Mission Accomplished? HTTPS Security after DigiNotar

Title: Mission Accomplished? HTTPS Security after DigiNotar
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Amann, J., Gasser O., Scheitle Q., Brent L., Carle G., & Holz R.
Published in: Proceedings of the IMC 2017
Date Published: 11/2017

Driven by CA compromises and the risk of man-in-the-middle attacks, new security features have been added to TLS, HTTPS, and the web PKI over the past five years. These include Certificate Transparency (CT), for making the CA system auditable; HSTS and HPKP headers, to harden the HTTPS posture of a domain; the DNS-based extensions CAA and TLSA, for control over certificate issuance and pinning; and SCSV, for protocol downgrade protection. This paper presents the first large-scale investigation of these improvements to the HTTPS ecosystem, explicitly accounting for their combined usage. In addition to collecting passive measurements at the Internet uplinks of large university networks on three continents, we perform the largest domain-based active Internet scan to date, covering 193M domains. Furthermore, we track the long-term deployment history of new TLS security features by leveraging passive observations dating back to 2012. We find that while deployment of new security features has picked up in general, only SCSV (49M domains) and CT (7M domains) have gained enough momentum to improve the overall security of HTTPS. Features with higher complexity, such as HPKP, are deployed scarcely and often incorrectly. Our empirical findings are placed in the context of risk, deployment effort, and benefit of these new technologies, and actionable steps for improvement are proposed. We cross-correlate use of features and find some techniques with significant correlation in deployment. We support reproducible research and publicly release data and code.


This work was partially funded by the Major Equipment and Early Career Researcher grant schemes of the Faculty of Engineering & Information Technology, The University of Sydney; by the German Federal Ministry of Education and Research under project XCheck, grant 16KIS0530, and project DecADe, grant 16KIS0538; by the National Science Foundation under grant numbers CNS-1528156 and ACI-1348077. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of The University of Sydney, the German Federal Ministry of Education and Research or the NSF. We thank our shepherd Zhiyun Qian and the anonymous reviewers for their helpful comments. We thank Sebastian Gallenmüller and Eric Osterweil for their support.

ICSI Research Group: Networking and Security


Community Contribution Award at IMC 2017