Cryptology ePrint Archive: Report 2013/275

The Potential of an Individualized Set of trusted CAs: Defending against CA Failures in the Web PKI (Extended Version)

Johannes Braun and Gregor Rynkowski

Abstract: The security of most Internet applications relies on underlying public key infrastructures (PKIs) and thus on an ecosystem of certification authorities (CAs). The pool of PKIs responsible for the issuance and the maintenance of SSL certificates, called the Web PKI, has grown extremely large and complex. Herein, each CA is a single point of failure, leading to an attack surface, the size of which is hardly assessable. This paper approaches the issue if and how the attack surface can be reduced in order to minimize the risk of relying on a malicious certificate. In particular, we consider the individualization of the set of trusted CAs. We present a tool called Rootopia, which allows to individually assess the respective part of the Web PKI relevant for a user. Our analysis of browser histories of 22 Internet users reveals, that the major part of the PKI is completely irrelevant to a single user. On a per user level, the attack surface can be reduced by more than 90%, which shows the potential of the individualization of the set of trusted CAs. Furthermore, all the relevant CAs reside within a small set of countries. Our findings confirm that we unnecessarily trust in a huge number of CAs, thus exposing ourselves to unnecessary risks. Subsequently, we present an overview on our approach to realize the possible security gains.

Category / Keywords: public-key cryptography, Web PKI, Internet security, CA compromise, SSL/TLS

Original Publication (with major differences): 2013 ASE/IEEE International Conference on Information Privacy, Security, Risk and Trust

Date: received 13 May 2013, last revised 31 Jan 2017

Contact author: jbraun at cdc informatik tu-darmstadt de

Available format(s): PDF | BibTeX Citation

Version: 20170131:074012 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]