A holistic analysis of web-based public key infrastructure failures: comparing experts' perceptions and real-world incidents

Abstract

Abstract Public key infrastructure (PKI) is the foundation of secure and trusted transactions across the Internet. This paper presents an evaluation of web-based PKI incidents in two parts. We began with a qualitative study where we captured security and policy experts' perceptions of PKI in a set of interviews. We interviewed 18 experts in two conferences who include security academics and practitioners. We describe their perceptions of PKI failures. To evaluate whether perceived failures match real documented failures, we conducted a quantitative analysis of real-world PKI incidents on the web since 2001. Our data comprise reports from Bugzilla, root program operators, academic literature, security blogs, and the popular press. We determined the underlying causes of each and reported the results. We identified a gap between experts' perceptions and real-world PKI incidents. We conclude that there are significant sources of failures of PKI that neither the usability nor traditional computer security community is engaging, nor can arguably engage separately. Specifically, we found incidents illustrate systematic weaknesses of organizational practices that create risks for all who rely upon PKI. More positively, our results also point to organizational and configuration choices that could avoid or mitigate some of these risks. Thus, we also identify immediate mitigation strategies (where feasible).