The economics of cryptographic trust : understanding certificate authorities
Author(s)Specter, Michael Alan
Technology and Policy Program.
David D. Clark and Daniel J. Weitzner.
MetadataShow full item record
Certificate Authorities (CAs) play a crucial role in HTTPS, the mechanism that secures all of the web's most important communication; if it has a log-in page, it must use HTTPS. However, recent history is littered with instances of CAs unabashedly undermining the trust model of the web in favor of economic gain, causing catastrophic harm to users in the process. The purpose of this thesis is to understand how well user, domain owner, and browser vendor controls function in order to evaluate methods of realigning CA incentives. Using a compendium of past incidents of CA failure as a series of natural experiments, along with a large dataset of all publicly available certificate collections, we find that it is possible to causally link a very slight increase in domain owners leaving a CA when a CA acts inappropriately. We further find that the technical architecture of the CA system leaves users without effective control over which CAs they trust, and that browsers face certain difficulty in distrusting larger CAs. The end result is a system where large CAs can unilaterally undermine the trust model of the web without clear repercussion.
Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, Institute for Data, Systems, and Society, Technology and Policy Program, 2016.Thesis: S.M., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2016.Cataloged from PDF version of thesis.Includes bibliographical references (pages 71-75).
DepartmentMassachusetts Institute of Technology. Department of Electrical Engineering and Computer Science; Massachusetts Institute of Technology. Engineering Systems Division; Massachusetts Institute of Technology. Institute for Data, Systems, and Society; Massachusetts Institute of Technology. Technology and Policy Program
Massachusetts Institute of Technology
Institute for Data, Systems, and Society., Electrical Engineering and Computer Science., Engineering Systems Division., Technology and Policy Program.