Skip to main content
SpringerLink
Log in

Trust Issue(r)s: Certificate Revocation and Replacement Practices in the Wild

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14538))

Included in the following conference series:

  • 101 Accesses

Abstract

Every time we use the web, we place our trust in X.509 certificates binding public keys to domain identities. However, for these certificates to be trustworthy, proper issuance, management, and timely revocations (in cases of compromise or misuse) are required. While great efforts have been placed on ensuring trustworthiness in the issuance of new certificates, there has been a scarcity of empirical studies on revocation management. This study offers the first comprehensive analysis of certificate replacements (CRs) of revoked certificates. It provides a head-to-head comparison of the CRs where the replaced certificate was revoked versus not revoked. Leveraging two existing datasets with overlapping timelines, we create a combined dataset containing 1.5 million CRs that we use to unveil valuable insights into the effect of revocations on certificate management. Two key questions guide our research: (1) the influence of revocations on certificate replacement behavior and (2) the effectiveness of revocations in fulfilling their intended purpose. Our statistical analysis reveals significant variations in revocation rates, retention rates, and post-revocation usage, shedding light on differences in Certificate Authorities’ (CAs) practices and subscribers’ decisions. Notably, a substantial percentage of revoked certificates were either observed or estimated to be used after revocation, raising concerns about key-compromise instances. Finally, our findings highlight shortcomings in existing revocation protocols and practices, emphasizing the need for improvements. We discuss ongoing efforts and potential solutions to address these issues, offering valuable guidance for enhancing the security and integrity of web communications.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    From our data, Microsoft has only issued certificates to themselves or affiliated organizations, such as MSN or Skype etc.

References

  1. Akhawe, D., Felt, A.P.: Alice in Warningland: a large-scale field study of browser security warning effectiveness. In: Proceedings of the USENIX Security Symposium, pp. 257–272. USENIX Security 2013, USENIX Association, Washington, D.C. (2013). https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/akhawe

  2. Apple: About upcoming limits on trusted certificates (2020). https://support.apple.com/en-us/102028

  3. Barnes, R., Hoffman-Andrews, J., McCarney, D., Kasten, J.: Automatic Certificate Management Environment (ACME). RFC 8555 (2019). https://doi.org/10.17487/RFC8555

  4. Boeyen, S., Santesson, S., Polk, T., Housley, R., Farrell, S., Cooper, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (2008). https://doi.org/10.17487/RFC5280

  5. Bruhner, C.M., Linnarsson, O., Nemec, M., Arlitt, M., Carlsson, N.: Changing of the guards: certificate and public key management on the internet. In: Proceeding of Passive and Active Measurement Conference, pp. 50–80. PAM 2022, Virtual (2022). https://doi.org/10.1007/978-3-030-98785-5_3

  6. CA/Browser Forum: Ballot SC31: Browser Alignment (2020). https://cabforum.org/2020/07/16/ballot-sc31-browser-alignment/

  7. CA/Browser Forum: Guidelines for the Issuance and Management of Extended Validation Certificates (2022). https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-1.8.0.pdf

  8. CA/Browser Forum: Ballot SC-063 v4: Make OCSP Optional, Require CRLs, and Incentivize Automation (2023). https://cabforum.org/2023/07/14/ballot-sc-063-v4make-ocsp-optional-require-crls-and-incentivize-automation/

  9. CA/Browser Forum: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 2.0.1 (2023). https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1.pdf

  10. Certificate Transparency: Our Successes. https://certificate.transparency.dev/community/#successes-grid

  11. Chung, T., et al.: Measuring and applying invalid SSL certificates: the silent majority. In: Proceedings of the Internet Measurement Conference, pp. 527–541. IMC 2016, ACM, Santa Monica, CA (2016). https://doi.org/10.1145/2987443.2987454

  12. Chung, T., et al.: Is the web ready for OCSP must-staple? In: Proceedings of the Internet Measurement Conference, pp. 105–118. IMC 2018, ACM, Boston, MA (2018). https://doi.org/10.1145/3278532.3278543

  13. DigiCert: DigiCert Encryption Everywhere Partner Program (2020). https://www.digicert.com/content/dam/digicert/pdfs/guide/partner-program-guide-en.pdf

  14. Durumeric, Z., et al.: The matter of Heartbleed. In: Proceedings of the Internet Measurement Conference, pp. 475–488. IMC 2014, ACM, Vancouver, BC, Canada (2014). https://doi.org/10.1145/2663716.2663755

  15. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: Proceedings of the USENIX Security Symposium, pp. 605–620. USENIX Security 2013, USENIX Association, Washington, D.C. (2013). https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/durumeric

  16. Farhan, S.M., Chung, T.: Exploring the evolution of TLS certificates. In: Proceeding of Passive and Active Measurement Conference, pp. 71–84. PAM 2023, Virtual (2023). https://doi.org/10.1007/978-3-031-28486-1_4

  17. Gable, A.: A New Life for Certificate Revocation Lists - Let’s Encrypt (2022). https://letsencrypt.org/2022/09/07/new-life-for-crls.html

  18. Google Security Blog: Chrome’s Plan to Distrust Symantec Certificates (2018). https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

  19. Halim, A., Danielsson, M., Arlitt, M., Carlsson, N.: Temporal analysis of X.509 revocations and their statuses. In: 2022 IEEE European Symposium on Security and Privacy Workshops, pp. 258–265. EuroS &PW 2022, Genoa, Italy (2022). https://doi.org/10.1109/EuroSPW55150.2022.00032

  20. Holz, R., Braun, L., Kammenhuber, N., Carle, G.: The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements. In: Proceedings of the Internet Measurement Conference, pp. 427–444. IMC 2011, ACM, Berlin, Germany (2011). https://doi.org/10.1145/2068816.2068856

  21. Jones, J.: Design of the CRLite Infrastructure (2020). https://blog.mozilla.org/security/2020/12/01/crlite-part-4-infrastructure-design/

  22. Kim, D., Kwon, B.J., Kozák, K., Gates, C., Dumitraş, T.: The broken shield: measuring revocation effectiveness in the windows code-signing PKI. In: Proceedings of the USENIX Security Symposium, pp. 851–868. USENIX Security 2018, USENIX Association, Baltimore, MD (2018). https://www.usenix.org/conference/usenixsecurity18/presentation/kim

  23. Korzhitskii, N., Carlsson, N.: Revocation Statuses on the Internet. In: Proceeding of Passive and Active Measurement Conference, pp. 175–191. PAM 2021, Virtual (2021). https://doi.org/10.1007/978-3-030-72582-2_11

  24. Larisch, J., et al.: Hammurabi: a framework for pluggable, logic-based X.509 certificate validation policies. In: Proceedings of the Conference on Computer and Communications Security, pp. 1857–1870. CCS 2022, ACM, Los Angeles, CA (2022). https://doi.org/10.1145/3548606.3560594

  25. Larisch, J., Choffnes, D., Levin, D., Maggs, B.M., Mislove, A., Wilson, C.: CRLite: a scalable system for pushing all TLS revocations to all browsers. In: 2017 IEEE Symposium on Security and Privacy, pp. 539–556. S &P 2017, IEEE, San Jose, CA (2017). https://doi.org/10.1109/SP.2017.17

  26. Laurie, B., Langley, A., Kasper, E., Messeri, E., Stradling, R.: Certificate Transparency Version 2.0. RFC 9162 (2021). https://doi.org/10.17487/RFC9162

  27. Let’s Encrypt: Integration Guide. Internet Security Research Group (2016). https://letsencrypt.org/docs/integration-guide/

  28. Let’s Encrypt: 2020.02.29 CAA Rechecking Bug (2020). https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591

  29. Liu, Y., et al.: An end-to-end measurement of certificate revocation in the web’s PKI. In: Proceedings of the Internet Measurement Conference, pp. 183–196. IMC 2015, ACM, Tokyo, Japan (2015). https://doi.org/10.1145/2815675.2815685

  30. Ma, Z., et al.: Stale TLS certificates: investigating precarious third-party access to valid TLS keys. In: Proceedings of the Internet Measurement Conference, pp. 222–235. IMC 2023, ACM, Montreal QC, Canada (2023). https://doi.org/10.1145/3618257.3624802

  31. Microsoft: Microsoft Edge - Policies (2023). https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies

  32. Mozilla: CA/Revocation Checking in Firefox (2021). https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#OneCRL

  33. Omolola, O., Roberts, R., Ashiq, M.I., Chung, T., Levin, D., Mislove, A.: Measurement and analysis of automated certificate reissuance. In: Proceeding of Passive and Active Measurement Conference, pp. 161–174. PAM 2021, Virtual (2021). https://doi.org/10.1007/978-3-030-72582-2_10

  34. Pettersen, Y.N.: The Transport Layer Security (TLS) Multiple Certificate Status Request Extension. RFC 6961 (2013). https://doi.org/10.17487/RFC6961

  35. Rapid7: Open Data: SSL Certificates. https://opendata.rapid7.com/sonar.ssl/

  36. Rapid7: Project Sonar. https://www.rapid7.com/research/project-sonar/

  37. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, D.C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960 (2013). https://doi.org/10.17487/RFC6960

  38. Sectigo: What is a Self-Signed Certificate (2021). https://sectigo.com/resource-library/what-is-a-self-signed-certificate

  39. Sheffer, Y., Lopez, D., de Dios, O.G., Pastor, A., Fossati, T.: Support for Short-Term, Automatically Renewed (STAR) Certificates in the Automated Certificate Management Environment (ACME). RFC 8739 (2020). https://doi.org/10.17487/RFC8739

  40. SSLmate: Certificate Transparency Log Growth. https://sslmate.com/labs/ct_growth/

  41. Statcounter GlobalStats: Browser Market Share Worldwide (2023). https://gs.statcounter.com/browser-market-share

  42. Statista: global market share held by leading internet browsers from January 2012 to January 2023 (2023). https://www.statista.com/statistics/268254/market-share-of-internet-browsers-worldwide-since-2009/

  43. The Chromium Projects: CRLSets. https://www.chromium.org/Home/chromium-security/crlsets/

  44. The Chromium Projects: Chrome Root Program Policy, Version 1.4 (2023). https://www.chromium.org/Home/chromium-security/root-ca-policy/

  45. The Chromium Projects: Moving Forward, Together (2023). https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/

  46. TrustAsia: TrustAsia CA Certificate Practice Statement (CPS) V1.1 (8 2020). https://repository.trustasia.com/repo/cps/TrustAsia-Global-CP-CPS_EN_V1.1.pdf

  47. Yee, P.E.: Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 6818 (2013). https://doi.org/10.17487/RFC6818

  48. Zhang, L., et al.: Analysis of SSL certificate reissues and revocations in the wake of Heartbleed. Commun. ACM 61(3), 109–116 (2018). https://doi.org/10.1145/3176244

    Article  Google Scholar 

  49. Zhu, L., Amann, J., Heidemann, J.: Measuring the latency and pervasiveness of TLS certificate revocation. In: Proceeding of Passive and Active Measurement Conference, pp. 16–29. PAM 2016, Heraklion, Greece (2016). https://doi.org/10.1007/978-3-319-30505-9_2

Download references

Acknowledgments

This work was partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation.

Author information

Authors and Affiliations

  1. Linköping University, Linköping, Sweden

    David Cerenius, Martin Kaller, Carl Magnus Bruhner & Niklas Carlsson

  2. University of Calgary, Calgary, Canada

    Martin Arlitt

Authors
  1. David Cerenius
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Martin Kaller
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Carl Magnus Bruhner
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Martin Arlitt
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Niklas Carlsson
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Carl Magnus Bruhner .

Editor information

Editors and Affiliations

  1. Akamai Technologies, Cambridge, MA, USA

    Philipp Richter

  2. Hasso Plattner Institute, Potsdam, Germany

    Vaibhav Bajpai

  3. Northwestern University, Evanston, IL, USA

    Esteban Carisimo

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cerenius, D., Kaller, M., Bruhner, C.M., Arlitt, M., Carlsson, N. (2024). Trust Issue(r)s: Certificate Revocation and Replacement Practices in the Wild. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14538. Springer, Cham. https://doi.org/10.1007/978-3-031-56252-5_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-56252-5_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-56251-8

  • Online ISBN: 978-3-031-56252-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation