TY - GEN
T1 - An Internet-Wide View on HTTPS Certificate Revocations
T2 - 9th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2024
AU - Sosnowski, Markus
AU - Zirngibl, Johannes
AU - Sattler, Patrick
AU - Aulbach, Juliane
AU - Lang, Jonas
AU - Carle, Georg
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - A global, decentralized Public Key Infrastructure (PKI) is a key element of trusted and secure communication over the Internet. Such a PKI enables trust inference through digital signatures. However, the irrevocable nature of signatures and the complexities involved in distributing revocation information pose significant challenges. Recent updates to the root store policies of Mozilla and Apple mandate that, as of October 2022, each Certificate Authority (CA) must publish its Certificate Revocation Lists (CRLs) in the Common CA Database (CCADB). This policy shift enables new approaches for acquiring a comprehensive view of certificate revocations within the Transport Layer Security (TLS) ecosystem. This work investigates the impact of the new CRLs on certificate revocation research, whether they are sufficient to gain a comprehensive view, and how the current revocation methods compare. We conducted weekly Internet-wide TLS measurements to collect X.509 certificates over port 443 for two years starting in March 2022. These scans resulted in 1.1 billion valid leaf certificates, including 4.5 million revoked certificates we identified using the Online Certificate Status Protocol (OCSP), CRLs, CCADB CRLs, and OCSP stapling. Our findings show that acquiring a comprehensive view of certificate revocations is challenging, especially via OCSP. Compared to the other methods, our analyses indicate that the CCADB CRLs provided the most complete view of global certificate revocations. They covered nearly all valid leaf certificates, found 44% more revocations than the alternative methods, and less than 0.3% of the revocations were visible exclusively via OCSP or conventional CRLs.
KW - Certificate Revocation Lists (CRLs)
KW - Common CA Database (CCADB)
KW - Internet-wide TLS Measurements
KW - Online Certificate Status Protocol (OCSP)
KW - X.509 Certificates
KW - X.509 Public Key Infrastructure
UR - http://www.scopus.com/inward/record.url?scp=85203020202&partnerID=8YFLogxK
U2 - 10.1109/EuroSPW61312.2024.00038
DO - 10.1109/EuroSPW61312.2024.00038
M3 - Conference contribution
AN - SCOPUS:85203020202
T3 - Proceedings - 9th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2024
SP - 297
EP - 306
BT - Proceedings - 9th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2024
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 8 July 2024 through 12 July 2024
ER -
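The abstract compares revocation sources (CRLs named in the certificate's CRL Distribution Points extension, CRLs published via the CCADB, and OCSP). The following is an added example, not code from the paper or its authors, showing the two mechanical checks such a measurement pipeline performs per leaf certificate: looking up the serial number in a signature-verified CRL, and building the OCSP request that would be sent to the responder. It uses the `cryptography` library and a self-signed test CA, two leaf certificates and a CRL that are all generated in-process; the CRL URL `http://crl.example.test/ca.crl` and the hostnames are placeholders, not real endpoints.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _now():
    return datetime.now(timezone.utc)


def make_ca():
    """Self-signed test CA (constructed for this example, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname, crl_url):
    """Leaf certificate carrying a CRL Distribution Points extension, as real leaves do."""
    key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(crl_url)],
        relative_name=None, reasons=None, crl_issuer=None)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=90))
        .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA listing the given serials as revoked (key compromise)."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now())
        .next_update(_now() + timedelta(days=7))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(_now())
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_urls(cert):
    """URLs from the leaf's CRL Distribution Points extension (the 'conventional CRL' source)."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [name.value for dp in ext for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


def crl_status(cert, crl, issuer_cert):
    """'revoked' or 'good'. Refuses CRLs that are unsigned by the issuer or already stale."""
    if crl.issuer != issuer_cert.subject:
        raise ValueError("CRL issuer does not match the certificate issuer")
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer key")
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if next_update < _now():
        raise ValueError("CRL is past its nextUpdate; fetch a fresh one")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"


def ocsp_request_der(cert, issuer_cert):
    """DER OCSP request identifying the leaf by issuer-name/key hash and serial (RFC 6960)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def demo():
    ca_key, ca_cert = make_ca()
    crl_url = "http://crl.example.test/ca.crl"  # placeholder, not a real CRL endpoint
    good = issue_leaf(ca_key, ca_cert, "good.example.test", crl_url)
    bad = issue_leaf(ca_key, ca_cert, "revoked.example.test", crl_url)
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    parsed_req = ocsp.load_der_ocsp_request(ocsp_request_der(bad, ca_cert))
    return {
        "crl_urls": crl_urls(good),
        "good": crl_status(good, crl, ca_cert),
        "bad": crl_status(bad, crl, ca_cert),
        "revoked_entries": len(list(crl)),
        "ocsp_serial_matches": parsed_req.serial_number == bad.serial_number,
    }


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the CRL bytes would come from the URL in `crl_urls()` or from the CCADB CRL list for that issuer, and the OCSP request would be POSTed to the responder named in the certificate's Authority Information Access extension; the signature and freshness checks in `crl_status()` are what keep an attacker-supplied or cached-stale CRL from masking a revocation.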