USENIX Enigma 2023 - The Dirty Laundry of the Web PKI
USENIX Enigma Conference

Published on Feb 22, 2023

The Dirty Laundry of the Web PKI

Emily Stark, Google

When you type “https://example.com” in your web browser, how do you know that you’re establishing a secure connection to the real example.com? This question is foundational to the web security model, and the answer rests in the web public key infrastructure (PKI). In the web PKI, trusted certificate authorities (CAs) issue certificates that authenticate websites. Sadly, the web PKI – which is so foundational to the communication, collaboration, commerce, and cat memes that we all use the web for every day – is shockingly antiquated, overcomplicated, and crufty. In this talk, I’ll describe some icky inner secrets of how the web PKI works, exposing the fragile security infrastructure on which the web is built. I’ll also outline some properties that we should try to achieve in a leaner next-generation server authentication model for the web.

View the full Enigma 2023 program at https://www.usenix.org/conference/eni...
