A Data-driven Approach to Identifying Internet Security Challenges
Abstract
Public key infrastructures (PKIs) enable secure communication between different entities over an untrusted network. Due to this ability, PKIs are now central to security on the Internet: large- scale PKIs enable the security guarantees provided by protocols like HTTPS, DNSSEC, and the RPKI. Unfortunately, despite these guarantees, there have been numerous security failures involving these protocols; ultimately, most of these failures are rooted in discordance between how these protocols are designed and how they are actually used in practice.
In this talk, I will present an overview of my recent work that applies large-scale measurement and analysis to understand how security protocols are (mis)used in practice. I will first discuss how my measurements reveal widespread private key sharing between different entities in HTTPS ecosystem, breaking many security assumptions and making certain entities attractive attack targets. I will then describe how my large-scale study of the DNSSEC revealed that over 30% of domains that try to deploy DNSSEC fail to do so correctly, why it is currently so challenging for domain owners to do so, and how we can improve it. I conclude with a discussion of my on-going funded research and future research directions.