Server-side Adoption of Certificate Transparency
Carl Nykvist, Linus Sjostrom, Josef Gustafsson, and Niklas Carlsson
Paper:
Carl Nykvist, Linus Sjostrom, Josef Gustafsson, and Niklas Carlsson,
"Server-side Adoption of Certificate Transparency",
Proc. Passive and Active Measurement Conference (PAM),
Berlin, Germany, Mar. 2018.
(pdf)
Abstract:
Certificate Transparency (CT) was developed to mitigate
shortcomings in the TLS/SSL landscape and to assess the trustworthiness
of Certificate Authorities (CAs) and the certificates they create.
With CT, certificates should be logged in public, auditable, append-only
CT logs and servers should provide clients (browsers) evidence, in the
form of Signed Certificate Timestamps (SCTs), that the certificates that
they present have been logged in credible CT logs. These SCTs can be
delivered using three different methods: (i) X.509v3 extension, (ii) TLS
extension, and (iii) OCSP stapling. In this paper, we develop a measurement
tool to capture the TLS communication of a client that implements
all three methods and use the tool to analyze the SCT adoption among
the one-million most popular web domains. Using two snapshots (from
May and Oct. 2017), we answer a wide range of questions related to the
delivery choices made by different domains, identify differences in the
certificates used by these domains, the CT logs they use, and characterize
the potential overheads of the SCT delivery methods and their
potential performance impact. By highlighting some of the tradeoffs between
the methods and differences in the websites selecting them, we
provide insights into the current SCT adoption status and differences in
how domains have gone about adopting this new technology.
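
Added example (not from the paper or its measurement tool): all three delivery methods named in the abstract carry the same TLS-encoded SignedCertificateTimestampList defined in RFC 6962, so one parser can read SCTs from any of them and report their per-SCT size. The sample list is constructed with dummy log IDs and signatures, and the function names are illustrative.

```python
import struct
from datetime import datetime, timezone

# The same SignedCertificateTimestampList (RFC 6962, section 3.3) is carried in:
#   X.509v3 certificate extension, OID 1.3.6.1.4.1.11129.2.4.2
#   TLS extension signed_certificate_timestamp (type 18)
#   stapled OCSP response extension, OID 1.3.6.1.4.1.11129.2.4.5

def _take(buf, off, n):
    # Return n bytes at off, rejecting truncated input.
    if off + n > len(buf):
        raise ValueError("truncated SCT data")
    return buf[off:off + n], off + n

def _opaque16(buf, off):
    # Read a vector with a 2-byte big-endian length prefix.
    raw, off = _take(buf, off, 2)
    return _take(buf, off, struct.unpack(">H", raw)[0])

def parse_sct(sct):
    head, off = _take(sct, 0, 41)          # version(1) + log id(32) + timestamp(8)
    version, log_id, ts_ms = struct.unpack(">B32sQ", head)
    if version != 0:                       # 0 is v1, the only version in RFC 6962
        raise ValueError("unsupported SCT version")
    extensions, off = _opaque16(sct, off)
    (hash_alg, sig_alg), off = _take(sct, off, 2)
    signature, off = _opaque16(sct, off)
    if off != len(sct):
        raise ValueError("trailing bytes after signature")
    when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
    return {"log_id": log_id.hex(), "timestamp": when.isoformat(),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "bytes_on_wire": len(sct) + 2}

def parse_sct_list(data):
    # For the X.509v3 and OCSP carriers, pass the bytes left after DER unwrapping.
    body, off = _opaque16(data, 0)
    if off != len(data):
        raise ValueError("length prefix does not match input")
    scts, pos = [], 0
    while pos < len(body):
        sct, pos = _opaque16(body, pos)
        scts.append(parse_sct(sct))
    return scts

def build_sample():
    # Constructed two-SCT list; log IDs and signatures are dummy bytes.
    def sct(log_byte, ts_ms):
        s = struct.pack(">B32sQH", 0, bytes([log_byte]) * 32, ts_ms, 0)
        s += bytes([4, 3]) + struct.pack(">H", 71) + bytes(71)  # sha256, ecdsa
        return struct.pack(">H", len(s)) + s
    body = sct(0xAA, 1493596800000) + sct(0xBB, 1506816000000)
    return struct.pack(">H", len(body)) + body
```

The parser checks structure and size only; it does not verify the log's signature over the SCT.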
Software and datasets
- Software:
The software and code used in our paper will be made available
here (4.44 MB)
for use by the wider research community.
(The file contains commented source code and a
README file, which should help in getting started with the files.)
- Datasets:
Add datasets and a description of the fields (for both May 2017 and Oct 2017).
Note: If you use our datafiles and/or software in your research,
please include a reference to our PAM 2018 paper
(pdf) in your work.