Saturday September 21, 2024 11:00am - 11:31am EDT

Abstract:
How do untrustworthy, non-compliant, and otherwise dangerous certificates arise in the Web? What are the causes that underlie the issuance of these certificates? To determine the ground truth, we compiled reports of public key infrastructure (PKI) incidents that resulted from Certificate Authorities' (CAs) issuance of non-compliant certificates from 2001 to December 2021, drawn from reliable public sources, and provide an analysis using qualitative coding of the CAs' descriptions of the reported incidents. Our data sources had to be public, reliable, impartial, and trustworthy. These requirements eliminated incidents published in media without proper sources, for example Medium blog posts. The backbone of our incident collection was Mozilla’s Bugzilla, where we collected 597 incident reports. Our results combine both qualitative and quantitative analyses. We document the trends in incidents, including causes and types. We identify the parties that have erred, the ways in which they have failed, and the patterns of behavior among and between CAs. We enumerate the common recommendations where we concur with the literature, and make some of our own. We argue that there is a need for systematic improvement in PKI now, and this need will only increase as the interaction space for warnings and indicators decreases with IoT and embedded systems. We also discuss potential avenues for future work to prevent future incidents and detect problematic certificates before issuance.
Authors
Jacob Abbott, Indiana University Bloomington
Skyler Johnson, Indiana University Bloomington
Katherine Ferro, Indiana University Bloomington
Phenzi Blasio, Indiana University
Eric Swiler, Indiana University Bloomington
L Jean Camp, Indiana University Bloomington
Room Y116 WCL, 4300 Nebraska Ave, Washington, DC
