An Internet-Wide View on HTTPS Certificate Revocations: Observing the Revival of CRLs via Active TLS Scans

Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Juliane Aulbach, Jonas Lang, Georg Carle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

A global decentralized Public Key Infrastructure (PKI) is a key element of trusted and secure communication over the Internet. Such a PKI enables trust inference through digital signatures. However, the irrevocable nature of signatures and the complexities involved in distributing revocation information pose significant challenges. Recent updates to the root store policies of Mozilla and Apple now mandate that each Certificate Authority (CA) must publish Certificate Revocation Lists (CRLs) on the Common CA Database (CCADB) as of October 2022. This policy shift enables new approaches for acquiring a comprehensive view of certificate revocations within the Transport Layer Security (TLS) ecosystem. This work investigates the impact of the new CRLs on certificate revocation research, whether they are sufficient to gain a comprehensive view, and how the current revocation methods compare. We conducted weekly Internet-wide TLS measurements to collect X.509 certificates over port 443 for two years starting in March 2022. These scans resulted in 1.1 billion valid leaf certificates, including 4.5 million revoked certificates we identified using the Online Certificate Status Protocol (OCSP), CRLs, CCADB CRLs, and OCSP stapling. Our findings show that acquiring a comprehensive view of certificate revocations is challenging, primarily when relying on OCSP. Compared to the other methods, our analyses indicate that the CCADB CRLs provided the most complete view of global certificate revocations. They covered nearly the entirety of valid leaf certificates, found 44% more revocations than alternative methods, and less than 0.3% of the revocations were exclusively visible via OCSP or conventional CRLs.
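The abstract names the per-certificate revocation sources the study consulted (CRL distribution points, OCSP responders) and notes that a CRL only yields a trustworthy answer when it is signed by the issuing CA and still within its validity window. The following Go program is an added example, not code from the paper or its authors: it builds a throwaway CA, a leaf certificate and a CRL entirely in memory (all names and URLs such as `crl.example.test` and `ocsp.example.test` are constructed placeholders), extracts the revocation-source URLs from the leaf as a scanner would, and then checks the leaf against the CRL with the signature, issuer and freshness checks a defender needs before trusting a "not revoked" result.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of a CRL lookup. Unknown covers every case in which
// the CRL cannot be trusted (bad signature, wrong issuer, stale), so that a
// lookup failure is never silently reported as "good".
type Status int

const (
	StatusGood Status = iota
	StatusRevoked
	StatusUnknown
)

// fixture is a constructed test set: a CA, a leaf it issued, and a CRL it signed.
type fixture struct {
	ca     *x509.Certificate
	leaf   *x509.Certificate
	crlDER []byte
}

// buildFixture creates the CA, leaf and CRL in memory. When revokeLeaf is
// true the CRL lists the leaf's serial number. Hostnames are placeholders.
func buildFixture(revokeLeaf bool) (*fixture, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(4242),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}, // placeholder CDP
		OCSPServer:            []string{"http://ocsp.example.test"},       // placeholder AIA OCSP URL
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour), // short window: a stale copy must not be trusted
	}
	if revokeLeaf {
		crlTmpl.RevokedCertificateEntries = []x509.RevocationListEntry{{
			SerialNumber:   leaf.SerialNumber,
			RevocationTime: now.Add(-time.Minute),
			ReasonCode:     1, // keyCompromise
		}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &fixture{ca: ca, leaf: leaf, crlDER: crlDER}, nil
}

// revocationSources returns the URLs a scanner would query for this leaf:
// its CRL distribution points and its OCSP responders.
func revocationSources(leaf *x509.Certificate) (crls, ocsp []string) {
	return leaf.CRLDistributionPoints, leaf.OCSPServer
}

// checkAgainstCRL reports the leaf's status according to crlDER, trusting the
// CRL only if it is signed by issuer, names the same issuer as the leaf, and
// is within its ThisUpdate/NextUpdate window at time now.
func checkAgainstCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, leaf.RawIssuer) {
		return StatusUnknown, errors.New("CRL issuer does not match certificate issuer")
	}
	if now.Before(crl.ThisUpdate) || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate)) {
		return StatusUnknown, errors.New("CRL is outside its validity window")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	fx, err := buildFixture(true)
	if err != nil {
		panic(err)
	}
	crls, ocsp := revocationSources(fx.leaf)
	fmt.Println("CRL distribution points:", crls, "OCSP responders:", ocsp)
	st, err := checkAgainstCRL(fx.leaf, fx.ca, fx.crlDER, time.Now())
	fmt.Println("status:", st, "err:", err)
}
```

The Unknown status is deliberate: a stale or unverifiable CRL says nothing about the certificate, and treating it as "good" is the failure mode that makes revocation data incomplete in practice. The freshness check is also why CRL number and NextUpdate matter when several CRL copies of the same issuer are compared.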

Original language: English
Title of host publication: Proceedings - 9th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2024
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 297-306
Number of pages: 10
ISBN (Electronic): 9798350367294
DOIs
State: Published - 2024
Event: 9th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2024 - Vienna, Austria
Duration: 8 Jul 2024 - 12 Jul 2024

Publication series

Name: Proceedings - 9th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2024

Conference

Conference: 9th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2024
Country/Territory: Austria
City: Vienna
Period: 8/07/24 - 12/07/24

Keywords

  • Certificate Revocation Lists (CRLs)
  • Common CA Database (CCADB)
  • Internet-wide TLS Measurements
  • Online Certificate Status Protocol (OCSP)
  • X.509 Certificates
  • X.509 Public Key Infrastructure
