Ralph Holz
Sydney Nano Institute
DEIB - Conference Room "Emilio Gatti"
June 18th, 2018
2.30 pm
Contacts:
Stefano Zanero
Research Line:
System architectures
The year 2011 was highly interesting for the security community: the meltdown of the Certification Authority DigiNotar, the alleged attack on connections to Google, and the subsequent removal of DigiNotar from all browsers sparked a strong interest in how HTTPS and our web PKI can be reinforced.
Since then, many other incidents have become known, and new security features have been added to TLS, HTTPS, and the web PKI. These include Certificate Transparency (CT) for making the CA system auditable; HSTS and HPKP headers, to harden the HTTPS posture of a domain; the DNS-based extensions CAA and TLSA, for control over certificate issuance and pinning; and SCSV, for protocol downgrade protection.
In this talk, we will discuss the advantages and disadvantages of these technologies based on empirical evidence of their deployment. We put our findings into context and explain which ones are a great defence and which ones are hard to configure and may even carry risks to the operator. Our insights are not theoretical: they are based on a months-long data gathering campaign, where we investigated the deployment of these improvements to the HTTPS ecosystem at Internet scale, explicitly accounting for their combined usage.
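The abstract contrasts features that are a solid defence with ones that are hard to configure or that can hurt the operator. The checker below, an example added to this page and not code from the speaker or the talk, makes that distinction concrete for three of the named features by inspecting an HSTS header (RFC 6797), an HPKP header (RFC 7469) and a set of CAA records (RFC 8659) for the configurations that go wrong in practice: an HPKP header with a single pin, which locks clients out for the whole max-age if that key is lost; a preload token without the preload-list prerequisites; and a CAA policy that forbids all issuance. It checks policy syntax and semantics only, not the Internet-scale deployment the talk measures, and every header and DNS record in it is constructed for illustration.

```python
"""Static checks for three of the HTTPS hardening features named in the abstract:
HSTS (RFC 6797), HPKP (RFC 7469) and CAA (RFC 8659).
Example code added to this page, not code from the speaker or the talk;
every header and DNS record below is constructed, not captured from a real host."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    feature: str
    severity: str   # "info" | "warn" | "risk"
    message: str


def parse_directives(header: str) -> dict:
    """Split a 'k=v; k; k="v"' header into {key: [values]} with keys lower-cased
    and quotes stripped. Lists keep repeated directives such as pin-sha256."""
    out: dict = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out.setdefault(key.strip().lower(), []).append(val.strip().strip('"'))
    return out


def check_hsts(header: str) -> list:
    d = parse_directives(header)
    if "max-age" not in d:
        return [Finding("HSTS", "risk", "max-age missing: browsers ignore the header")]
    age = int(d["max-age"][0])
    findings = []
    if age == 0:
        findings.append(Finding("HSTS", "warn", "max-age=0 evicts the host from the HSTS cache"))
    # hstspreload.org requires max-age >= 1 year plus includeSubDomains and preload
    if "preload" in d and (age < 31536000 or "includesubdomains" not in d):
        findings.append(Finding("HSTS", "warn",
                                "preload token set but preload-list requirements "
                                "(max-age >= 1 year, includeSubDomains) are not met"))
    return findings


PIN_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")   # base64 of a 32-byte SHA-256 digest


def check_hpkp(header: str) -> list:
    d = parse_directives(header)
    pins = d.get("pin-sha256", [])
    findings = []
    if any(not PIN_RE.match(p) for p in pins):
        findings.append(Finding("HPKP", "risk", "malformed pin-sha256 value"))
    if len(pins) < 2:
        findings.append(Finding("HPKP", "risk",
                                "fewer than two pins: RFC 7469 requires a backup pin, and losing "
                                "the single pinned key locks clients out until max-age expires"))
    if int(d.get("max-age", ["0"])[0]) > 60 * 24 * 3600:   # 60-day threshold is our choice
        findings.append(Finding("HPKP", "warn", "max-age over 60 days: a bad pin set is remembered that long"))
    if "includesubdomains" in d:
        findings.append(Finding("HPKP", "warn",
                                "includeSubDomains pins every subdomain, including ones served with other keys"))
    return findings


def check_caa(records: list) -> list:
    """records: CAA RRs in zone presentation format, e.g. '0 issue "letsencrypt.org"'."""
    findings, issuers = [], []
    for rr in records:
        m = re.match(r'^(\d+)\s+(\S+)\s+"(.*)"$', rr.strip())
        if not m:
            findings.append(Finding("CAA", "risk", f"unparseable record: {rr!r}"))
            continue
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        if tag == "issue":
            issuers.append(value.split(";")[0].strip())   # 'issue ";"' yields ""
        elif tag not in ("issuewild", "iodef") and flags & 128:
            findings.append(Finding("CAA", "risk",
                                    f"critical flag on unknown tag {tag!r}: CAs must refuse to issue"))
    if issuers and all(i == "" for i in issuers):
        findings.append(Finding("CAA", "warn", 'only issue ";": no CA may issue for this name'))
    return findings


def assess(hsts: str, hpkp: str, caa: list) -> dict:
    """Worst severity per feature, or "ok" when nothing was flagged."""
    rank = {"ok": 0, "info": 1, "warn": 2, "risk": 3}
    worst = {"HSTS": "ok", "HPKP": "ok", "CAA": "ok"}
    for f in check_hsts(hsts) + check_hpkp(hpkp) + check_caa(caa):
        if rank[f.severity] > rank[worst[f.feature]]:
            worst[f.feature] = f.severity
    return worst


# Constructed sample policies (not captured from any real host).
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
GOOD_HPKP = 'pin-sha256="' + "A" * 43 + '="; pin-sha256="' + "B" * 43 + '="; max-age=5184000'
RISKY_HPKP = 'pin-sha256="' + "A" * 43 + '="; max-age=31536000; includeSubDomains'
CAA_OK = ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"']
CAA_BLOCK = ['0 issue ";"']

if __name__ == "__main__":
    print(assess(GOOD_HSTS, GOOD_HPKP, CAA_OK))
    print(assess("max-age=0", RISKY_HPKP, CAA_BLOCK))
```

The HPKP branch is the one the abstract's "risks to the operator" warning is about: the single-pin case is a self-inflicted denial of service that no CA or browser can undo before max-age runs out, which is why the check rates it "risk" while a long HSTS max-age, which only forces HTTPS, is at most a warning.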
He is Contributed Staff at Data61|CSIRO, Australia's prime innovation body, and a Visiting Fellow at the University of New South Wales.
Ralph's primary research interest is empirical security. He led the research efforts that culminated in the world's first large-scale, long-term analysis of the deployment of encryption on the Web. Most recently, he has turned his attention to analysing the security and dependability of blockchain networks.