Securing the Web's PKI
The importance of the web's public key infrastructure (PKI) cannot be overstated: it provides users with the ability to verify with whom they are communicating online, and enables encryption of those communications. While the online use of the PKI is mostly automated, there is a surprising amount of human intervention in management tasks that are crucial to its proper operation. Only by understanding the humans in the loop can we hope to truly secure this critical infrastructure. In this talk, I will first present Internet-wide measurement results showing that the web’s PKI is vastly mismanaged. I’ll demonstrate that perverse economic incentives, giving away secret keys, and ignoring certificate revocations have all become common practice. I will then present the design of CRLite, a system we have developed that makes it feasible to push all certificate revocations to all clients. At the core of CRLite is a novel data structure that is in essence a Bloom filter with zero false positives and false negatives. CRLite was recently chosen to receive the IEEE Cybersecurity Award for Innovation.