Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study
- URL: http://arxiv.org/abs/2407.02287v1
- Date: Tue, 2 Jul 2024 14:20:31 GMT
- Title: Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study
- Authors: Pouyan Fotouhi Tehrani, Raphael Hiesgen, Teresa Lübeck, Thomas C. Schmidt, Matthias Wählisch
- Abstract summary: Misuse or misissuance of certificates threaten the Web PKI security model.
We study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Integrity and trust on the web build on X.509 certificates. Misuse or misissuance of these certificates threaten the Web PKI security model, which led to the development of several guarding techniques. In this paper, we study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use. Our measurements comprise 4 million popular domains, for which we explore the existence and consistency of the different extensions. Our findings indicate that CAA is almost exclusively deployed in the absence of DNSSEC, while DNSSEC protected service names tend to not use the DNS for guarding certificates. Even though mainly deployed in a formally correct way, CAA CA-strings tend to not selectively separate CAs, and numerous domains hold certificates beyond the CAA semantic. TLSA records are repeatedly poorly maintained and occasionally occur without DNSSEC.
Related papers
- Transparent Attested DNS for Confidential Computing Services [2.6667047594113096]
ADNS is a name service that binds attested implementation of confidential services to their domain names.
ADNS builds on standards such as DNSSEC, DANE, ACME and Certificate Transparency.
We implement aDNS as a confidential service using a fault-tolerant network of TEEs.
arXiv Detail & Related papers (2025-03-18T18:07:09Z)
- Shh, don't say that! Domain Certification in LLMs [124.61851324874627]
Large language models (LLMs) are often deployed to perform constrained tasks, with narrow domains.
We introduce domain certification; a guarantee that accurately characterizes the out-of-domain behavior of language models.
We then propose a simple yet effective approach, which we call VALID, that provides adversarial bounds as a certificate.
arXiv Detail & Related papers (2025-02-26T17:13:19Z)
- A Call to Reconsider Certification Authority Authorization (CAA) [1.3124513975412255]
We show how shortcomings in CAA concepts and operational aspects undermine its effectiveness in preventing certificate misissuance.
Our discussion reveals pitfalls and highlights best practices when designing security protocols based on DNS.
arXiv Detail & Related papers (2024-11-12T10:35:59Z)
- DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC [1.8379423176822356]
We present DNSSEC+, which addresses security and deployability downsides of DNSSEC.
We show how DNSSEC+ fulfills nine security, privacy, and deployability properties for name resolution.
arXiv Detail & Related papers (2024-08-02T01:25:14Z)
- The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC [19.568025360483702]
We develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, which we dub KeyTrap attacks.
With just a single DNS packet, the KeyTrap attacks lead to a 2.0x spike in CPU count in vulnerable DNS resolvers, stalling some for as long as 16 hours.
Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
arXiv Detail & Related papers (2024-06-05T10:33:04Z)
- Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet [0.9319432628663636]
We propose a novel technique for identifying DNSSEC-validating resolvers.
We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses.
arXiv Detail & Related papers (2024-05-30T08:58:18Z)
- Adaptive Hierarchical Certification for Segmentation using Randomized Smoothing [87.48628403354351]
Certification for machine learning is proving that no adversarial sample can evade a model within a range under certain conditions.
Common certification methods for segmentation use a flat set of fine-grained classes, leading to high abstain rates due to model uncertainty.
We propose a novel, more practical setting, which certifies pixels within a multi-level hierarchy, and adaptively relaxes the certification to a coarser level for unstable components.
arXiv Detail & Related papers (2024-02-13T11:59:43Z)
- PhishReplicant: A Language Model-based Approach to Detect Generated Squatting Domain Names [2.3999111269325266]
Domain squatting is a technique used by attackers to create domain names for phishing sites.
We propose a system called PhishReplicant that detects generated squatting domains (GSDs) by focusing on the linguistic similarity of domain names.
arXiv Detail & Related papers (2023-10-18T07:41:41Z)
- Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain).
CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains.
We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
arXiv Detail & Related papers (2023-03-20T13:07:11Z)
- ANCER: Anisotropic Certification via Sample-wise Volume Maximization [134.7866967491167]
We introduce ANCER, a framework for obtaining anisotropic certificates for a given test set sample via volume.
Results demonstrate that ANCER introduces accuracy on both CIFAR-10 and ImageNet at multiple radii, while certifying substantially larger regions in terms of volume.
arXiv Detail & Related papers (2021-07-09T17:42:38Z)
- Prototypical Cross-domain Self-supervised Learning for Few-shot Unsupervised Domain Adaptation [91.58443042554903]
We propose an end-to-end Prototypical Cross-domain Self-Supervised Learning (PCS) framework for Few-shot Unsupervised Domain Adaptation (FUDA).
PCS not only performs cross-domain low-level feature alignment, but it also encodes and aligns semantic structures in the shared embedding space across domains.
Compared with state-of-the-art methods, PCS improves the mean classification accuracy over different domain pairs on FUDA by 10.5%, 3.5%, 9.0%, and 13.2% on Office, Office-Home, VisDA-2017, and DomainNet, respectively.
arXiv Detail & Related papers (2021-03-31T02:07:42Z)
- Breaking certified defenses: Semantic adversarial examples with spoofed robustness certificates [57.52763961195292]
We present a new attack that exploits not only the labelling function of a classifier, but also the certificate generator.
The proposed method applies large perturbations that place images far from a class boundary while maintaining the imperceptibility property of adversarial examples.
arXiv Detail & Related papers (2020-03-19T17:59:44Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that provides guarantees for a given image and patch attack size.
Our method is related to the broad class of randomized smoothing robustness schemes.
Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)