Investigating The Health State Of X.509 Digital Certificate
S. Orlando, A. Barenghi, G. Pelosi
2024-01-01
Abstract
Digital certificates are one of the fundamental components of secure communication protocols where endpoint authentication is desired. However, despite their fundamental role, widely used libraries approach the certificate validation problem through handcrafted parsers, which are hard to check for correctness. In this work, we investigate the current state of health of the X.509 digital certificate ecosystem, focusing on the certificates employed in TLS communications. We perform a comparative analysis of the syntactic and semantic validation capabilities of existing libraries on a total of 30 million certificates, collected from openly available HTTPS endpoints. Our findings highlight how the state of health of the X.509 certificate ecosystem has improved in the last 5 years, mainly due to the convergence of the root certification authorities into a small set of highly reliable ones. Despite this, we practically validate the fact that current X.509 libraries have significant discrepancies in validation, leading to a large number of certificates being either valid or invalid depending on the library performing the validation.

File | Description | Size | Format
---|---|---|---
Investigating_the_Health_State_of_X.509_Digital_Certificates.pdf (open access) | Main article: Publisher's version | 258.98 kB | Adobe PDF