Three Ugly Truths about the Web’s PKI (and How We Might Fix it)
Friday, November 18, 2016, 11:00 am-12:00 pm
Abstract
The web’s public key infrastructure (PKI) is a critical system that enables users to verify the identities of the websites they visit. You may recognize it from the green lock icon in your browser’s address bar. Although much of the PKI is automated, several surprisingly important aspects require humans in the loop: (1) website administrators must properly manage their certificates; (2) browser manufacturers must regularly check for certificate revocations; and (3) above all, no one should share their private keys. I will present Internet-wide measurement studies we have performed that show that, in practice, all of these are violated on a regular basis.
 
These measurement studies are the first step.  Much of my talk will focus on sketching important, open problems towards fixing online authentication and the security of the web at large.  I will describe why I believe that future protocols must take economic factors into account, and why recent advances in cryptography, measurement, and trusted hardware may be the key to finally making a secure web possible.
 
Dave will be starting as an assistant professor in January and is currently looking for PhD students, so anyone interested in security, networking, or economics, please be sure to attend!
 
This talk is organized by Jeff Foster