An Evaluation of X.509 Certificate Revocation and Related Privacy Issues in the Web PKI Ecosystem
2023; Institute of Electrical and Electronics Engineers; Volume: 11; Language: English
DOI: 10.1109/access.2023.3299357
ISSN: 2169-3536
Authors: Diana Berbecaru, Antonio Lioy
Topic(s): Access Control and Trust
Abstract: Supporting users to transact with websites securely in a privacy-preserving manner has become more challenging than ever in the Web PKI. One key element in establishing TLS (Transport Layer Security) communication channels is the X.509 certificate, typically used for authenticating the parties, which must be correctly validated upon use. This paper discusses first the X.509 certificate format and actors influencing the definition, management, and processing of certificates in commonly used applications. Subsequently, for the certificate validation part, we concentrate on certificate revocation status checking and related privacy aspects. Through experiments, we show that certificate revocation (status) checking is still incorrectly or incompletely performed in some common web browsers, mainly for the non Extended Validation (non-EV) certificates, even though the certificates contain extensions for this scope, and the web browsers implement (partly) this process. To this aim, we analyze the certificates in the Alexa Top 1 Million (Top1M) list containing the most widely accessed websites in August 2021. Then, we assess common browsers' behavior during revocation checking of EV and non-EV X.509 certificates. For non-EV certificates, the soft-fail approach was typically encountered, meaning the web browsers established TLS connections with the testbed web server when the revocation data was not available. For the EV certificates, the browsers implemented stricter controls. We discuss privacy issues related to certificate status checking, outlining that the so-called OCSP stapling mechanism may respond better to client latency and user privacy concerns. Finally, we analyze the adoption of the OCSP stapling mechanism and the support for Google's Certificate Transparency project in the Majestic Top1M list of website certificates in 2022.
This work bridges the gap between X.509 standards/guidelines and real-world applications' behavior in applying recommendations while handling certificates.