DSpace@MIT (MIT Libraries)

The economics of cryptographic trust : understanding certificate authorities

Author(s)
Specter, Michael Alan
Other Contributors
Technology and Policy Program.
Advisor
David D. Clark and Daniel J. Weitzner.
Terms of use
M.I.T. theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. See provided URL for inquiries about permission. http://dspace.mit.edu/handle/1721.1/7582
Abstract
Certificate Authorities (CAs) play a crucial role in HTTPS, the mechanism that secures all of the web's most important communication; if it has a log-in page, it must use HTTPS. However, recent history is littered with instances of CAs unabashedly undermining the trust model of the web in favor of economic gain, causing catastrophic harm to users in the process. The purpose of this thesis is to understand how well user, domain owner, and browser vendor controls function in order to evaluate methods of realigning CA incentives. Using a compendium of past incidents of CA failure as a series of natural experiments, along with a large dataset of all publicly available certificate collections, we find that it is possible to causally link a very slight increase in domain owners leaving a CA when a CA acts inappropriately. We further find that the technical architecture of the CA system leaves users without effective control over which CAs they trust, and that browsers face certain difficulty in distrusting larger CAs. The end result is a system where large CAs can unilaterally undermine the trust model of the web without clear repercussion.
Description
Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, Institute for Data, Systems, and Society, Technology and Policy Program, 2016.
 
Thesis: S.M., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2016.
 
Cataloged from PDF version of thesis.
 
Includes bibliographical references (pages 71-75).
 
Date issued
2016
URI
http://hdl.handle.net/1721.1/104028
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science; Massachusetts Institute of Technology. Engineering Systems Division; Massachusetts Institute of Technology. Institute for Data, Systems, and Society; Technology and Policy Program
Publisher
Massachusetts Institute of Technology
Keywords
Institute for Data, Systems, and Society., Electrical Engineering and Computer Science., Engineering Systems Division., Technology and Policy Program.

Collections
  • Graduate Theses
