
Reducing Excessive Trust in the Web PKI Ecosystem

The current state of the Web PKI leads to browsers and operating systems trusting many different third-party Certification Authorities. While some controls exist to handle this, more can be done.

This research examines the possibility of developing an add-on for the open-source mitmproxy project to add drift detection for root Certification Authority (CA) certificates, incorporate policy-based controls over which CAs are allowed, and leverage an ensemble of existing technologies—some in novel ways—to reduce the level of trust placed in the public Web PKI.

The result is a proof-of-concept tool, CertGuard, that provides a higher-security browsing experience and enables security-conscious users to make more informed risk decisions when browsing the web. The viability of this approach is shown by using CertGuard to gather data on 300,000 popular domains, observing how various risk conditions encountered on these domains can be surfaced to end users, and reviewing some notable findings during development and testing.

SANS-Reducing-Excessive-Trust-Web-PKI-Ecosystem-041326 (PDF, 1.93MB)

12 Mar 2026
By Daymon McCartney
All papers are copyrighted

No re-posting of papers is permitted