Pouyan Fotouhi Tehrani, Raphael Hiesgen, Teresa Lübeck, Thomas C. Schmidt, Matthias Wählisch,
Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study,
In: Proc. of 8th Network Traffic Measurement and Analysis Conference (TMA), Piscataway, NJ, USA: IEEE, 2024.

Abstract: Integrity and trust on the Web build on X.509 certificates. Misuse or misissuance of these certificates threaten the Web PKI security model, which led to the development of several guarding techniques. In this paper, we study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use. Our measurements comprise 2.4 million popular domains, for which we explore the existence and consistency of the different extensions. Our findings indicate that CAA is almost exclusively deployed in the absence of DNSSEC, while DNSSEC protected service names tend to not use the DNS for guarding certificates. Even though mainly deployed in a formally correct way, CAA ca-strings tend to not selectively separate CAs, and numerous domains hold certificates beyond the CAA semantic. TLSA records are repeatedly poorly maintained and occasionally occur without DNSSEC.

Topics: Internet Measurements and Analysis | Network Management | Network Security


This page generated by bibTOhtml on Mo 15. Jul 00:05:05 CEST 2024