Server-side Adoption of Certificate Transparency

Carl Nykvist, Linus Sjostrom, Josef Gustafsson, and Niklas Carlsson

Paper: Carl Nykvist, Linus Sjostrom, Josef Gustafsson, and Niklas Carlsson, "Server-side Adoption of Certificate Transparency", Proc. Passive and Active Measurement Conference (PAM), Berlin, Germany, Mar. 2018. (pdf)

Abstract: Certificate Transparency (CT) was developed to mitigate shortcomings in the TLS/SSL landscape and to assess the trustworthiness of Certificate Authorities (CAs) and the certificates they create. With CT, certificates should be logged in public, audible, append-only CT logs and servers should provide clients (browsers) evidence, in the form of Signed Certificate Timestamps (SCTs), that the certificates that they present have been logged in credible CT logs. These SCTs can be delivered using three different methods: (i) X.509v3 extension, (ii) TLS extension, and (iii) OSCP stapling. In this paper, we develop a measurement tool to capture the TLS communication of a client that implements all three methods and use the tool to analyze the SCT adoption among the one-million most popular web domains. Using two snapshots (from May and Oct. 2017), we answer a wide range of questions related to the delivery choices made by different domains, identify differences in the certificates used by these domains, the CT logs they use, and characterize the potential overheads of the SCT delivery methods and their potential performance impact. By highlighting some of the tradeoffs between the methods and differences in the websites selecting them, we provide insights into the current SCT adoption status and differences in how domains have gone upon adopting this new technology.

Software and datasets

Note: If you use our datafiles and/or software in your research, please include a reference to our PAM 2018 paper (pdf) in your work.