Relay Racing with X.509 Mayflies : An Analysis of Certificate Replacements and Validity Periods in HTTPS Certificate Logs
Main Authors: | Bruhner, Carl Magnus; Linnarsson, Oscar |
---|---|
Alternative title (Swedish): | Stafettlöpning med X.509-dagsländor : En Analys av Certifikatutbyten och Giltighetsperioder i HTTPS-certifikatloggar |
Format: | Others (student thesis, bachelor's thesis; text, application/pdf) |
Language: | English |
Published: | Linköpings universitet, Institutionen för datavetenskap, 2020 |
Subjects: | certificate authorities; certificate lifetime; certificate overlap; certificate replacement; certificate validity; certificates; HTTPS; network security; PKI; Project Sonar; SSL; TLS; X.509; Computer Sciences (Swedish subject heading: Datavetenskap (datalogi)) |
Access: | Open access |
Online Access: | http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-167063 |

Description: |
Certificates are the foundation of secure communication over the internet as of today. While certificates can be issued with long validity periods, there is always a risk of having them compromised during their lifetime. A good practice is therefore to use shorter validity periods. However, this limits the certificate lifetime and gives less flexibility in the timing of certificate replacements. In this thesis, we use publicly available network logs from Rapid7's Project Sonar to provide an overview of the current state of certificate usage behavior. Specifically, we look at the Let's Encrypt mass revocation event in March 2020, where millions of certificates were revoked with just five days' notice. In general, we show how this kind of dataset can be used, and as a deeper exploration we analyze certificate validity, lifetime and use of certificates with overlapping validity periods, as well as discuss how our findings relate to industry standards and current security trends. Specifically, we isolate automated certificate services such as Let's Encrypt and cPanel to see how their certificates differ in characteristics from other certificates in general. Based on our findings, we propose a set of rules to help improve the trust in certificate usage and strengthen security online, introducing an Always secure policy aligning certificate validity with revocation time limits in order to replace revocation requirements and overcoming the fact that mobile devices today ignore this very important security feature. To round things off, we provide some ideas for further research based on our findings and what we see possible with datasets such as the one researched in this thesis. |

Record metadata: |
---|---|
id: | ndltd-UPSALLA1-oai-DiVA.org-liu-167063 |
record_format: | oai_dc |
record timestamp: | 2021-04-27T05:29:27Z |
collection: | NDLTD |
sources: | NDLTD |
author_sort: | Bruhner, Carl Magnus |
publisher: | Linköpings universitet, Institutionen för datavetenskap |
publishDate: | 2020 |
url: | http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-167063 |
_version_: | 1719399246737702912 |