This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

Disclaimer:
This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.

Summary

DS-1150
Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem
External Dataset
External Data Source
InferLink Corporation
Unknown
Unknown
56 (lowest rank is 56)

Category & Restrictions

Other
application layer security, network data
Unrestricted
Unknown

Description


This paper performs a large-scale measurement study of key sharing in today's web, and references several relevant datasets.

The semantics of online authentication in the web are rather straightforward: if Alice has a certificate binding Bob's name to a public key, and if a remote entity can prove knowledge of Bob's private key, then (barring key compromise) that remote entity must be Bob. However, in reality, many websites-and the majority of the most popular ones-are hosted at least in part by third parties such as Content Delivery Networks (CDNs) or web hosting providers. Put simply: administrators of websites who deal with (extremely) sensitive user data are giving their private keys to third parties. Importantly, this sharing of keys is undetectable by most users, and widely unknown even among researchers. In this paper, we perform a large-scale measurement study of key sharing in today's web. We analyze the prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation. Our results reveal that key sharing is extremely common, with a small handful of hosting providers having keys from the majority of the most popular websites. We also find that hosting providers often manage their customers' keys, and that they tend to react more slowly yet more thoroughly to compromised or potentially compromised keys. ;

Additional Details

N/A
false
false
key, sharing, measurement, private, measurement and analysis of private key sharing in the https ecosystem, 1150, https, analysis, ecosystem, corporation, source, inferlink, external data source, external, inferlink corporation, web, study, paper, scale, todays, performs, references, datasets, relevant, keys, hosting, providers, websites, parties, compromised, trust, remote, majority, bobs, entity, popular, extremely, online, responsible, undetectable, tend, public, user, compromise, common, handful, websitesand, barring, delivery, perform, authentication, practices, customers, manage, simply, management, revocation, prevalence, sensitive, onesare, impact, researchers, knowledge, administrators, hosted, semantics, react, binding, alice, importantly, reveal, slowly, users, unknown, content, bob, networks, secret, cdns, certificate, prove, other, deal, party, reality, analyze, straightforward