“Three Ugly Truths about the Web’s PKI (and How We Might Fix it)”
Location: LTS Auditorium, 8080 Greenmead Drive
The web’s public key infrastructure (PKI) is a critical system that enables users to verify the identities of the websites they visit. You may recognize it from the green lock icon in your browser’s address bar.
Although much of the PKI is automated, several surprisingly important aspects require humans in the loop: (1) website administrators must properly manage their certificates; (2) browser manufacturers must regularly check for certificate revocations; and (3) above all, no one should share their private keys. I will present Internet-wide measurement studies we have performed that show that, in practice, all of these are violated on a regular basis.
These measurement studies are the first step. I will also discuss some of the steps we are taking toward fixing online authentication and the security of the web at large. I will describe why I believe that future protocols must take economic factors into account, and why recent advances in cryptography, measurement and trusted hardware may be the key to finally making a secure web possible.
Dave Levin is an assistant professor in the Department of Computer Science and a member of UMIACS at the University of Maryland (UMD).
In his research, he empirically measures security on the Internet to understand how security breaks down, and applies economics and cryptography to design and build new systems with provable and usable security.
Levin received the Outstanding Reviewer Award at SIGCOMM 2012, the Microsoft Live Labs Fellowship in 2008, the Best Paper Award at USENIX NSDI 2009, the Dean’s Fellowship for Excellence in Research for the Department of Computer Science at UMD in 2006, the Outstanding Undergraduate Computer Science Teaching Assistant Award at UMD in 2002, and others.
He holds a doctorate in computer science from UMD.