Measurement and Analysis of Automated Certificate Reissuance

Olamide Omolola*, Richard Roberts, Ishtiaq Ashiq, Taejoong Chung, Dave Levin, Alan Mislove

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

The Transport Layer Security (TLS) Public Key Infrastructure (PKI) is essential to the security and privacy of users on the Internet. Despite its importance, prior work from the mid-2010s has shown that mismanagement of the TLS PKI often led to weakened security guarantees, such as compromised certificates going unrevoked and many internet devices generating self-signed certificates. Many of these problems can be traced to manual processes that were the only option at the time. However, in the intervening years, the TLS PKI has undergone several changes: once-expensive TLS certificates are now freely available, and they can be obtained and reissued via automated programs.

In this paper, we examine whether these changes to the TLS PKI have led to improvements in the PKI’s management. We collect data on all certificates issued by Let’s Encrypt (now the largest certificate authority by far) over the past four years. Our analysis focuses on two key questions: First, are administrators making proper use of the automation that modern CAs provide for certificate reissuance? We find that for certificates with a sufficiently long history of being reissued, 80% of them did reissue their certificates on a predictable schedule, suggesting that the remaining 20% may use manual processes to reissue, despite numerous automated tools for doing so. Second, do administrators that use automated CAs react to large-scale compromises more responsibly? To answer this, we use a recent Let’s Encrypt misissuance bug as a natural experiment, and find that a significantly larger fraction of administrators reissued their certificates in a timely fashion compared to previous bugs.
Original language: English
Title of host publication: Passive and Active Measurement - 22nd International Conference, PAM 2021, Proceedings
Editors: Oliver Hohlfeld, Andra Lutu, Dave Levin
Publisher: Springer
Pages: 161-174
Number of pages: 14
ISBN (Print): 978-3-030-72581-5
DOIs:
Publication status: Published - 2021
Externally published: Yes
Event: 2021 International Conference on Passive and Active Network Measurement: PAM 2021 - Virtuell, Germany
Duration: 29 Mar 2021 to 31 Mar 2021

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 12671 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 2021 International Conference on Passive and Active Network Measurement
Country/Territory: Germany
City: Virtuell
Period: 29/03/21 to 31/03/21

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)
