Publications

Abstract

Pouyan Fotouhi Tehrani, Raphael Hiesgen, Teresa Lübeck, Thomas C. Schmidt, Matthias Wählisch,
Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study,
In: Proc. of Network Traffic Measurement and Analysis Conference (TMA), p. 1–11, IEEE Press : Piscataway, NJ, USA, May 2024.
[html][pdf][BibTeX][Abstract]

Abstract: Integrity and trust on the web build on X.509 certificates. Misuse or misissuance of these certificates threaten the Web PKI security model, which led to the development of several guarding techniques. In this paper, we study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use. Our measurements comprise 4 million popular domains, for which we explore the existence and consistency of the different extensions. Our findings indicate that CAA is almost exclusively deployed in the absence of DNSSEC, while DNSSEC protected service names tend to not use the DNS for guarding certificates. Even though mainly deployed in a formally correct way, CAA CA-strings tend to not selectively separate CAs, and numerous domains hold certificates beyond the CAA semantic. TLSA records are repeatedly poorly maintained and occasionally occur without DNSSEC.

Themes: Network Security , Internet Measurement and Analysis

This page generated by bibTOhtml on Sun 30 Jun 2024 12:05:05 AM UTC

Mo	Tu	We	Th	Fr	Sa	Su
27	28	29	30	31	1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30