Abstract
With the widespread use of SSL/TLS, more and more web applications, such as online banking, e-mail, and e-commerce, turn to secured channels for communication, which rely on X.509 certificates for authentication. Generally, every certificate is issued with a theoretical validity period. However, the period during which a certificate is actually used in practice often differs from this theoretical validity: the certificate may be used before its validity begins or after it ends, for a long or a short time. An expired certificate can easily be exploited by cyber-attackers, putting web users' personal information at risk. To explore the security flaws of SSL/TLS certificates, we conduct a large-scale measurement study of the X.509 certificate life cycle from the viewpoint of leaf certificates. Based on a passive data set collected over one year, we investigate the certificate validity period in a fine-grained manner, and find that the actual usage of certificates is not satisfactory. Meanwhile, we discover several security-related issues that may leave web communication at risk. We summarize recommendations to ensure the long-term security of certificate use in practice. We believe that this work will benefit web security and improve certificate utilization in the future.
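As an added illustration of the measurement described above (not code from the paper), the following compares a leaf certificate's theoretical validity window against the period in which it was actually observed in use. It parses the `notBefore`/`notAfter` fields in the ASN.1 UTCTime and GeneralizedTime encodings X.509 uses, labels each observed handshake timestamp as pre-validity, valid, or expired, and reports how the used period deviates from the theoretical one. The certificate dates and observation timestamps are constructed sample values, not data from the paper's data set.

```python
from datetime import datetime, timezone


def parse_x509_time(s: str) -> datetime:
    """Parse an X.509 Validity time (RFC 5280): UTCTime 'YYMMDDHHMMSSZ' or
    GeneralizedTime 'YYYYMMDDHHMMSSZ'. UTCTime years 00-49 map to 20xx, 50-99 to 19xx."""
    if not s.endswith("Z"):
        raise ValueError("X.509 times must be in UTC (trailing 'Z')")
    if len(s) == 13:            # UTCTime
        yy = int(s[:2])
        year = 2000 + yy if yy < 50 else 1900 + yy
        body = s[2:12]
    elif len(s) == 15:          # GeneralizedTime
        year = int(s[:4])
        body = s[4:14]
    else:
        raise ValueError(f"unrecognised time encoding: {s!r}")
    month, day, hour, minute, sec = (int(body[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, sec, tzinfo=timezone.utc)


def classify_observation(seen: datetime, not_before: datetime, not_after: datetime) -> str:
    """Label one observed use of the certificate relative to its validity window."""
    if seen < not_before:
        return "pre-validity"   # used before the issuer said it was valid
    if seen > not_after:
        return "expired"        # still in use after expiry: the risky case
    return "valid"


def lifecycle_report(not_before: str, not_after: str, seen_times: list[str]) -> dict:
    """Compare the theoretical validity period with the used period from passive observations."""
    nb, na = parse_x509_time(not_before), parse_x509_time(not_after)
    seen = sorted(parse_x509_time(t) for t in seen_times)
    counts = {"pre-validity": 0, "valid": 0, "expired": 0}
    for t in seen:
        counts[classify_observation(t, nb, na)] += 1
    return {
        "theoretical_days": (na - nb).days,
        "used_days": (seen[-1] - seen[0]).days,
        "first_seen_offset_days": (seen[0] - nb).days,   # negative: seen before validity began
        "last_seen_offset_days": (seen[-1] - na).days,   # positive: still seen after expiry
        "counts": counts,
    }


# Constructed sample: a one-year certificate observed both before and after its window.
SAMPLE_NOT_BEFORE = "230101000000Z"     # UTCTime: 2023-01-01 00:00:00Z
SAMPLE_NOT_AFTER = "20240101000000Z"    # GeneralizedTime: 2024-01-01 00:00:00Z
SAMPLE_SEEN = ["221230000000Z", "230301000000Z", "231201000000Z", "240215000000Z"]


def sample_report() -> dict:
    return lifecycle_report(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_SEEN)


if __name__ == "__main__":
    print(sample_report())
```

A positive `last_seen_offset_days` with a non-zero `expired` count is the signal a monitoring pipeline would alert on, since it means clients were still completing handshakes with a certificate past its `notAfter`.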