Characterization of clients-side revocation checks and their security-performance tradeoffs / Karaktärisering av upphävningskontroll av certifikat från klientens sida och deras för- och nackdelar mellan säkerhet och prestanda

Gärdin, Christoffer, Shnouda, George

January 2021

There are several different methods for checking whether certificates on the web have been revoked, timely discovery of revoked certificates are important to ensure security when authentication within the HTTPS protocol is used. These methods have both advantages and disadvantages as they can contribute to security but at the same time worsen performance on the web browsers. This thesis examines these methods in more detail to identify the pros and cons and whether it is possible to find a good tradeoff between security and performance. This is important as a user is exposed to major security flaws if the integrity of a domain cannot be verified. Our analysis includes to which extent OCSP and CRL are used, how much OCSP affects the browser Firefox's performance, and how many web servers implement methods to verify revoked certificates, such as OCSP staple and must-staple. We also compare web browsers own lists of revoked certificates and look for patterns and differences between them. The analysis shows that OCSP and CRL have largely been replaced by other methods of verifying revoked certificates such as OneCRL and CRLSet. It turned out that OneCRL and CRLSet only cover a small fraction of the total number of certificates available. Often, it takes several weeks for certificates to appear in these lists after being revoked. We also found that OCSP's impact on the web pages performance is minimal. We concluded that the existing methods for verifying revocation statuses are inadequately used by CAs, web browsers and web servers, which poses a major security risks for users. Many certificates are not checked at all. However, we believe that it is possible to increase the security without reducing performance if CAs, web browsers and web servers can collaborate in the development of improving and combining current methods for checking revoked certificates.

security

performance

onecrl

crlset

OCSP

crl

OCSP-staple

transparency

Computer Sciences

Datavetenskap (datalogi)

How Certificate Transparency Impact the Performance

Sjöström, Linus, Nykvist, Carl

January 2017

Security on the Internet is essential to ensure the privacy of an individual. Today, Trans- port Layer Security (TLS) and certificates are used to ensure this. But certificates are not enough in order to maintain confidentiality and therefore a new concept, Certificate Trans- parency (CT), has been introduced. CT improves security by allowing the analysis of sus- picious certificates. Validation by CT uses public logs that can return Signed Certificate Timestamp (SCT), which is a promise returned by the log indicating that the certificate will be added to the log. A server may then deliver the SCT to a client in three different ways: X.509v3 extension, Online Certificate Status Protocol (OSCP) stapling and TLS extension. For further analysis, we have created a tool to collect data during TLS handshakes and data transfer, including byte information, the certificates themselves, SCT delivery method and especially timing information. From our dataset we see that most websites do not use CT and the ones that use CT almost only use X.509 extension to send their SCTs.

SCT

Certificate Transparency

CT

Network Performance

TLS

OCSP

X.509

Computer and Information Sciences

Data- och informationsvetenskap

Developing a concept for handling IT security with secured and trusted electronic connections

Hockmann, Volker

January 2014

In this day and age, the Internet provides the biggest linkage of information, personal data and information, social contact facilities, entertainment and electronic repository for all things including software downloads and tools, online books and technical descriptions, music and movies - both legal and illegal [Clarke, 1994]. With the increasing bandwidth in the last few years worldwide, it is possible to access the so-called "Triple-Play-Solutions" - Voice over lP, High-Speed-Internet and Video on Demand. More than 100 million subscribers have signed on across Asia, Europe, and the Americas in 2007, and growth is likely to continue steadily in all three. As broadband moves into the mainstream, it is reshaping the telecommunications, cable and Internet access industrie [Beardsley, Scott and Doman, Andrew, and EdinMC Kinsey, Par, 2003]. Cisco [Cisco, 2012], one of the biggest network companies, will expect more than 966 exabytes (nearly 1 zettabyte) per year or 80.5 exabytes per month in 2015 and the "Global IP traffic has increased eightfold over the past 5 years, and will increase fourfold over the next 5 years. Overall, IP traffic will grow at a compound annual growth rate (CAGR) of 32 percent from 2010 to 2015" . More and more types of sensible data flow between different recipients. News from around the world are transferred within seconds from the one end to the other end of the world, and affect the financial market, stock exchange [Reuters, 2012] and also bring down whole governments. For instance, worldwide humoil might ensue if a hacker broke into the web-server of an international newspaper or news channel like N-TV in Germany or BBC in England and displayed messages of a political revolution in Dubai or the death of the CEO from Microsoft or IBM.

005.8