Abstract
SSL is the primary technology used to secure web communications. Before setting up an SSL connection, a web browser has to validate the SSL certificate of the web server in order to ensure that the user reaches the expected web site. We tested how browsers handle the main fields of SSL certificates and found that they do not process them in a homogeneous way: the same certificate can be accepted by some web browsers while other web browsers present the user with an error message. This diversity of behavior might lead users to believe that SSL certificates are unreliable or error prone, and ultimately to consider them useless. In this paper we highlight these differing behaviors and explain their causes, which are either a violation of the standards or an ambiguity in the standards themselves. In our analysis we give our opinion of which of the two applies in each case.
Keywords
- Certification Authority
- Transport Layer Security
- Online Certificate Status Protocol
- Certificate Revocation List
- Fully Qualified Domain Name
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Wazan, A.S., Laborde, R., Chadwick, D.W., Barrere, F., Benzekri, A. (2009). Which Web Browsers Process SSL Certificates in a Standardized Way?. In: Gritzalis, D., Lopez, J. (eds) Emerging Challenges for Security, Privacy and Trust. SEC 2009. IFIP Advances in Information and Communication Technology, vol 297. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01244-0_38
DOI: https://doi.org/10.1007/978-3-642-01244-0_38
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01243-3
Online ISBN: 978-3-642-01244-0
eBook Packages: Computer Science (R0)