How to Measure TLS, X.509 Certificates, and Web PKI: A Tutorial and Brief Survey

Pouyan Fotouhi Tehrani,Eric Osterweil,Thomas C. Schmidt,Matthias Wählisch
2024-02-01
Abstract:Transport Layer Security (TLS) is the base for many Internet applications and services to achieve end-to-end security. In this paper, we provide guidance on how to measure TLS deployments, including X.509 certificates and Web PKI. We introduce common data sources and tools, and systematically describe necessary steps to conduct sound measurements and data analysis. By surveying prior TLS measurement studies we find that diverging results are rather rooted in different setups instead of different deployments. To improve the situation, we identify common pitfalls and introduce a framework to describe TLS and Web PKI measurements. Where necessary, our insights are bolstered by a data-driven approach, in which we complement arguments by additional measurements.
Networking and Internet Architecture,Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is about how to measure Transport Layer Security (TLS), X.509 certificates and Web Public Key Infrastructure (Web PKI). Specifically, the paper aims to provide guidance to help researchers understand how to measure TLS deployments, including the measurement methods of X.509 certificates and Web PKI. The paper emphasizes the challenges and common pitfalls in the measurement process and proposes a framework to systematically describe and compare the measurement results of TLS and Web PKI. ### Main problems and objectives 1. **Provide measurement guidelines**: The paper provides a methodology for measuring TLS deployments, including the selection of data sources, the use of tools, and the specific steps for measurement preparation and execution. 2. **Identify common problems**: By reviewing previous research, the paper points out that differences in measurement results often stem from different measurement settings rather than differences in actual deployments. 3. **Propose a framework**: In order to improve the consistency and reliability of measurement, the paper proposes a framework for describing and standardizing the measurement process of TLS and Web PKI. 4. **Data - driven approach**: The paper adopts a data - driven approach, using its own measurement data to support its arguments and ensuring that the proposed insights have an empirical basis. 5. **Summarize common pitfalls**: The paper summarizes common mistakes in interpreting measurement data, helping future research avoid these pitfalls. ### Background and importance TLS is the basis for many Internet applications and services to achieve end - to - end security. Understanding the current situation of different TLS deployments is crucial for evaluating the security of Internet communications. However, due to the application - specific implementation of TLS, its inherent flexibility and different measurement settings, measuring TLS and Web PKI faces many challenges. By providing systematic guidance and a framework, the paper aims to improve the accuracy and comparability of measurement, thereby promoting in - depth understanding of the TLS ecosystem.