Bruhner, Carl Magnus, ORCID iD: orcid.org/0009-0005-9031-6600
Publications (5 of 5)
Döberl, M., Freiherr von Wangenheim, Y., Bruhner, C. M., Hasselquist, D., Arlitt, M. & Carlsson, N. (2024). Chain-Sawing: A Longitudinal Analysis of Certificate Chains. In: Proc. IFIP Networking 2024. Paper presented at 23rd International Federation for Information Processing (IFIP) Networking Conference (IFIP Networking), Thessaloniki, Greece, June 03-06, 2024 (pp. 122-130). IEEE
Chain-Sawing: A Longitudinal Analysis of Certificate Chains
2024 (English). In: Proc. IFIP Networking 2024, IEEE, 2024, pp. 122-130. Conference paper, published paper (peer reviewed)
Abstract [en]

The security and integrity of TLS certificates are essential for ensuring secure transmission over the Internet and protecting millions of people from man-in-the-middle attacks. Certificate Authorities (CAs) play a crucial role in issuing and managing these certificates. This paper presents a longitudinal analysis of certificate chains for popular domains, examining their evolution over time and across different categories. Using publicly available certificate data, primarily from crt.sh, we created a longitudinal dataset of certificate chains for domains from the Tranco top-1M list. After categorizing the certificates based on their type and service category, we analyze a selected set of domains over time and identify the patterns and trends that emerge in their certificate chains. Our analysis reveals several noteworthy trends, including a trend towards shorter certificate chains and fewer paths from domains to root certificates. This implies that the certificate process is becoming more simplified and streamlined. Combined with our observations that there is an increasing use of new CAs and a shift in the types of certificates used, we expect part of this to be an effect of individual choices made by some popular CAs (e.g., less cross-signing). In general, the observed trends, patterns, and findings capture tradeoffs in overhead, backward compatibility, and security. The quick shifts in some of the observed metrics (e.g., chain lengths) therefore also highlight the importance of continued monitoring and analysis of certificate chains.

Place, publisher, year, edition, pages
IEEE, 2024
Series
IFIP Networking Conference, E-ISSN 1861-2288
HSV category
Identifiers
urn:nbn:se:liu:diva-208860 (URN)
10.23919/IFIPNetworking62109.2024.10619717 (DOI)
001303907400018 (ISI)
2-s2.0-85202431612 (Scopus ID)
9783903176638 (ISBN)
9798350390605 (ISBN)
Conference
23rd International Federation for Information Processing (IFIP) Networking Conference (IFIP Networking), Thessaloniki, Greece, June 03-06, 2024
Research funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Available from: 2024-10-27 Created: 2024-10-27 Last updated: 2025-09-01
Bruhner, C. M., Linnarsson, O., Nemec, M., Arlitt, M. & Carlsson, N. (2024). Monogamous relationships with short-term commitment are the best (for certificate management). Paper presented at Network and Distributed System Security (NDSS) Symposium 2024.
Monogamous relationships with short-term commitment are the best (for certificate management)
2024 (English). Conference paper, poster (with or without abstract) (peer reviewed)
HSV category
Identifiers
urn:nbn:se:liu:diva-201895 (URN)
Conference
Network and Distributed System Security (NDSS) Symposium 2024
Research funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Note

Based on the paper "Changing of the Guards: Certificate and Public Key Management on the Internet", Proc. Passive and Active Measurement (PAM) Conference 2022, DOI: 10.1007/978-3-030-98785-5_3

This work was partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation.

Available from: 2024-03-25 Created: 2024-03-25 Last updated: 2025-01-23
Cerenius, D., Kaller, M., Bruhner, C. M., Arlitt, M. & Carlsson, N. (2024). Trust Issue(r)s: Certificate Revocation and Replacement Practices in the Wild. In: Philipp Richter, Vaibhav Bajpai, Esteban Carisimo (Eds.), Passive and Active Measurement: 25th International Conference, PAM 2024, Virtual Event, March 11–13, 2024, Proceedings, Part II. Paper presented at 25th International Conference on Passive and Active Network Measurement (PAM), Virtual Event, March 11–13, 2024 (pp. 293-321). Cham, Switzerland: Springer Nature, 14538
Trust Issue(r)s: Certificate Revocation and Replacement Practices in the Wild
2024 (English). In: Passive and Active Measurement: 25th International Conference, PAM 2024, Virtual Event, March 11–13, 2024, Proceedings, Part II / [ed] Philipp Richter, Vaibhav Bajpai, Esteban Carisimo, Cham, Switzerland: Springer Nature, 2024, Vol. 14538, pp. 293-321. Conference paper, published paper (peer reviewed)
Abstract [en]

Every time we use the web, we place our trust in X.509 certificates binding public keys to domain identities. However, for these certificates to be trustworthy, proper issuance, management, and timely revocations (in cases of compromise or misuse) are required. While great efforts have been placed on ensuring trustworthiness in the issuance of new certificates, there has been a scarcity of empirical studies on revocation management. This study offers the first comprehensive analysis of certificate replacements (CRs) of revoked certificates. It provides a head-to-head comparison of the CRs where the replaced certificate was revoked versus not revoked. Leveraging two existing datasets with overlapping timelines, we create a combined dataset containing 1.5 million CRs that we use to unveil valuable insights into the effect of revocations on certificate management. Two key questions guide our research: (1) the influence of revocations on certificate replacement behavior and (2) the effectiveness of revocations in fulfilling their intended purpose. Our statistical analysis reveals significant variations in revocation rates, retention rates, and post-revocation usage, shedding light on differences in Certificate Authorities' (CAs) practices and subscribers' decisions. Notably, a substantial percentage of revoked certificates were either observed or estimated to be used after revocation, raising concerns about key-compromise instances. Finally, our findings highlight shortcomings in existing revocation protocols and practices, emphasizing the need for improvements. We discuss ongoing efforts and potential solutions to address these issues, offering valuable guidance for enhancing the security and integrity of web communications.

Place, publisher, year, edition, pages
Cham, Switzerland: Springer Nature, 2024
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 14538
HSV category
Identifiers
urn:nbn:se:liu:diva-201892 (URN)
10.1007/978-3-031-56252-5_14 (DOI)
001209301100014 (ISI)
9783031562518 (ISBN)
9783031562525 (ISBN)
Conference
25th International Conference on Passive and Active Network Measurement (PAM), Virtual Event, March 11–13, 2024
Research funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Note

This work was partially supported by the Wallenberg AI, Autonomous Systems and Software Program (WASP) funded by the Knut and Alice Wallenberg Foundation.

Available from: 2024-03-25 Created: 2024-03-25 Last updated: 2024-05-31
Bruhner, C. M., Hasselquist, D. & Carlsson, N. (2023). Bridging the Privacy Gap: Enhanced User Consent Mechanisms on the Web. In: Proc. NDSS Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb @NDSS). Paper presented at Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2023, San Diego, CA, USA, 3 March, 2023.
Bridging the Privacy Gap: Enhanced User Consent Mechanisms on the Web
2023 (English). In: Proc. NDSS Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb @NDSS), 2023. Conference paper, published paper (peer reviewed)
Abstract [en]

In the age of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), privacy and consent control have become even more apparent for everyday web users. Privacy banners in all shapes and sizes ask for permission through more or less challenging designs and make privacy control more of a struggle than they help users' privacy. In this paper, we present a novel solution expanding the Advanced Data Protection Control (ADPC) mechanism to bridge current gaps in user data and privacy control. Our solution moves the consent control to the browser interface to give users a seamless and hassle-free experience, while at the same time offering content providers a way to be legally compliant with legislation. Through an extensive review, we evaluate previous works and identify current gaps in user data control. We then present a blueprint for future implementation and suggest features to support privacy control online for users globally. Given browser support, the solution provides a tangible path to effectively achieve legally compliant privacy and consent control in a user-oriented manner that could allow them to again browse the web seamlessly.

HSV category
Identifiers
urn:nbn:se:liu:diva-199090 (URN)
10.14722/madweb.2023.23017 (DOI)
1891562878 (ISBN)
Conference
Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2023, San Diego, CA, USA, 3 March, 2023
Note

Best paper runner-up award

Available from: 2023-11-11 Created: 2023-11-11 Last updated: 2023-11-16, bibliographically checked
Bruhner, C. M., Linnarsson, O., Nemec, M., Arlitt, M. & Carlsson, N. (2022). Changing of the Guards: Certificate and Public Key Management on the Internet. In: Hohlfeld, O., Moura, G., Pelsser, C. (Eds.), Passive and Active Measurement (PAM 2022). Paper presented at 23rd Annual International Passive and Active Measurement (PAM) Conference, SIDN, electronic network, March 28-30, 2022 (pp. 50-80), 13210
Changing of the Guards: Certificate and Public Key Management on the Internet
2022 (English). In: Passive and Active Measurement (PAM 2022) / [ed] Hohlfeld, O., Moura, G., Pelsser, C., 2022, Vol. 13210, pp. 50-80. Conference paper, published paper (peer reviewed)
Abstract [en]

Certificates are the foundation of secure communication over the internet. However, not all certificates are created and managed in a consistent manner and the certificate authorities (CAs) issuing certificates achieve different levels of trust. Furthermore, user trust in public keys, certificates, and CAs can quickly change. Combined with the expectation of 24/7 encrypted access to websites, this quickly evolving landscape has made careful certificate management both an important and challenging problem. In this paper, we first present a novel server-side characterization of the certificate replacement (CR) relationships in the wild, including the reuse of public keys. Our data-driven CR analysis captures management biases, highlights a lack of industry standards for replacement policies, and features successful example cases and trends. Based on the characterization results we then propose an efficient solution to an important revocation problem that currently leaves web users vulnerable long after a certificate has been revoked.

Series
Lecture Notes in Computer Science, ISSN 0302-9743
HSV category
Identifiers
urn:nbn:se:liu:diva-184851 (URN)
10.1007/978-3-030-98785-5_3 (DOI)
000787796800003 (ISI)
9783030987855 (ISBN)
9783030987848 (ISBN)
Conference
23rd Annual International Passive and Active Measurement (PAM) Conference, SIDN, electronic network, March 28-30, 2022
Research funder
Wallenberg AI, Autonomous Systems and Software Program (WASP)
Swedish Research Council
Note

Funding agencies: Swedish Research Council (VR); Wallenberg AI, Autonomous Systems and Software Program (WASP) - Knut and Alice Wallenberg Foundation

Available from: 2022-05-13 Created: 2022-05-13 Last updated: 2024-01-22
Organisations
Identifiers
ORCID iD: orcid.org/0009-0005-9031-6600