Revocation Statuses on the Internet

02/08/2021
by Nikita Korzhitskii, et al.

The modern Internet is highly dependent on the trust communicated via X.509 certificates. However, in some cases certificates become untrusted and it is necessary to revoke them. In practice, the problem of secure certificate revocation has not yet been solved, and today no revocation procedure (similar to Certificate Transparency w.r.t. certificate issuance) has been adopted to provide a transparent and immutable history of all revocations. Instead, the status of most certificates can only be checked with the Online Certificate Status Protocol (OCSP) and/or Certificate Revocation Lists (CRLs). In this paper, we present the first longitudinal characterization of the revocation statuses delivered by CRLs and OCSP servers from the time of certificate expiration to status disappearance. The analysis captures the status history of over 1 million revoked certificates, including 773K certificates mass-revoked by Let's Encrypt. Our characterization provides a new perspective on the Internet's revocation rates, quantifies how short-lived the revocation statuses are, highlights differences in revocation practices within and between different CAs, and captures biases and oddities in the handling of revoked certificates. Combined, the findings motivate the development and adoption of a revocation transparency standard.
