How to Measure TLS, X.509 Certificates, and Web PKI: A Tutorial and Brief Survey

Pouyan Fotouhi Tehrani, Eric Osterweil, Thomas C. Schmidt, Matthias Wählisch

TL;DR

This paper presents a structured approach to measuring TLS deployments, X.509 certificates, and Web PKI by surveying prior work, proposing a cohesive measurement framework, and validating it with three independent datasets. It emphasizes a taxonomy of measurement aspects (TLS and Web PKI), longitudinal versus snapshot frequency, and passive versus active data collection, while detailing data sources, tooling, and best practices. The authors highlight common causes of divergence in measurement results, such as differing setups and data sources, and provide guidance to minimize such inconsistencies, including temporal integrity, reproducibility, and robust data interpretation. The practical impact is a set of concrete recommendations and a reproducible workflow for researchers and operators to assess TLS/Web PKI deployments, CA practices, DNS interactions, and user-facing security properties.

Abstract

Transport Layer Security (TLS) is the basis on which many Internet applications and services achieve end-to-end security. In this paper, we provide guidance on how to measure TLS deployments, including X.509 certificates and Web PKI. We introduce common data sources and tools, and systematically describe the steps necessary to conduct sound measurements and data analysis. By surveying prior TLS measurement studies we find that diverging results are rooted in different measurement setups rather than in different deployments. To improve the situation, we identify common pitfalls and introduce a framework to describe TLS and Web PKI measurements. Where necessary, our insights are bolstered by a data-driven approach, in which we complement arguments with additional measurements.

Paper Structure (92 sections, 11 figures, 6 tables)

Figures (11)

  • Figure 1: Stages of TLS and Web PKI measurement alongside selected aspects as discussed in this paper
  • Figure 2: An overview of involved parties and components in TLS and Web PKI ecosystems
  • Figure 3: TLS Components: Handshake, Alert, and Record Protocols
  • Figure 4: Technical and political aspects shaping X.509 Certificates in Web PKI
  • Figure 5: A taxonomy for TLS and Web PKI measurement with selected examples (in gray)
  • ...and 6 more figures