Certificates-as-an-Insurance: Incentivizing Accountability in SSL/TLS
Authors
Abstract
We propose to leverage accountability mechanisms to deal with trust-related security incidents of certification authorities (CAs) in the SSL/TLS public-key infrastructure (PKI). We argue that, despite recent advances in securing certificate issuance and verification, the TLS PKI does not sufficiently incentivize careful identity verification by CAs during certificate issuance, nor does it provide CA accountability in the event of a certificate compromise. We propose a new paradigm, Certificates-as-an-Insurance, to hold CAs accountable for misbehavior by using insurance policies and benefits negotiated between the CA and the domain. In this position paper, we only sketch an instantiation of our insurance model as an extension of the existing certification model and identify challenges for future research.
Similar sources
SSL/TLS Session-Aware User Authentication: A Lightweight Alternative to Client-Side Certificates
Many SSL/TLS-based e-commerce applications employ traditional authentication mechanisms on the client side. These mechanisms—if decoupled from SSL/TLS session establishment—are vulnerable to man-in-the-middle attacks. In this article, we examine the feasibility of such attacks, survey countermeasures, and explain the rationale behind SSL/TLS session-aware user authentication as a lightweight an...
On the Detection of Fake Certificates via Attribute Correlation
Transport Layer Security (TLS) and its predecessor, SSL, are important cryptographic protocol suites on the Internet. They both implement public key certificates and rely on a group of trusted certificate authorities (i.e., CAs) for peer authentication. Unfortunately, the most recent research reveals that, if any one of the pre-trusted CAs is compromised, fake certificates can be issued to inte...
Handshaking Mechanism in E-Business Applications
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the two secure-layer protocols used in all current web applications on a network. This paper focuses on SSL, TLS, and how the handshaking mechanism has been implemented in both SSL and TLS. Further, it describes the generation of keys and certificates.
A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA)
Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms—if decoupled from SSL/TLS session establishment—are vulnerable to man-in-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proo...
SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps
Many Android apps use SSL/TLS to transmit sensitive information securely. However, developers often provide their own implementation of the standard SSL/TLS certificate validation process. Unfortunately, many such custom implementations have subtle bugs, have built-in exceptions for self-signed certificates, or blindly assert all certificates are valid, leaving many Android apps vulnerable to S...
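The custom-validation bugs named in the SMV-Hunter abstract (a `checkServerTrusted` that does nothing, a `HostnameVerifier.verify` that always returns true, or the library-provided allow-all verifier) have a recognizable shape in source. The scanner below is an added example and is not SMV-Hunter's code: SMV-Hunter analyzes compiled apps and confirms findings with a live MITM test, whereas this heuristic only pattern-matches Java source text. The two Java snippets it scans are constructed here, and the rule names, the `Finding` type and the pinned-key hardening in the safe sample are this example's own choices, not anything from the paper.

```python
"""Heuristic scan of Java source for TLS-validation bypasses of the kind
SMV-Hunter reports in Android apps. Added example (not SMV-Hunter's own
code); assumes Java source text is available, which it is not for most
shipped apps. Regex rules are deliberately narrow to keep false positives low."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which weak pattern matched (names chosen for this example)
    line: int      # 1-based line in the scanned source where the match starts
    excerpt: str   # whitespace-collapsed start of the matched text


# Rule 1: checkServerTrusted / checkClientTrusted whose body is empty (or a bare
# 'return;'): every presented chain is accepted, so any MITM certificate works.
_EMPTY_TRUST_CHECK = re.compile(
    r"void\s+(checkServerTrusted|checkClientTrusted)\s*\([^)]*\)\s*"
    r"(?:throws\s+[\w.,\s]+)?\{\s*(?:return\s*;\s*)?\}",
    re.S,
)

# Rule 2: HostnameVerifier.verify that returns true unconditionally: the chain
# may be valid, but it is never tied to the host the app meant to reach.
_VERIFY_ALWAYS_TRUE = re.compile(
    r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*"
    r"\{\s*return\s+true\s*;\s*\}",
    re.S,
)

# Rule 3: the pre-built Apache HttpClient verifier that accepts any host name.
_ALLOW_ALL_VERIFIER = re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")

_RULES = (
    ("empty-trust-check", _EMPTY_TRUST_CHECK),
    ("hostname-verifier-always-true", _VERIFY_ALWAYS_TRUE),
    ("allow-all-hostname-verifier", _ALLOW_ALL_VERIFIER),
)


def _line_of(src: str, pos: int) -> int:
    """1-based line number of character offset pos in src."""
    return src.count("\n", 0, pos) + 1


def scan_java(src: str) -> list[Finding]:
    """Return every weak-validation pattern found in src, ordered by line."""
    findings = []
    for rule, pattern in _RULES:
        for m in pattern.finditer(src):
            excerpt = " ".join(m.group(0).split())[:80]
            findings.append(Finding(rule, _line_of(src, m.start()), excerpt))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: the classic "trust everything" TrustManager plus an
# always-true HostnameVerifier, as found in many apps.
VULNERABLE_APP = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public X509Certificate[] getAcceptedIssuers() { return null; }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
} };
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
"""

# Constructed sample of the hardened form: platform chain validation runs first,
# then the leaf key is compared against pinned hashes; host name checking is left
# to the platform default. platformTm, PINNED_SPKI_HASHES and spkiSha256 are
# hypothetical names for this illustration.
HARDENED_APP = """\
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    platformTm.checkServerTrusted(chain, authType);  // platform PKI validation first
    if (!PINNED_SPKI_HASHES.contains(spkiSha256(chain[0]))) {
        throw new CertificateException("server key does not match a pinned key");
    }
}
// Host name checking left to the platform default verifier.
"""


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_APP), ("hardened", HARDENED_APP)):
        print(f"{name}: {len(scan_java(src))} finding(s)")
        for f in scan_java(src):
            print(f"  line {f.line}: {f.rule}: {f.excerpt}")
```

Running it reports three findings in the vulnerable sample (both empty trust checks and the always-true verifier) and none in the hardened one. A textual scan like this is only a triage aid: it cannot see validators built at runtime or obfuscated code, which is why SMV-Hunter pairs static detection with an actual MITM attempt against the running app.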