Technical Report 1120004

Title: A Quantitative Comparison Between X.509 CA Verification and DANE Via Attack Surface Analysis
Version (s): < 1 2 3 4 5 6 >
Obsoleted by published work
Authors: Eric Osterweil
Danny McPherson
Lixia Zhang
Date: 2012-08-13
Paper: Download here
Abstract: Almost every Internet user relies on security protections to guard our online lives. In particular, when in need of secure communications over the Internet, a protocol called Transport Layer Security (TLS), is commonly used. TLS uses cryptographic certificates to bootstrap secure communications between web browsers and web servers, as well as to secure email, Internet news, and other Internet communications, and it is arguably the most widely used Internet-scale cryptographic protocol in use today. In this paper, we examine the way TLS performs its certificate verification, and compare it to the wouldbe successor, DNS-based Authentication of Named Entities (DANE). In this work, we do this by using a concept called an attack surface, and we propose a novel new methodology for actually quantifying what the attack surface is for each verification scheme, and then we measure the Alexa top 1,000 websites to empirically quantify the relative attack surfaces of actual web sites. In searching for a way to compare the protections of these two verification schemes, our candidate methodology illustrates that the attack surface can be shrunk by as much as three orders of magnitude by moving from today’s CA verification scheme to DANE.
                author = {Eric Osterweil and Danny McPherson and Lixia Zhang},
                title = {A Quantitative Comparison Between X.509 CA Verification and DANE Via Attack Surface Analysis},
                booktitle = {Verisign Labs Technical Reports},
                number = {1120004 version 1},
                year = {2012},