Publication Details

Title: Revisiting SSL: A Large Scale Study of the Internet's Most Trusted Protocol
Author: B. Amann, M. Vallentin, S. Hall, and R. Sommer
Group: ICSI Technical Reports
Date: December 2012
PDF: http://www.icsi.berkeley.edu/pubs/techreports/ICSI_TR-12-015.pdf

Overview:
Much of the Internet's end-to-end security relies on the SSL protocol along with its underlying certificate infrastructure. We offer an in-depth study of real-world SSL and X.509 deployment characteristics from an unprecedented vantage point, based on a data set of more than 1.4 billion SSL sessions collected at the border of five operational sites. Our contributions are two-fold: First, we revisit results from past work with a recent data set that allows us to reassess previous findings and identify recent trends. Second, we provide a detailed study on a range of further SSL/X.509 deployment properties that have not yet seen the attention they deserve, including the intricate web of intermediate certificate authority (CA) relationships, characteristics of SSL session reuse, usage of vendor-specific protocol extensions, and non-standard CA root hierarchies. While in general we find that today's SSL deployment functions well, we also identify new support for the inherent weaknesses of the system. Along the way, we gain deep insight into specifics and oddities of SSL/X.509 usage, including a surprising difficulty of aligning certificate validation with what typical browsers do.

Acknowledgements:
This work was partially funded by the Deutscher Akademischer Austausch Dienst (DAAD) through a postdoctoral fellowship.

Bibliographic Information:
ICSI Technical Report TR-12-015

Bibliographic Reference:
B. Amann, M. Vallentin, S. Hall, and R. Sommer. Revisiting SSL: A Large Scale Study of the Internet's Most Trusted Protocol. ICSI Technical Report TR-12-015, December 2012.