Corrado Vecchio
Certificate Validation and Domain Impersonation.
Supervisors: Antonio Lioy, Diana Gratiela Berbecaru. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2021
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

The security of the World Wide Web ecosystem depends on the ability of web browsers to detect revoked certificates. The TLS protocol ensures a secure connection between two entities, but it may not be enough if browsers accept connections with web servers hosting revoked certificates. In this work, I first analyse an X.509 certificate dataset corresponding to the Alexa Top 1M sites. I find that more than 55% of the certificates belonging to the dataset have been issued by Let's Encrypt and that 4054 end-entity certificates do not provide a way to check their revocation status. I also study the behaviour of 6 different web browsers in handling revocation information under different situations and operating systems. I surprisingly find out that browsers always apply a soft-fail approach when revocation information is not available, and that some of them check the revocation status of all the certificates appearing in the chain only in the presence of EV certificates. Finally, I test the TLS implementations of some libraries that provide a command-line utility for emulating a TLS client and establishing a TLS connection with web servers belonging to the Alexa Top 1M list. The results show that TLS implementations validate certificate chains differently and that some of them do not check the revocation status.
| Field | Value |
|---|---|
| Supervisors | Antonio Lioy, Diana Gratiela Berbecaru |
| Academic year | 2021/22 |
| Publication type | Electronic |
| Number of pages | 79 |
| Subjects | |
| Degree programme | Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering) |
| Degree class | New regulations > Master's degree > LM-32 - Computer Engineering |
| Collaborating companies | NOT SPECIFIED |
| URI | http://webthesis.biblio.polito.it/id/eprint/21174 |