Measurement and analysis of private key sharing in the HTTPS ecosystem

Published

Conference Paper

© 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM. The semantics of online authentication in the web are rather straightforward: if Alice has a certificate binding Bob's name to a public key, and if a remote entity can prove knowledge of Bob's private key, then (barring key compromise) that remote entity must be Bob. However, in reality, many websites- and the majority of the most popular ones-are hosted at least in part by third parties such as Content Delivery Networks (CDNs) or web hosting providers. Put simply: administrators of websites who deal with (extremely) sensitive user data are giving their private keys to third parties. Importantly, this sharing of keys is undetectable by most users, and widely unknown even among researchers. In this paper, we perform a large-scale measurement study of key sharing in today's web. We analyze the prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation. Our results reveal that key sharing is extremely common, with a small handful of hosting providers having keys from the majority of the most popular websites. We also find that hosting providers often manage their customers' keys, and that they tend to react more slowly yet more thoroughly to compromised or potentially compromised keys.

Full Text

Duke Authors

Cited Authors

  • Cangialosi, F; Chung, T; Choffnes, D; Levin, D; Maggs, BM; Mislove, A; Wilson, C

Published Date

  • October 24, 2016

Published In

Volume / Issue

  • 24-28-October-2016 /

Start / End Page

  • 628 - 640

International Standard Serial Number (ISSN)

  • 1543-7221

International Standard Book Number 13 (ISBN-13)

  • 9781450341394

Digital Object Identifier (DOI)

  • 10.1145/2976749.2978301

Citation Source

  • Scopus