no domain left behind
play

No domain left behind: is Lets Encrypt democratizing encryption? - PowerPoint PPT Presentation

Jan 30, 2023 •210 likes •423 views

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej Korczy nski 2 , Giovane C. M. Moura 3 , Samaneh Tajalizadehkhoob 2 , Jan van den Berg 2 1 National Cyber Security Centre The Netherlands 2 Delft

  1. No domain left behind: is Let’s Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej Korczy´ nski 2 , Giovane C. M. Moura 3 , Samaneh Tajalizadehkhoob 2 , Jan van den Berg 2 1 National Cyber Security Centre The Netherlands 2 Delft University of Technology The Netherlands 3 SIDN Labs The Netherlands IETF98 - IRTF - MAPRG Chicago, IL, April 28th, 2017 1/18

  2. Disclaimer ◮ None of the authors is in any way affiliated with Let’s Encrypt ◮ In other words: we do not speak for them ◮ But if you like their work, you may consider supporting them 2/18

  3. The Encryption Rush Ed Snowden NSA’s revelations ◮ Massive, widespread surveillance ◮ Worst nightmares came true 3/18

  4. The Encryption Rush Consequences: Ed Snowden NSA’s revelations ◮ For many, it was a wake-up call (and panic) ◮ Market distrust in vendors ◮ Provided a great momentum for better security Reactions: ◮ Massive, widespread ◮ IETF: RFC 7258, RFC 7624 surveillance ◮ iOS/Android: mobile phone ◮ Worst nightmares encryption by default came true ◮ Cloud providers enabling encryption everywhere ◮ ... 3/18

  5. More than half of web traffic is encrypted nowadays Yet that leaves out a lot of people without HTTPS Firefox telemetry 1 Chrome telemetry 2 1 https://telemetry.mozilla.org/ , based on Let’s Encrypt stats page 2 https://www.google.com/transparencyreport/https/metrics/ 4/18

  6. Certificates are required for encryption on the web Barriers to ubiquitous web encryption (X.509 cert): ◮ Cost : purchase, deployment and renewal ◮ Complexity : request, deployment (at scale) Let’s Encrypt 3 aims to make encrypted traffic ubiquitous ◮ Issue and re-issue costs: $0.00 ◮ Complexity mitigated by automation 1. ACME protocol 4 2. and clients, e.g. Certbot 5 3 https://letsencrypt.org 4draft-ietf-acme-acme-latest → https://ietf-wg-acme.github.io/acme/ 5 https://certbot.eff.org/ 5/18

  7. No domain left behind Is Let’s Encrypt democratizing encryption? Research question “In its first year of certificate issuance, has Let’s Encrypt been successful in democratizing encryption?” Approach: measurements ◮ Analyze issuance in the first year of Let’s Encrypt ◮ Show adoption trend from various perspectives ◮ Analyze coverage for the lower-cost end of the market 6/18

  8. Methodology ◮ Period covered: Sept. 2015-2016 (1st year) ◮ Results based on FQDNs reduced to 2LD/3LD form ◮ a.b.c.d.com → d.com Datasets Certificate transparency 6 Certificates → Farsight DNSDB 7 Domain to IP mapping → Methodology from previous work 8 , using Organization mapping → whois data & Maxmind GEOIP2 Registration info → .nl registry (SIDN) 6 https://www.certificate-transparency.org/known-logs 7 https://www.dnsdb.info/ 8S. Tajalizadehkhoob et al., “Apples, oranges and hosting providers: heterogeneity and 7/18 security in the hosting market,” IEEE NOMS 2016

  9. Let’s Encrypt Adoption Rate ◮ Steady growth 10% 14M FQDNs (absolute) unique certi fi ed domains domains (absolute) 12M domains (relative) % of DNSDB 10M 1% 8M 6M 0.1% 4M 2M 0 0.01% Sep '15 Nov '15 Jan '16 Mar '16 May '16 Jul '16 Sep '16 8/18

  10. Who’s using Let’s Encrypt ? ◮ 98% of certificates are issued outside Alexa 1M . . . % of total usage of Let's Encrypt 100% Alexa 1M Alexa 100k 10% Alexa 10k Alexa 1k 1% 0.1% 0.01% 0.001% Sep '15 Nov '15 Jan '16 Mar '16 May '16 Jul '16 Sep '16 9/18

  11. Who’s using Let’s Encrypt ? ◮ . . . yet issuance is not restricted to lower end of the market ◮ meaning: big players also use in their subdomains % of domains using Let's Encrypt 20% Alexa 1M Alexa 100k Alexa 10k 15% Alexa 1k DNSDB 10% 5% 0% Sep '15 Nov '15 Jan '16 Mar '16 May '16 Jul '16 Sep '16 10/18

  12. Growth is attributed to adoption by major players 3 hosting providers are responsible for 47% of the Let’s Encrypt certified domains November 2015 known domains 0 127M 14K Let's Encrypt domains 0 60K organisations 11/18

  13. Growth is attributed to adoption by major players 3 hosting providers are responsible for 47% of the Let’s Encrypt certified domains September 2016 November 2015 known domains known domains 0 127M 0 205M 14K 4.4M Let's Encrypt domains Let's Encrypt domains 0 60K 0 66K organisations organisations 11/18

  14. Growth is attributed to adoption by major players 3 hosting providers are responsible for 47% of the Let’s Encrypt certified domains September 2016 November 2015 known domains 0 127M 14K Let's Encrypt domains 0 60K organisations Automation works!! 11/18

  15. Issuance is dominantly for web hosting So far, no surprises 100% unknown cdn % of Let's Encrypt domains isp 80% hosting other parking 60% edu ddos-protection gov 40% 20% 0% S O N D J F M A M J J A S a u u e e p u e c o e n a a n l p t b r g p v c r y ' ' ' 1 ' 1 ' ' 1 ' 1 ' ' 1 ' 1 ' ' 1 1 1 1 ' 6 1 1 6 1 6 5 6 6 5 5 5 6 6 6 6 12/18

  16. Over 90% of domains in hosting are on shared hosting Issuance is dominantly for the lower-cost end of the market ◮ Shared hosting = 10 domains/IP 9 ◮ Let’s Encrypt reaches those with less incentive to encrypt % of LE domains in hosting 100% shared hosting non-shared hosting 80% 60% 40% 20% 0% S O N D J F M A M J J A S a u u e e e c o e a p a u n n l p b p t v c r r y g ' ' ' 1 ' ' ' ' 1 ' ' 1 ' 1 1 ' ' 1 1 1 1 ' 6 1 1 1 1 6 6 5 5 6 6 6 6 5 5 6 6 9S. Tajalizadehkhoob et al., “Apples, oranges and hosting providers: heterogeneity and 13/18 security in the hosting market,” IEEE NOMS 2016

  17. Let’s Encrypt certificates are valid for 90 days The majority of certificates are correctly renewed after their first expiration 1 Fraction of FQDN coverage continuous gap ≤ 1 week 0.8 0.6 0.4 0.2 0 90 180 270 360 days since initial issuance of certi fi cate 14/18

  18. Let’s Encrypt : domain age use ◮ Case study: .nl ◮ Determine the age of the domain when the cert was issued 18 domain age 25 16 certi fi cate # Monthly New Certs (K) Domain Age (Years) 14 20 12 10 15 8 10 6 4 5 2 0 0 Sep '15 Nov '15 Jan '16 Mar '16 May '16 Jul '16 Sep '16 Median, Q25, Q75 and number of monthly new certificates for .nl domains 15/18

  19. Let’s Encrypt : deployment ◮ https scans + cert processing (lower bound) ◮ 25K randomly chosen Let’s Encrypt FQDN 20k 15803 15k FQDN 10k 5k 2846 2465 2143 1422 141 180 0 noDNS http406error noTLS sniError tlsOK-notLE tlsOK-LE-Expired tlsOK-LE-OK 16/18

  20. Conclusions We show that ◮ Let’s Encrypt has been a success ◮ Reduces costs & complexity ◮ Democratize encryption by covering low cost end of the market (shared hosting) ◮ but big players also use it ◮ Automation works: Let’s Encrypt ’s allows for bulk issuing ◮ 3 hosting providers are responsible for 47% of the Let’s Encrypt certified domains ◮ The majority of certificates are correctly renewed after their first expiration (90 days) And find that Let’s Encrypt has indeed started to democratize encryption. 17/18

  21. Future work Future work Contact details ◮ extend measurement period Giovane C. M. Moura ◮ issued versus deployed giovane.moura@sidn.nl ◮ active scans on shared hosting require prior knowledge of domains served (SNI) ◮ use by malicious actors Download our paper at: https://arxiv.org/abs/1612.03005 18/18

Recommend

No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

. . . . . . . . . . . . . . No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2 , G. Moura 3 1 National Cyber Security Centre The Netherlands 2 Delft University of Technology The

292 views • 18 slides
AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain

AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain

AW Left Cervical Radiculopathy Presentation World class swimmer with left scapular pain radiating into long finger. 3/5 left Triceps and 4/5 left grip. Unable to train due to pain and weakness. Initial X-rays 5-6 6-7 Options? 5-6

499 views • 26 slides
3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to

3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to

3D for the public viewers Binocular (perceivable with 2 eyes) Left Right Left eye How to direct Optical the left and right images to Splitter Right eye the correct eye? Anaglyph Blue filter Red filter Transmission 475nm 650nm

738 views • 34 slides
Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients

Semigroups of Left I-quotients Semigroups of Left I-quotients Nassraddin Ghroda May 11, 2010 Semigroups of Left I-quotients Outline Background 1 Inverse hull of left I-quotients of left ample semigroups 2 Extension of homomorphisms 3

794 views • 44 slides
Todays Topics Project 1 questions Less than a week left, should be in Phase III But

Todays Topics Project 1 questions Less than a week left, should be in Phase III But

Todays Topics Project 1 questions Less than a week left, should be in Phase III But its really about logging the hours Test, test, test Runtime systems introduction Goal Bridging concepts Domain analysis

408 views • 11 slides
#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage.

#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage.

#prep X Assembly 02: Left Fan In this guide, we attach Left filament fan to the X carriage. _________________________________________________________________ Left Filament Fan You'll need: Green left filament fan shroud Pink left filament fan

428 views • 6 slides
Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A

Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A

Eliminating left recursion (informally) Direct left rec. For each A -> A 1 | ... | A n | 1 | ... | n Rewrite: A -> 1A' | ... | n A' Introduce: A' -> 1A' | ... | nA' | Indirect left rec. A

555 views • 12 slides
No Child Left Behind No Child Left Behind Our Children Are Our Future: No Child Left Behind A

No Child Left Behind No Child Left Behind Our Children Are Our Future: No Child Left Behind A

No Child Left Behind No Child Left Behind Our Children Are Our Future: No Child Left Behind A New Era in Education A New Era in Education When it comes to the education of our childrenfailure is not an option. President George W.

671 views • 39 slides
Domain-independent planning and Domain-dependent planning Le Meilleur est lennemi

Domain-independent planning and Domain-dependent planning Le Meilleur est lennemi

Domain-independent planning and Domain-dependent planning Le Meilleur est lennemi du bien. The Best is the enemy of the good. Voltaire Thanks to Dana Nau. Domain dependent planners? For many applications, domain dependent

242 views • 6 slides
Focusing the Core Domain Model A Domain-Driven Design Case Study, Eric Evans, Domain Language

Focusing the Core Domain Model A Domain-Driven Design Case Study, Eric Evans, Domain Language

Focusing the Core Domain Model A Domain-Driven Design Case Study, Eric Evans, Domain Language @ericevans0 #dddesign #yow13 Thirsty Fern FLLC A Mostly True Story About Strategic Design and Focusing the Core Domain with Established

720 views • 33 slides
Image Processing A case study for a domain decomposed MPI code Domain Decomposition 1

Image Processing A case study for a domain decomposed MPI code Domain Decomposition 1

Image Processing A case study for a domain decomposed MPI code Domain Decomposition 1 Starting with a big array: 2 Domain Decomposition 2 Split it into pieces: 3 Domain Decomposition 3 Assign pieces to processors: 4 Domain

123 views • 10 slides
Laparotomy vs Interventional radiology Left humerus # Severe liver lacerations left lobe

Laparotomy vs Interventional radiology Left humerus # Severe liver lacerations left lobe

Extravasation right SMA Communited nasal bone # branches Laparotomy vs Interventional radiology Left humerus # Severe liver lacerations left lobe Parenchymal Haemorrhages in RUL & LUL Right L2 - L5 TP # Conservative vs operative treatment

334 views • 10 slides
ET-805 ATS Domain Module - II Ramkumar.Rajendran@iitb.ac.in From Last Class Blackbox Domain

ET-805 ATS Domain Module - II Ramkumar.Rajendran@iitb.ac.in From Last Class Blackbox Domain

ET-805 ATS Domain Module - II Ramkumar.Rajendran@iitb.ac.in From Last Class Blackbox Domain Model Glassbox Domain Model Muddy Points - Structure of MYCIN - Differences in interaction of SOPHIE and GUIDON 2 Activity - Each one

550 views • 33 slides
Information Visualization domain situation details of an application domain Characterize

Information Visualization domain situation details of an application domain Characterize

Nested model: Four levels of visualization design Domain characterization Design Process Information Visualization domain situation details of an application domain Characterize Domain Situation who are the target users?

268 views • 3 slides
The relative expansion of the left atrium over the left ventricle to detect early-stage heart

The relative expansion of the left atrium over the left ventricle to detect early-stage heart

The relative expansion of the left atrium over the left ventricle to detect early-stage heart failure with preserved ejection fraction Fatima Benchadli, Vuthy Sy, Floriane Gilles, Lise Legrand, Yann Allali, Claude Le Feuvre, Gilles Montalescot,

288 views • 3 slides
The .ae Domain Administration (.aeDA) .ae Domain Administration (.aeDA) The .aeDA was

The .ae Domain Administration (.aeDA) .ae Domain Administration (.aeDA) The .aeDA was

The .ae Domain Administration (.aeDA) .ae Domain Administration (.aeDA) The .aeDA was established in 2007 by TRA as a department. It is the Regulatory Body and Registry Operator for the .ae country code namespace and dotEmarat the Arabic

262 views • 9 slides
Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and

Kicking Down the Cross Domain Door Techniques for Cross Domain Exploitation Billy K Rios (BK) and Raghav Dube Tabbed Browsing Rich Content Mash-ups Cookies JSON Ajax Implication of Cross Domain Attacks Implication of Cross Domain Attacks

580 views • 31 slides
1 last time arrays versus pointers left shift arithmetic and logical left/right shift

1 last time arrays versus pointers left shift arithmetic and logical left/right shift

1 last time arrays versus pointers left shift arithmetic and logical left/right shift versus multiply/divide by power of two bitwise and/or/xor 2 topics today some other C details interlude: using the command line then, doing

1.38k views • 118 slides
What is domain adaptation?

What is domain adaptation?

A Two-Stage Approach to Domain Adaptation for Statistical Classifiers Jing Jiang & ChengXiang Zhai Department of Computer Science University of Illinois at Urbana-Champaign What is domain adaptation?

523 views • 20 slides
The Domain Name Service, Etc. The Domain Name Service, Etc. Jeff Chase Duke University,

The Domain Name Service, Etc. The Domain Name Service, Etc. Jeff Chase Duke University,

The Domain Name Service, Etc. The Domain Name Service, Etc. Jeff Chase Duke University, Department of Computer Science CPS 212: Distributed Information Systems Today Today 1. Domain Name Service (DNS) illustrates: issues and structure

396 views • 22 slides
Murhaf Hossari University College Dublin Murhaf.hossari@gmail.com Right-to-Left Languages

Murhaf Hossari University College Dublin Murhaf.hossari@gmail.com Right-to-Left Languages

Murhaf Hossari University College Dublin Murhaf.hossari@gmail.com Right-to-Left Languages Localizing to right-to-left languages Right-to-left layout Text justification Directionality support Unicode Bidirectional Algorithm Issues and areas

521 views • 28 slides
Right hemisphere Motor functions on left side of body Perceives left side of space Left

Right hemisphere Motor functions on left side of body Perceives left side of space Left

Week 6 Lab: Hemispheric Functions - Contralateral processing Back to Index Right hemisphere Motor functions on left side of body Perceives left side of space Left hemisphere Motor functions on right side of body Perceives right side of space

276 views • 13 slides
Domain Name Industry Overview DNSSEC in .com, .net and .edu Mike Davies Domain Name Industry

Domain Name Industry Overview DNSSEC in .com, .net and .edu Mike Davies Domain Name Industry

Domain Name Industry Overview DNSSEC in .com, .net and .edu Mike Davies Domain Name Industry Overview Mike Davies There are 1.3 billion worldwide I nternet users Businesses and individuals have registered 184 million domain names around the

481 views • 18 slides
CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988 Impact of Configuration Errors on DNS Robustness V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang, 2004 Spring 2013 The Story So Far .

481 views • 29 slides

More recommend