27,503 research outputs found
The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
In this paper, we analyze the evolution of Certificate Transparency (CT) over
time and explore the implications of exposing certificate DNS names from the
perspective of security and privacy. We find that certificates in CT logs have
seen exponential growth. Website support for CT has also constantly increased,
with now 33% of established connections supporting CT. With the increasing
deployment of CT, there are also concerns of information leakage due to all
certificates being visible in CT logs. To understand this threat, we introduce
a CT honeypot and show that data from CT logs is being used to identify targets
for scanning campaigns only minutes after certificate issuance. We present and
evaluate a methodology to learn and validate new subdomains from the vast
number of domains extracted from CT logged certificates.
Comment: To be published at ACM IMC 201
PKI Safety Net (PKISN): Addressing the Too-Big-to-Be-Revoked Problem of the TLS Ecosystem
In a public-key infrastructure (PKI), clients must have an efficient and
secure way to determine whether a certificate was revoked (by an entity
considered as legitimate to do so), while preserving user privacy. A few
certification authorities (CAs) are currently responsible for the issuance of
the large majority of TLS certificates. These certificates are considered valid
only if the certificate of the issuing CA is also valid. The certificates of
these important CAs are effectively too big to be revoked, as revoking them
would result in massive collateral damage. To solve this problem, we redesign
the current revocation system with a novel approach that we call PKI Safety Net
(PKISN), which uses publicly accessible logs to store certificates (in the
spirit of Certificate Transparency) and revocations. The proposed system
extends existing mechanisms, which enables simple deployment. Moreover, we
present a complete implementation and evaluation of our scheme.
Comment: IEEE EuroS&P 201
Towards Economic Models for MOOC Pricing Strategy Design
MOOCs have brought unprecedented opportunities of making high-quality courses
accessible to everybody. However, from the business point of view, MOOCs are
often challenged for lacking sustainable business models, and academic
research for marketing strategies of MOOCs is also a blind spot currently. In
this work, we try to formulate the business models and pricing strategies in a
structured and scientific way. Based on both theoretical research and real
marketing data analysis from a MOOC platform, we present the insights of the
pricing strategies for existing MOOC markets. We focus on the pricing
strategies for verified certificates in the B2C markets, and also give ideas of
modeling the course sub-licensing services in B2B markets