Measuring the Latency and Pervasiveness of TLS Certificate Revocation. Zhu, L., Amann, J., & Heidemann, J. In Passive and Active Measurements Conference, Heraklion, Crete, Greece, March, 2016.

Abstract: Today, Transport-Layer Security (TLS) is the bedrock of Internet security for the web and web-derived applications. TLS depends on the X.509 Public Key Infrastructure (PKI) to authenticate endpoint identity. An essential part of a PKI is the ability to quickly revoke certificates, for example, after a key compromise. Today the Online Certificate Status Protocol (OCSP) is the most common way to quickly distribute revocation information. However, prior and current concerns about OCSP latency and privacy raise questions about its use. We examine OCSP using passive network monitoring of live traffic at the Internet uplink of a large research university and verify the results using active scans. Our measurements show that the median latency of OCSP queries is quite good: only 20 ms today, much less than the 291 ms observed in 2012. This improvement is because content delivery networks (CDNs) serve most OCSP traffic today; our measurements show 94% of queries are served by CDNs. We also show that OCSP use is ubiquitous today: it is used by all popular web browsers, as well as important non-web applications such as MS-Windows code signing.
@InProceedings{Zhu16a,
author = "Liang Zhu and Johanna Amann and John Heidemann",
title = "Measuring the Latency and Pervasiveness of TLS Certificate Revocation",
booktitle = "Passive and Active Measurements Conference",
year = 2016,
sortdate = "2016-03-31",
projects = "ant, lacrend, retrofuture, tdns",
jsubject = "dns",
month = mar,
address = "Heraklion, Crete, Greece",
myorganization = "USC/Information Sciences Institute",
keywords = "OCSP, certificate revocation, CDN",
xdoi = "xxx",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Zhu16a.pdf",
copyrightholder = "Springer",
copyrightterms = "An author may self-archive an author-created version of his/her article on his/her own website and or in his/her institutional repository. He/she may also deposit this version on his/her funder's or funder's designated repository at the funder's request or as a result of a legal obligation, provided it is not made publicly available until 12 months after official publication. He/she may not use the publisher's PDF version, which is posted on \url{www.springerlink.com}, for the purpose of self-archiving or deposit. Furthermore, the author may only post his/her version provided acknowledgement is given to the original source of publication and a link is inserted to the published article on Springer's website. The link must be accompanied by the following text: ``The final publication is available at www.springerlink.com''. " ,
blogurl = "https://ant.isi.edu/blog/?p=791",
abstract = "Today, Transport-Layer Security (TLS) is the bedrock of
Internet security for the web and web-derived applications. TLS depends
on the X.509 Public Key Infrastructure (PKI) to authenticate endpoint
identity. An essential part of a PKI is the ability to quickly revoke
certificates, for example, after a key compromise. Today the Online
Certificate Status Protocol (OCSP) is the most common way to quickly
distribute revocation information. However, prior and current concerns
about OCSP latency and privacy raise questions about its use. We examine
OCSP using passive network monitoring of live traffic at the Internet
uplink of a large research university and verify the results using active
scans. Our measurements show that the median latency of OCSP queries
is quite good: only 20 ms today, much less than the 291 ms observed in
2012. This improvement is because content delivery networks (CDNs)
serve most OCSP traffic today; our measurements show 94\% of queries
are served by CDNs. We also show that OCSP use is ubiquitous today:
it is used by all popular web browsers, as well as important non-web
applications such as MS-Windows code signing.",
}