Measuring and applying invalid SSL Certificates: The silent majority

Published

Conference Paper

SSL and TLS are used to secure the most commonly-used Internet protocols. As a result, the ecosystem of SSL certificates has been thoroughly studied, leading to a broad understanding of the strengths and weak-nesses of the certificates accepted by most web browsers. Prior work has naturally focused almost exclusively on "valid" certificates|those that standard browsers ac-cept as well-formed and trusted|and has largely disre-garded certificates that are otherwise \invalid." Surpris-ingly, however, this leaves the majority of certificates unexamined: we find that, on average, 65% of SSL cer-tificates advertised in each IPv4 scan that we examine are actually invalid. In this paper, we demonstrate that despite their inva-lidity, much can be understood from these certificates. Specifically, we show why the web's SSL ecosystem is populated by so many invalid certificates, where they originate from, and how they impact security. Using a dataset of over 80M certificates, we determine that most invalid certificates originate from a few types of end-user devices, and possess dramatically different proper-ties than their valid counterparts. We find that many of these devices periodically reissue their (invalid) certificates, and develop new techniques that allow us to track these reissues across scans. We present evidence that this technique allows us to uniquely track over 6.7M de-vices. Taken together, our results open up a heretofore largely-ignored portion of the SSL ecosystem to further study.

Full Text

Duke Authors

Cited Authors

  • Chung, T; Liu, Y; Choffnes, D; Levin, D; Maggs, BM; Mislove, A; Wilson, C

Published Date

  • November 14, 2016

Published In

  • Proceedings of the Acm Sigcomm Internet Measurement Conference, Imc

Volume / Issue

  • 14-16-November-2016 /

Start / End Page

  • 527 - 541

International Standard Book Number 13 (ISBN-13)

  • 9781450345262

Digital Object Identifier (DOI)

  • 10.1145/2987443.2987454

Citation Source

  • Scopus