Position Paper: Certificate Root Stores—An Area of Unity or Disparity?

  title={Position Paper: Certificate Root Stores—An Area of Unity or Disparity?},
  author={Jegan Purushothaman and Abdelrahman Abdou},
  journal={Proceedings of the 15th Workshop on Cyber Security Experimentation and Test},
  • Jegan PurushothamanA. Abdou
  • Published 21 October 2021
  • Computer Science
  • Proceedings of the 15th Workshop on Cyber Security Experimentation and Test
Organizations like Apple, Microsoft, Mozilla and Google maintain certificate root stores, which are used as trust anchors by their popular software platforms. Is there sufficient consensus on their root-store inclusion and trust policies? We measure disparities among their root stores, accounting for various aspects such as inclusion policies, delivery methods, trust context, and the certificates themselves. Disparities appear astounding, including in the government-owned certificates that they… 

Figures from this paper



Characterizing the Root Landscape of Certificate Transparency Logs

This paper presents a first characterization of this emerging CT root store landscape, as well as the tool that was developed for data collection, visualization, and analysis of the root stores.

Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem

The findings uncover that the ecosystem of hidden root CAs is massive and dynamic, and shed light on the landscape of Web PKI security, and call for immediate efforts from the community to review the integrity of local root stores.

Tracing your roots: exploring the TLS trust anchor ecosystem

This work presents a first look at the root store ecosystem that underlies the accelerating deployment of TLS, and highlights the concentration of root store trust in TLS server authentication, exposes questionable root management practices, and proposes improvements for future TLS root stores.

You Won't Be Needing These Any More: On Removing Unused Certificates from Trust Stores

This paper examines a root problem of the weakest-link property of the CA based system and proposes a simple stop-gap measure which can improve the security of HTTPS immediately and argues that this removal is an important first step to improve HTTPS security.

Trust me, I'm a Root CA! Analyzing SSL Root CAs in Modern Browsers and Operating Systems

This thesis explains the various entities and technical processes involved in establishing trust when using SSL communications and analyzes the number and origin of companies and governmental institutions trusted by various operating systems and browser vendors and correlates the gathered information to a variety of indexes to illustrate that some of these trusted entities are far from trustworthy.

The Boon and Bane of Cross-Signing: Shedding Light on a Common Practice in Public Key Infrastructures

New rules and guidance are proposed for cross-signing in the Web PKI to preserve its positive potential while mitigating its risks and the difficulty of revoking trusted CA certificates.

SoK: Delegation and Revocation, the Missing Links in the Web's Chain of Trust

A 19-criteria framework for characterizing revocation and delegation schemes is proposed, and it is shown that combining short-lived delegated credentials or proxy certificates with an appropriate revocation system would solve several pressing problems.

Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence

Comparative Analysis of DoT and HTTPS Certificate Ecosystems

Preliminary results show that DoT appears to have benefited from the PKI security advancements that were mostly tailored to HTTPS, and this research compares the DoT and HTTPS certificate ecosystems.

Investigating Large Scale HTTPS Interception in Kazakhstan

It is found that the attack targeted connections to 37 unique domains, with a focus on social media and communication services, suggesting a surveillance motive, and that it affected a large fraction of connections passing through the country's largest ISP, Kazakhtelecom.