Human and Organizational Factors in Public Key Certificate Authority Failures

CCS '21 poster (Public Access). DOI: 10.1145/3460120.3485360
Published: 13 November 2021

Abstract

Public Key Infrastructure (PKI) is the foundation of secure and trusted transactions across the Internet. Public key certificates are issued and validated by Certificate Authorities (CAs), whose trust-anchor certificates sit in the Root Program Operators' stores. These CAs provide certificates that attest to the ownership of domain names on the web and enable secure communications. Each year, hundreds of certificates are issued in error by these verified and trusted Certificate Authorities. In this research, we compiled and classified certificate incident reports documented on Bugzilla, a web-based bug tracking system where such instances are reported. We focus on the 210 incident reports from the last year and compare this pandemic period to trends from previous years. Our data show that non-compliance by Certificate Authorities is a consistent source of vulnerability in the PKI ecosystem. The evaluation of the reasons for misissuance illustrates the role of one-off human failures, systematic interaction flaws leading to repeated incidents, and evidence of perverse incentives leading to misissuance.
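The abstract describes the two mechanical halves of the ecosystem it studies: a relying party validates a certificate by chaining it to a trust anchor in its root store, and a CA is "non-compliant" when it issues a certificate that violates the rules it agreed to. The following is an added example, not code from the poster or its authors, written in Go against the standard library only. It mints a throwaway root and two leaves in-process (constructed test data, not real CA material), validates each leaf against the root the way a client would, and runs a small compliance check whose thresholds are my summary of the CA/Browser Forum Baseline Requirements in force in 2021 (398-day maximum subscriber lifetime, RSA modulus of at least 2048 bits, ECDSA only on P-256/P-384, a subjectAltName required, no MD5/SHA-1 signatures). The host name example.test and the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Subscriber-certificate lifetime limit, per the Baseline Requirements as of 2021
// (assumption: my summary of the BRs, not a value taken from the poster).
const maxLeafValidity = 398 * 24 * time.Hour

// LintLeaf returns the Baseline-Requirements findings for a subscriber certificate.
// An empty result means these checks found nothing; it is not proof of compliance.
func LintLeaf(c *x509.Certificate) []string {
	var f []string
	if c.IsCA {
		f = append(f, "cA=TRUE on a subscriber certificate")
	}
	if d := c.NotAfter.Sub(c.NotBefore); d > maxLeafValidity {
		f = append(f, fmt.Sprintf("validity %d days exceeds 398", int(d.Hours()/24)))
	}
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		f = append(f, "no dNSName or iPAddress in subjectAltName")
	}
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			f = append(f, fmt.Sprintf("RSA modulus %d bits below 2048", pub.N.BitLen()))
		}
	case *ecdsa.PublicKey:
		switch pub.Curve {
		case elliptic.P256(), elliptic.P384(): // permitted curves
		default:
			f = append(f, "ECDSA curve is not P-256 or P-384")
		}
	default:
		f = append(f, "public key algorithm not permitted")
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		f = append(f, "signature uses "+c.SignatureAlgorithm.String())
	}
	return f
}

// VerifyAgainstRoot asks the relying party's question: does the leaf chain to a
// trust anchor in my root store, and does it name the host I am connecting to?
func VerifyAgainstRoot(leaf, root *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}

// mint signs tmpl with signer (which must hold parent's key) and re-parses the DER.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newRoot mints a self-signed CA to act as the trust anchor (constructed test data).
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore: time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2031, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf has the root sign a server certificate for names with the given lifetime.
// lifetimeDays > 398 or an empty names list reproduces two common misissuance patterns.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, names []string, lifetimeDays int) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"}, DNSNames: names,
		NotBefore: start, NotAfter: start.AddDate(0, 0, lifetimeDays),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mint(tmpl, root, &key.PublicKey, rootKey)
}

func main() {
	root, rootKey := newRoot()
	good := issueLeaf(root, rootKey, []string{"example.test"}, 365)
	bad := issueLeaf(root, rootKey, nil, 825) // too long-lived and no SAN
	now := time.Date(2021, 7, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("good: lint", LintLeaf(good), "verify", VerifyAgainstRoot(good, root, "example.test", now))
	fmt.Println("bad:  lint", LintLeaf(bad), "verify", VerifyAgainstRoot(bad, root, "example.test", now))
}
```

Two things worth noticing. The "bad" leaf is rejected by the client only because it lacks a SAN; had the CA put the name in, an 825-day certificate would validate in every browser, which is why misissuance is caught by linting and Certificate Transparency monitoring rather than by relying parties. And a linter only catches encodable rule violations; the organizational failures the poster classifies (wrong validation procedure, incentives to issue rather than refuse) produce certificates that pass every check above.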



Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. certificate authority
2. digital certificate
3. non-compliance
4. public key infrastructure
5. software bugs

Qualifiers

• Poster

Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
