Server Authentication on the Past, Present, and Future Internet.
dc.contributor.author | Kasten Jr., James Douglas | en_US |
dc.date.accessioned | 2016-01-13T18:04:01Z | |
dc.date.available | NO_RESTRICTION | en_US |
dc.date.available | 2016-01-13T18:04:01Z | |
dc.date.issued | 2015 | en_US |
dc.date.submitted | en_US | |
dc.identifier.uri | https://hdl.handle.net/2027.42/116632 | |
dc.description.abstract | HTTPS is used for nearly all secure web communication, yet very little is known about the security of HTTPS' deployment overall on the Internet. In this work, we elucidate the efficacy of HTTPS' security through Internet-wide scanning and present novel solutions for some of the most critical issues we discover. Our analysis includes the first longitudinal study of the HTTPS ecosystem, and a study of the HTTPS ecosystem during upheaval, including the community's subsequent response. This examination revealed not only the common practices, but also a number of alarming trends. In this thesis, we focus on two of these issues. The first is that the PKI underlying HTTPS has an extremely large attack surface, with 683 organizations able to sign certificates for any domain. The second is that the cost of HTTPS is exorbitant. As evidence, we found that only 12.9% of the Alexa Top 1 Million supported HTTPS and that 55% of servers with browser-trusted certificates are not optimally configured. Furthermore, we find the management of HTTPS is too burdensome. We discover 20% of certificates are removed from servers after they have already expired. In order to address the large attack surface of the PKI, we present CAge. CAge is a technique that can reduce the attack surface of certificate authorities by 90% using simple inference techniques. The key observation is that CAs commonly sign for only a handful of TLDs; in fact, 90% of CAs have signed certificates for domains in fewer than 10 TLDs, and only 35% have ever signed a certificate for a domain in .com. To decrease the cost of HTTPS, we present Let's Encrypt, the first fully automated and free certificate authority. The automation is enabled by a new protocol we developed, ACME, which handles all of a CA's operational duties. We implement client and server ACME software which reduces the time required to deploy HTTPS to 30 seconds. We additionally develop new validation techniques which improve the security of the PKI in general. | en_US |
dc.language.iso | en_US | en_US |
dc.subject | HTTPS | en_US |
dc.subject | X.509 certificates | en_US |
dc.title | Server Authentication on the Past, Present, and Future Internet. | en_US |
dc.type | Thesis | en_US |
dc.description.thesisdegreename | PhD | en_US |
dc.description.thesisdegreediscipline | Computer Science and Engineering | en_US |
dc.description.thesisdegreegrantor | University of Michigan, Horace H. Rackham School of Graduate Studies | en_US |
dc.contributor.committeemember | Halderman, J Alex | en_US |
dc.contributor.committeemember | Liu, Mingyan | en_US |
dc.contributor.committeemember | Prakash, Atul | en_US |
dc.contributor.committeemember | Madhyastha, Harsha | en_US |
dc.subject.hlbsecondlevel | Computer Science | en_US |
dc.subject.hlbtoplevel | Engineering | en_US |
dc.subject.hlbtoplevel | Science | en_US |
dc.description.bitstreamurl | http://deepblue.lib.umich.edu/bitstream/2027.42/116632/1/jdkasten_1.pdf | |
dc.owningcollname | Dissertations and Theses (Ph.D. and Master's) |