• OCSP Responders
• CRLs
• Strict rules associated with revocation service response times
CA Revocation Measurement
• Made a valid OCSP, CRL request to all responders every hour from Sept 1 - 20, 2017
• Most responders follow 10s rule, but long tail
  • 53 OCSP responders worst case >10s
  • 2 CRL distribution points worst case >10s
[Figure: CDF of average lookup time versus response time in ms (log scale, 10–10000); series: OCSP time to respond, CRL time to respond]
Correlating ZLint with Mismanagement

Correlation coefficients (p-values in parentheses) between a CA's lint findings and the revocation-service response times measured above:

| | Errors | Warnings |
|---|---|---|
| OCSP Responders | 0.10 (p-value < 0.01) | 0.19 (p-value < 0.01) |
| CRL Distribution Points | 0.07 (p-value 0.01) | 0.17 (p-value < 0.01) |
ZLint is Open Source
code: https://github.com/zmap/zlint
certificates: Available through Censys
ZLint is Deployed
ZLint will be Deployed
Moving Forward
• PKI community is using ZLint to focus removal investigations
• We need a systematic way to identify who to trust in the ecosystem
• We should consider if small, regularly offending CAs are worth our trust
• ZLint enables monitoring of the certificate misissuance ecosystem
• We still need tools to measure other forms of mismanagement
• As new rules are ratified, we need to be watching
@_kumarde