Show simple item record

Server Authentication on the Past, Present, and Future Internet.

dc.contributor.authorKasten Jr., James Douglasen_US
dc.date.accessioned2016-01-13T18:04:01Z
dc.date.availableNO_RESTRICTIONen_US
dc.date.available2016-01-13T18:04:01Z
dc.date.issued2015en_US
dc.date.submitteden_US
dc.identifier.urihttps://hdl.handle.net/2027.42/116632
dc.description.abstractHTTPS is used for nearly all secure web communication, yet very little is known about the security of HTTPS' deployment overall on the Internet. In this work, we elucidate the efficacy of HTTPS' security through Internet-wide scanning and present novel solutions for some of the most critical issues we discover. Our analysis includes the first longitudinal study of the HTTPS ecosystem, and a study of the HTTPS ecosystem during upheaval, including the community's subsequent response. This examination revealed not only the common practices, but also a number of alarming trends. In this thesis, we focus on two of these issues. The first is that the PKI underlying HTTPS has an extremely large attack surface, with 683 organizations able to sign certificates for any domain. The second is that the cost of HTTPS is exorbitant. As evidence, we found that only 12.9% of the Alexa Top 1 Million supported HTTPS and that 55% of servers with browser-trusted certificates are not optimally configured. Furthermore, we find the management of HTTPS is too burdensome. We discover 20% of certificates are removed from servers after they have already expired. In order to address the large attack surface of the PKI, we present CAge. CAge is a technique that can reduce the attack surface of certificate authorities by 90% using simple inference techniques. The key observation is that CAs commonly sign for only a handful of TLDs; in fact, 90% of CAs have signed certificates for domains in fewer than 10 TLDs, and only 35% have ever signed a certificate for a domain in .com. To decrease the cost of HTTPS, we present Let's Encrypt, the first fully automated and free certificate authority. The automation is enabled by a new protocol we developed, ACME, which handles all of a CA's operational duties. We implement client and server ACME software which reduces the time required to deploy HTTPS to 30 seconds. We additionally develop new validation techniques which improve the security of the PKI in general.en_US
dc.language.isoen_USen_US
dc.subjectHTTPSen_US
dc.subjectX.509 certificatesen_US
dc.titleServer Authentication on the Past, Present, and Future Internet.en_US
dc.typeThesisen_US
dc.description.thesisdegreenamePhDen_US
dc.description.thesisdegreedisciplineComputer Science and Engineeringen_US
dc.description.thesisdegreegrantorUniversity of Michigan, Horace H. Rackham School of Graduate Studiesen_US
dc.contributor.committeememberHalderman, J Alexen_US
dc.contributor.committeememberLiu, Mingyanen_US
dc.contributor.committeememberPrakash, Atulen_US
dc.contributor.committeememberMadhyastha, Harshaen_US
dc.subject.hlbsecondlevelComputer Scienceen_US
dc.subject.hlbtoplevelEngineeringen_US
dc.subject.hlbtoplevelScienceen_US
dc.description.bitstreamurlhttp://deepblue.lib.umich.edu/bitstream/2027.42/116632/1/jdkasten_1.pdf
dc.owningcollnameDissertations and Theses (Ph.D. and Master's)


Files in this item

Show simple item record

Remediation of Harmful Language

The University of Michigan Library aims to describe library materials in a way that respects the people and communities who create, use, and are represented in our collections. Report harmful or offensive language in catalog records, finding aids, or elsewhere in our collections anonymously through our metadata feedback form. More information at Remediation of Harmful Language.

Accessibility

If you are unable to use this file in its current format, please select the Contact Us link and we can modify it to make it more accessible to you.