An Internet-wide View on HTTPS Certificate Revocations: Observing the Revival of CRLs via Active TLS Scans
Authors: Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Juliane Aulbach, Jonas Lang, Georg Carle
Published in Proc. IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024
Abstract:
A global decentralized Public Key Infrastructure (PKI) is a key element of trusted and secure communication over the Internet. Such a PKI enables trust inference through digital signatures. However, the irrevocable nature of signatures and the complexities involved in distributing revocation information pose significant challenges. Recent updates to the root store policies of Mozilla and Apple now mandate that each Certificate Authority (CA) must publish Certificate Revocation Lists (CRLs) on the Common CA Database (CCADB) as of October 2022. This policy shift enables new approaches for acquiring a comprehensive view of certificate revocations within the Transport Layer Security (TLS) ecosystem. This work investigates the impact of the new CRLs on certificate revocation research, whether they are sufficient to gain a comprehensive view, and how the current revocation methods compare. We conducted weekly Internet-wide TLS measurements to collect X.509 certificates over port 443 for two years starting in March 2022. These scans resulted in 1.1 billion valid leaf certificates, including 4.5 million revoked certificates we identified using the Online Certificate Status Protocol (OCSP), CRLs, CCADB CRLs, and OCSP stapling. Our findings show that acquiring a comprehensive view of certificate revocations is challenging, particularly via OCSP. Compared to the other methods, our analyses indicate that the CCADB CRLs provided the most complete view of global certificate revocations. They covered nearly the entirety of valid leaf certificates, found 44% more revocations than alternative methods, and less than 0.3% of the revocations were exclusively visible via OCSP or conventional CRLs.
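The abstract describes classifying each scanned leaf certificate as revoked or not by consulting CRLs (conventional and CCADB-listed) alongside OCSP. The following Go program is an added illustration, not code from the paper or its measurement tooling, of the CRL-based part of such a check against an in-memory test CA: it generates a throwaway CA and one leaf, signs CRLs, and classifies the leaf as good, revoked or unknown. The checker authenticates the CRL against the issuer, confirms the issuer matches and the list is still fresh (NextUpdate), and only then looks up the serial; the cases also cover a stale CRL and a CRL with a corrupted signature, both of which a scanner must report as unknown rather than silently count as not revoked. It assumes Go 1.21 or later (for x509.RevocationListEntry) and only the standard library; the function names newTestPKI, buildCRL, checkAgainstCRL and Demo, the names in the certificates, and the serials 4242 and 9999 are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; fine for an offline demo, not for a scanner.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert signs tmpl under parent with the signer's key and returns it parsed.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newTestPKI builds a throwaway CA and one leaf in memory (constructed data, not a real CA).
func newTestPKI(leafSerial int64) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is mandatory for a CRL issuer
	}
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(leafSerial), Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return ca, mkCert(leafTmpl, ca, &leafKey.PublicKey, caKey), caKey
}

// buildCRL signs a CRL listing the given serials as revoked with reason code 1
// (keyCompromise, RFC 5280 section 5.3.1); a nextUpdate in the past yields a stale CRL.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64, nextUpdate time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: time.Now().Add(-2 * time.Hour), NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{
			SerialNumber: big.NewInt(s), RevocationTime: time.Now().Add(-3 * time.Hour), ReasonCode: 1,
		})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

// checkAgainstCRL reports "good", "revoked" or "unknown" plus a reason, in the order a careful
// checker must use: authenticate the CRL, confirm issuer and freshness, then look up the serial.
func checkAgainstCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (status, detail string) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "unknown", "unparsable CRL: " + err.Error()
	}
	switch {
	case crl.CheckSignatureFrom(issuer) != nil: // an unsigned or tampered CRL must never clear a certificate
		return "unknown", "CRL signature does not verify against the issuer"
	case !bytes.Equal(crl.RawIssuer, leaf.RawIssuer): // serial numbers are unique only per issuer
		return "unknown", "CRL issuer differs from the certificate's issuer"
	case now.After(crl.NextUpdate): // past NextUpdate the list says nothing about newer revocations
		return "unknown", "CRL stale since " + crl.NextUpdate.UTC().Format(time.RFC3339)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", fmt.Sprintf("revoked %s, reason code %d", e.RevocationTime.UTC().Format(time.RFC3339), e.ReasonCode)
		}
	}
	return "good", "serial not listed on a fresh, authenticated CRL"
}

// Demo runs the four outcomes a scanner meets: a fresh CRL listing the leaf, a fresh CRL
// not listing it, a stale CRL, and a CRL whose signature bytes were corrupted in transit.
func Demo() [4]string {
	ca, leaf, caKey := newTestPKI(4242)
	now := time.Now()
	fresh := buildCRL(ca, caKey, []int64{4242, 9999}, now.Add(24*time.Hour))
	clean := buildCRL(ca, caKey, []int64{9999}, now.Add(24*time.Hour))
	stale := buildCRL(ca, caKey, []int64{4242}, now.Add(-time.Hour))
	tampered := append([]byte(nil), fresh...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit inside the signature value
	var out [4]string
	for i, crl := range [][]byte{fresh, clean, stale, tampered} {
		var why string
		out[i], why = checkAgainstCRL(leaf, ca, crl, now)
		fmt.Printf("case %d: %-7s (%s)\n", i, out[i], why)
	}
	return out
}

func main() { Demo() }
```

Run it with go run; it prints revoked, good, unknown, unknown for the four cases. A real scanner would fetch the CRL from the certificate's CRL distribution point or from the CCADB listing, cache it per issuer and URL, and keep "unknown" as its own category in the statistics rather than folding it into "not revoked", since a stale or unverifiable CRL is exactly the gap the abstract warns about when comparing revocation sources.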
Recommended citation: Markus Sosnowski, Johannes Zirngibl, Patrick Sattler, Juliane Aulbach, Jonas Lang, Georg Carle, "An Internet-wide View on HTTPS Certificate Revocations: Observing the Revival of CRLs via Active TLS Scans." Proc. IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024.
