measuring adoption of security additions to the https
play

Measuring Adoption of Security Additions to the HTTPS Ecosystem - PowerPoint PPT Presentation

Mar 01, 2023 •192 likes •303 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied Networking Research Workshop (ANRW)

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Measuring Adoption of Security Additions to the HTTPS Ecosystem Quirin Scheitle July 16, 2018 Applied Networking Research Workshop (ANRW) Montreal Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Covering Publications This presentation is based on the following publications: Mission Accomplished? HTTPS Security after DigiNotar Johanna Amann*, Oliver Gasser*, Quirin Scheitle*, Lexi Brent, Georg Carle, Ralph Holz Proceedings of the Internet Measurement Conference (IMC 2017), London, UK, Nov. 2017 A First Look at Certification Authority Authorization (CAA) Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, Dave Choffnes, Alan Mislove, Georg Carle ACM SIGCOMM Computer Communications Review (CCR), Apr. 2018 Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 2

  3. Introduction The HTTPS ecosystem has seen the addition of various security extensions over the past decade, most standardized at IETF. This body of work aims to assess the quality and quantity of adoption of these security extensions in the Internet, using active and passive measurements, and controlled experiments. Highlights in measurements methodology: • 192M domains scanned from 2 vantage points, using IPv4 and IPv6 • Large target population avoids bias from, e.g. , top lists • Passive observations on 3 continents, observing 2.4bn TLS connections Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 3

  4. Deployment of HTTPS Security Extensions Mechanism Standard- Deployment Effort Availability ized Overall Top 10K ↓ Risk SCSV 2015 49.2M 6789 none low CT-x509 2013 7.0M 1788 none none HSTS 2012 0.9M 349 low low CT-TLS 2013 27,759 171 high none HPKP 2015 6616 156 high high HPKP PL. 2012 479 150 high high HSTS PL. 2012 23,539 144 medium medium CAA 2013 3057 20 medium low TLSA 2012 973 3 high medium CT-OCSP 2013 191 0 low none • High risk and high effort extensions see low deployment • Highest deployment for technologies without configuration effort: SCSV (software update), CT-x509 (automatically included in certificate) Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 4

  5. Deployment of HTTPS Security Extensions Mechanism Standard- Deployment Effort Availability ized Overall Top 10K ↓ Risk SCSV 2015 49.2M 6789 none low CT-x509 2013 7.0M 1788 none none HSTS 2012 0.9M 349 low low CT-TLS 2013 27,759 171 high none HPKP 2015 6616 156 high high HPKP PL. 2012 479 150 high high HSTS PL. 2012 23,539 144 medium medium CAA 2013 3057 20 medium low TLSA 2012 973 3 high medium CT-OCSP 2013 191 0 low none • High risk and high effort extensions see low deployment • Highest deployment for technologies without configuration effort: SCSV (software update), CT-x509 (automatically included in certificate) Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 5

  6. Certification Authority Authorization (CAA) - Introduction Domain Type Flags Tag Value tum.de CAA 0 issue "letsencrypt.org" tum.de CAA 0 issue "pki.dfn.de" Table 1: Exemplary CAA section of DNS zone file • Controlled Experiment: Assess CA rigor • Assess Market Adoption • Role of DNS Providers Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 6

  7. Certification Authority Authorization (CAA) - Issuance Experiment We conduct two rounds of tests, 1 month apart, so CAs have opportunity to fix. Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 7

  8. Certification Authority Authorization (CAA) - Issuance Experiment Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 8

  9. Certification Authority Authorization (CAA) - Market Adoption Large-Scale Active DNS Scans, configurable live view: https://caastudy.github.io Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 9

  10. Certification Authority Authorization (CAA) - DNS Provider Support These top 31 DNS providers covered 54% of the com/net/org domains. Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 10

  11. Summary • HTTPS security extensions differ vastly in scope and deployment • Low risk and effort technologies are much more widely deployed • CAA: Mixed CA rigor, encouraging market adoption, DNS provider support as a critical factor • Data, software, and tools are publicly available: https://github.com/tumi8/imc17-missionaccomplished https://caastudy.github.io Quirin Scheitle — Measuring Adoption of Security Additions to the HTTPS Ecosystem 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
4. Web Security - Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions,

4. Web Security - Measuring and Analyzing Search Engine Poisoning of Linguistic Collisions,

All papers can be found by Google Scholar. For those papers accepted by S&P 2019, you can download them from this website: https://www.ieee- security.org/TC/SP2019/program-papers.html The below papers are published in the top security

290 views • 5 slides
Adoption and Adaptation Making technology work for us https://flic.kr/p/odhWZ8 From the

Adoption and Adaptation Making technology work for us https://flic.kr/p/odhWZ8 From the

Adoption and Adaptation Making technology work for us https://flic.kr/p/odhWZ8 From the Internet Archive https://flic.kr/p/d5VRWj by Wandering Panda https://flic.kr/p/ii8JxD by George https://flic.kr/p/6nq6N by jerkylicker

1.12k views • 32 slides
Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter

Measuring the Adoption of Route Origin Validation and Filtering Andreas Reuter (andreas.reuter@fu-berlin.de) Joint work with Randy Bush, Ethan Katz-Bassett, Italo Cunha, Thomas C. Schmidt, and Matthias Whlisch PEERING The BGP Testbed The BGP

1.56k views • 52 slides
Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan

Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate Emily Stark , Ryan Sleevi, Rijad Muminovic, Devon OBrien, Eran Messeri, Adrienne Porter Felt, Brendan McMillion, Parisa Tabriz estark@chromium.org How

484 views • 31 slides
Internet Measurements Dr. Vaibhav Bajpai 1. Measure Adoption 2. Measure Performance 3. Measure

Internet Measurements Dr. Vaibhav Bajpai 1. Measure Adoption 2. Measure Performance 3. Measure

Internet Measurements Dr. Vaibhav Bajpai 1. Measure Adoption 2. Measure Performance 3. Measure Disruption 4. ... Seminar Webpage: https://goo.gl/M51fPJ HTTP2 adoption https://tools.ietf.org/html/rfc7540

284 views • 7 slides
Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van Eeten Del. University of Technology Security produc=vity What is measurable? Security level

217 views • 10 slides
Proposed Changes October 2012 Additions: Additions: Introduction to Computer Hardware,

Proposed Changes October 2012 Additions: Additions: Introduction to Computer Hardware,

Proposed Changes October 2012 Additions: Additions: Introduction to Computer Hardware, Networking, and CyberSecurity English 12 (Dual enrolled) Grade 12 Mathematics Capstone Advanced Math: NOVA Math 151/152 Environmental

77 views • 4 slides
Accelerating SE research adoption with Analysis Bots https://github.com/AnalysisBotsPlatform

Accelerating SE research adoption with Analysis Bots https://github.com/AnalysisBotsPlatform

Accelerating SE research adoption with Analysis Bots https://github.com/AnalysisBotsPlatform Ivan Beschastnikh, Mircea F. Lungu, Yanyan Zhuang U. of British U. of Groningen U. of Colorado Columbia Colorado Springs Canada Wanted: SE

467 views • 23 slides
AGRICULTURAL TECHNOLOGY ADOPTION & FOOD SECURITY IN AFRICA EVIDENCE SUMMIT JUNE 1-2, 2011

AGRICULTURAL TECHNOLOGY ADOPTION & FOOD SECURITY IN AFRICA EVIDENCE SUMMIT JUNE 1-2, 2011

AGRICULTURAL TECHNOLOGY ADOPTION & FOOD SECURITY IN AFRICA EVIDENCE SUMMIT JUNE 1-2, 2011 WASHINGTON, DC Panel Discussion on: Strategies for increasing adoption of profitable agricultural technology: Role of policies, institutions,

289 views • 13 slides
Measuring Energy Security RYAN OPSAL Energy Security What is it? Familiar trap in the social

Measuring Energy Security RYAN OPSAL Energy Security What is it? Familiar trap in the social

Measuring Energy Security RYAN OPSAL Energy Security What is it? Familiar trap in the social sciences: too strict a definition and too much is excluded to be useful whereas too broad a definition weakens explanatory power given events Even

428 views • 15 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Measuring Software Security Defining Security Metrics Dr. Bill Young Department of Computer

Measuring Software Security Defining Security Metrics Dr. Bill Young Department of Computer

Measuring Software Security Defining Security Metrics Dr. Bill Young Department of Computer Science University of Texas at Austin Last updated: May 1, 2015 at 08:15 Dr. Bill Young: 1 Metrics Talk: OAG IV&V Why Is CyberSecurity Hard? Why

854 views • 21 slides
Overview of IEEE 802.16 Security David Johnston & Jesse Walker Presented By: Anil Bazaz

Overview of IEEE 802.16 Security David Johnston & Jesse Walker Presented By: Anil Bazaz

Overview of IEEE 802.16 Security David Johnston & Jesse Walker Presented By: Anil Bazaz CS6204, Spring 2005 Intro to IEEE 802.16 Standard for Wireless Metropolitan Area Networks (WMANs) Flavors: IEEE 802.16-2001, 802.16a, 802.16c,

844 views • 14 slides
A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga,

A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga,

Enabling Grids for E-sciencE A VOMS overview Andrea Ceccanti (on behalf of the VOMS team) NRENS and Grids Workshop Malaga, 29-30/11/07 www.eu-egee.org EGEE-II INFSO-RI-031688 EGEE and gLite are registered trademarks Outline Enabling Grids

488 views • 25 slides
Applications for NDN James Kasten University of Michigan Network Authentication Public Key

Applications for NDN James Kasten University of Michigan Network Authentication Public Key

Applications for NDN James Kasten University of Michigan Network Authentication Public Key Infrastructure Pairing Keys with Identity or Authority Major Challenges Management Distribution Revocation Renewal Lets

391 views • 10 slides
Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies HTTP Public Key Pinning Certificate

1.05k views • 61 slides
What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ?

What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ?

Resource Certification What it means for LIRs Alain P. AI NA Special Project M anager What is Resource Certification ? Resource Certification is is a security framework for verifying the association between resource holders and their

569 views • 20 slides
Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis

Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Mutual Authentication and Authorization for Interconnecting Home Automation Systems Master Thesis Final talk Karthik Mathiazhagan

735 views • 18 slides
Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Security & Knowledge Management a.a. 2019/20 Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed just by permitted users Integrity Not tampered by not permitted users Availability

558 views • 21 slides
Benedikt Brecht, CAMP Principal Investigator, VWGoA October 2015 1 CAMP Partners Project funded

Benedikt Brecht, CAMP Principal Investigator, VWGoA October 2015 1 CAMP Partners Project funded

V2X Security Credential Management System (SCMS) Proof-of-Concept Implementation funded by US DOT/NHTSA Benedikt Brecht, CAMP Principal Investigator, VWGoA October 2015 1 CAMP Partners Project funded by Supported by October 2015 2 What is

562 views • 29 slides

More recommend