{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T00:30:04Z","timestamp":1766449804777,"version":"3.44.0"},"reference-count":36,"publisher":"Association for Computing Machinery (ACM)","issue":"CoNEXT3","license":[{"start":{"date-parts":[[2023,11,27]],"date-time":"2023-11-27T00:00:00Z","timestamp":1701043200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"CROSSING","award":["1119"],"award-info":[{"award-number":["1119"]}]},{"name":"ATHENE"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Netw."],"published-print":{"date-parts":[[2023,11,27]]},"abstract":"<jats:p>The TLS ecosystem depends on certificates to bootstrap secure connections. Certificate Authorities (CAs) are trusted to issue these correctly. However, as a result of security breaches or attacks, certificates may be issued fraudulently and need to be revoked prematurely.<\/jats:p>\n          <jats:p>Revocation, as a reactive measure, is fundamentally damage control and, as such, time is critical. Therefore, measuring reaction delay is the first step to identifying how well the revocation system functions.<\/jats:p>\n          <jats:p>In this paper we attempt to characterize the current performance of the WebPKI in dealing with fraudulent certificates. We present measurements of each step in the revocation process: the detection of certificate issuance through Certificate Transparency (CT) monitoring, the administrative revocation process at popular CAs, and the revocation checking behavior of end-user clients, both in a controlled virtualized environment and in the wild. 
We perform two live measurements, in 2022 and 2023, respectively, to provide a longitudinal comparison.<\/jats:p>\n          <jats:p>We find that detection and revocation of fraudulent certificates is quick and efficient when leveraging CT and can be completed within 6.5 hours on average. Furthermore, CT is being increasingly enforced by some browsers. However, \u223c83% of the clients we observed, across popular browsers, brands and OSes, completely disregard a certificate's status, while all of the studied browsers still display soft-fail behavior, making them vulnerable to attackers capable of interfering with the network. Of the clients that do check revocation, we find that 35% can be made to accept a revoked certificate through the use of OCSP Stapling. We expect this number to grow with client-side adoption of OCSP Stapling [RFC6961]. Current OCSP expiration times allow a revoked certificate to remain fully valid for up to 7 days for the majority of CAs, exposing clients to attacks.<\/jats:p>","DOI":"10.1145\/3629148","type":"journal-article","created":{"date-parts":[[2023,11,28]],"date-time":"2023-11-28T15:40:05Z","timestamp":1701186005000},"page":"1-20","update-policy":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Revocation Speedrun: How the WebPKI Copes with Fraudulent Certificates"],"prefix":"10.1145","volume":"1","author":[{"ORCID":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/orcid.org\/0000-0001-7809-3647","authenticated-orcid":false,"given":"Jens","family":"Friess","sequence":"first","affiliation":[{"name":"ATHENE &amp; TU Darmstadt &amp; Fraunhofer SIT, Darmstadt, Germany"}]},{"ORCID":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/orcid.org\/0000-0002-8130-0472","authenticated-orcid":false,"given":"Haya","family":"Schulmann","sequence":"additional","affiliation":[{"name":"ATHENE &amp; 
Goethe-Universit\u00e4t Frankfurt &amp; Fraunhofer SIT, Frankfurt, Germany"}]},{"ORCID":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/orcid.org\/0000-0001-7919-9961","authenticated-orcid":false,"given":"Michael","family":"Waidner","sequence":"additional","affiliation":[{"name":"ATHENE &amp; TU Darmstadt &amp; Fraunhofer SIT, Darmstadt, Germany"}]}],"member":"320","published-online":{"date-parts":[[2023,11,28]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Apple. 2017. Your Apps and Evolving Network Security Standards. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/developer.apple.com\/videos\/play\/wwdc2017\/701\/"},{"key":"e_1_2_1_2_1","unstructured":"Apple. 2021a. Apple Platform Security: Certificate validity checking. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/support.apple.com\/guide\/security\/tls-security-sec100a75d12\/1\/web\/1"},{"key":"e_1_2_1_3_1","unstructured":"Apple. 2021b. Log List. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/valid.apple.com\/ct\/log_list\/current_log_list.json"},{"key":"e_1_2_1_4_1","doi-asserted-by":"crossref","unstructured":"R. Barnes J. Hoffman-Andrews D. McCarney and J. Kasten. 2019. Automatic Certificate Management Environment (ACME). RFC 8555. RFC Editor.","DOI":"10.17487\/RFC8555"},{"key":"e_1_2_1_5_1","volume-title":"Proc. 27th USENIX Security Symposium (USENIX Security 18)","author":"Birge-Lee Henry","year":"2018","unstructured":"Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2018. Bamboozling Certificate Authorities with BGP. In Proc. 27th USENIX Security Symposium (USENIX Security 18) (2018), 833 -- 849."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243790"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278543"},{"key":"e_1_2_1_8_1","unstructured":"Comodo. 2011. Comodo Fraud Incident 2011-03-23. 
https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.comodo.com\/Comodo-Fraud-Incident-2011-03-23.html"},{"key":"e_1_2_1_9_1","series-title":"Lecture Notes in Computer Science","volume-title":"Verifiable Light-Weight Monitoring for Certificate Transparency Logs","author":"Dahlberg Rasmus","unstructured":"Rasmus Dahlberg and Tobias Pulls. 2018. Verifiable Light-Weight Monitoring for Certificate Transparency Logs. In Lecture Notes in Computer Science, N. Gruschka (Ed.). Vol. 11252. Springer, 171--183."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484815"},{"key":"e_1_2_1_11_1","unstructured":"Google. 2021a. The list of existing monitors. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/certificate.transparency.dev\/monitors\/"},{"key":"e_1_2_1_12_1","unstructured":"Google. 2021b. Log List. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.gstatic.com\/ct\/log_list\/v2\/log_list.json"},{"key":"e_1_2_1_13_1","doi-asserted-by":"crossref","unstructured":"P. Hallam-Baker. 2015. X.509v3 Transport Layer Security (TLS) Feature Extension. RFC 7633. RFC Editor.","DOI":"10.17487\/RFC7633"},{"key":"e_1_2_1_14_1","unstructured":"Scott Helme. 2017. Revocation is Broken. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/scotthelme.co.uk\/revocation-is-broken\/"},{"key":"e_1_2_1_15_1","volume-title":"Cybercriminals Seized Control of Brazilian Bank for 5 Hours","author":"Higgins Kelly Jackson","year":"2017","unstructured":"Kelly Jackson Higgins. 2017. Cybercriminals Seized Control of Brazilian Bank for 5 Hours. Informa PLC Dark Reading (04 2017). https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.darkreading.com\/attacks-breaches\/cybercriminals-seized-control-of-brazilian-bank-for-5-hours\/d\/d-id\/1328549"},{"key":"e_1_2_1_16_1","volume-title":"Number of worldwide internet users","author":"Johnson Joseph","year":"2021","unstructured":"Joseph Johnson. 2021. 
Number of worldwide internet users in 2021, by region. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.statista.com\/statistics\/249562\/number-of-worldwide-internet-users-by-region\/"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453100"},{"key":"e_1_2_1_18_1","unstructured":"Adam Langley. 2013a. Enhancing digital certificate security. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/security.googleblog.com\/2013\/01\/enhancing-digital-certificate-security.html"},{"key":"e_1_2_1_19_1","unstructured":"Adam Langley. 2013b. Further improving digital certificate security. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/security.googleblog.com\/2013\/12\/further-improving-digital-certificate.html"},{"key":"e_1_2_1_20_1","volume-title":"Certificate Transparency - Public, verifiable, append-only logs. ACM Queue","author":"Laurie Ben","year":"2014","unstructured":"Ben Laurie. 2014. Certificate Transparency - Public, verifiable, append-only logs. ACM Queue (2014). https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/pdos.csail.mit.edu\/6.824\/papers\/ct.pdf"},{"key":"e_1_2_1_21_1","unstructured":"Ben Laurie Adam Langley and Emilia Kasper. 2013. Certificate Transparency. RFC 6962. RFC Editor. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.rfc-editor.org\/rfc\/rfc6962.txt"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom\/BigDataSE.2019.00037"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345653"},{"key":"e_1_2_1_24_1","volume-title":"Proc. 22nd USENIX Security Symposium (08","author":"Lian Wilson","year":"2013","unstructured":"Wilson Lian, Eric Rescorla, Hovav Shacham, and Stefan Savage. 2013. Measuring the Practical Impact of DNSSEC Deployment. Proc. 22nd USENIX Security Symposium (08 2013). 
https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.usenix.org\/system\/files\/conference\/usenixsecurity13\/sec13-paper_lian.pdf"},{"key":"e_1_2_1_25_1","volume-title":"TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-Scale DNS Analysis. In 2019 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE Computer Society, 560--575","author":"Liu Baojun","year":"2019","unstructured":"Baojun Liu, Zhou Li, Peiyuan Zong, Chaoyi Lu, Haixin Duan, Ying Liu, Sumayah Alrwais, Xiaofeng Wang, Shuang Hao, Yaoqi Jia, et al. 2019. TraffickStop: Detecting and Measuring Illicit Traffic Monetization Through Large-Scale DNS Analysis. In 2019 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE Computer Society, 560--575."},{"key":"e_1_2_1_26_1","volume-title":"Dangling Domains: Security Threats, Detection and Prevalence. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/unit42.paloaltonetworks.com\/dangling-domains\/","author":"Liu Daiping","year":"2021","unstructured":"Daiping Liu and Ruian Duan. 2021. Dangling Domains: Security Threats, Detection and Prevalence. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/unit42.paloaltonetworks.com\/dangling-domains\/"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978387"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815685"},{"key":"e_1_2_1_29_1","unstructured":"Mozilla. 2021. CA\/Revocation Checking in Firefox. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/wiki.mozilla.org\/CA\/Revocation_Checking_in_Firefox"},{"key":"e_1_2_1_30_1","unstructured":"Nick Naziridis. 2019. Page Load Optimization: OCSP Stapling. 
https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.ssl.com\/article\/page-load-optimization-ocsp-stapling\/"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2896816"},{"key":"e_1_2_1_32_1","unstructured":"Aaron Russell. 2021. How Do Browsers Handle Revoked SSL\/TLS Certificates? https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.ssl.com\/blogs\/how-do-browsers-handle-revoked-ssl-tls-certificates\/"},{"key":"e_1_2_1_33_1","unstructured":"Alexey Samoshkin. 2018. SSL certificate revocation and how it is broken in practice. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/medium.com\/@alexeysamoshkin\/how-ssl-certificate-revocation-is-broken-in-practice-af3b63b9cb3"},{"key":"e_1_2_1_34_1","unstructured":"Panda Security. 2018. The MEW DNS hijack hack -- and how to protect yourself. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.pandasecurity.com\/en\/mediacenter\/news\/mew-dns-hijack-hack\/"},{"key":"e_1_2_1_35_1","unstructured":"Paul Smith. 2016. Bulletproof Hosting. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.blueangelhost.com\/blog\/bulletproof-hosting\/"},{"key":"e_1_2_1_36_1","unstructured":"Kim Zetter. 2011. DigiNotar Files for Bankruptcy in Wake of Devastating Hack. 
https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.wired.com\/2011\/09\/diginotar-bankruptcy\/"}],"container-title":["Proceedings of the ACM on Networking"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dl.acm.org\/doi\/10.1145\/3629148","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dl.acm.org\/doi\/pdf\/10.1145\/3629148","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:04:13Z","timestamp":1755907453000},"score":1,"resource":{"primary":{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/dl.acm.org\/doi\/10.1145\/3629148"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,27]]},"references-count":36,"journal-issue":{"issue":"CoNEXT3","published-print":{"date-parts":[[2023,11,27]]}},"alternative-id":["10.1145\/3629148"],"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1145\/3629148","relation":{},"ISSN":["2834-5509"],"issn-type":[{"type":"electronic","value":"2834-5509"}],"subject":[],"published":{"date-parts":[[2023,11,27]]},"assertion":[{"value":"2023-11-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}