Corpus ID: 53060407

Measuring the Rapid Growth of HSTS and HPKP Deployments

  title={Measuring the Rapid Growth of HSTS and HPKP Deployments},
  author={Ivan Petrov and D Iu Peskov and Gregory Coard and Taejoong Chung and David R. Choffnes and Dave Levin and Bruce M. Maggs and Alan Mislove and Christo Wilson},
A basic man-in-the-middle attack to bypass HTTPS strips the “s” off of an “https://” URL, thereby forcing the client to effectively downgrade to an insecure connection. To address such crude attacks, the HSTS (HTTP Strict Transport Security) protocol was recently introduced, which instructs clients to preemptively (or at time of first acquire) load a list of domains to whom to connect strictly via HTTPS. In a similar vein, the HPKP (HTTP Public Key Pinning) protocol has clients obtain a set of… Expand

Figures and Tables from this paper

Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks
This study sheds light on an influential attack surface of the HTTPS ecosystem and calls for proper mitigation against MITM attacks, which can succeed even for servers that have deployed current best practice of security policies. Expand
A Longitudinal and Comprehensive Study of the DANE Ecosystem in Email
A large-scale, longitudinal, and comprehensive measurement study on how well the Dane standard and its relevant protocols are deployed and managed is performed, revealing pervasive mismanagement in the DANE ecosystem. Expand


Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning
The first in-depth empirical study of two important new web security features: strict transport security (HSTS) and public-key pinning is conducted, finding evidence that many developers do not completely understand these features, with a substantial portion using them in invalid or illogical ways. Expand
Towards a Complete View of the Certificate Ecosystem
It is found that aggregated CT logs and Censys snapshots have many properties that complement each other, and that together they encompass over 99% of all certificates found by any of these techniques. Expand
The Matter of Heartbleed
A comprehensive, measurement-based analysis of the Heartbleed vulnerability's impact, including tracking the vulnerable population, monitoring patching behavior over time, assessing the impact on the HTTPS certificate ecosystem, and exposing real attacks that attempted to exploit the bug is performed. Expand
An End-to-End Measurement of Certificate Revocation in the Web's PKI
A close look at certificate revocations in the Web's PKI is taken, finding that a surprisingly large fraction of the certificates served have been revoked, and that obtaining certificate revocation information can often be expensive in terms of latency and bandwidth for clients. Expand
Analysis of the HTTPS certificate ecosystem
A large-scale measurement study of the HTTPS certificate ecosystem---the public-key infrastructure that underlies nearly all secure web communications---is reported, uncovering practices that may put the security of the ecosystem at risk and identifying frequent configuration problems that lead to user-facing errors and potential vulnerabilities. Expand
Analysis of SSL certificate reissues and revocations in the wake of heartbleed
The reality is far from the ideal: over 73% of vulnerable certificates were not reissued and over 87% were not revoked three weeks after Heartbleed was disclosed, and the results show a drastic decline in revocations on the weekends. Expand
Large-Scale Security Analysis of the Web: Challenges and Findings
This paper reports on the state of security for more than 22,000 websites that originate in 28 EU countries and explores the adoption of countermeasures that can be used to defend against common attacks and serve as indicators of "security consciousness". Expand
CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers
This paper presents CRLite, an efficient and easily-deployable system for proactively pushing all TLS certificate revocations to browsers, and demonstrates that complete TLS/SSL revocation checking is within reach for all clients. Expand
Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem
The prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation are analyzed. Expand
Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices
The largest ever network survey of TLS and SSH servers is performed and evidence that vulnerable keys are surprisingly widespread is presented, including a boot-time entropy hole in the Linux random number generator. Expand