DigitalCertiAnalytics: A tool for collection and analysis of X.509v3 digital certificates

The progressive evolution of digital communications requires ever more accurate and sophisticated protection, which is why this thesis focuses on the in-depth analysis of digital certificates, fundamental elements for ensuring the integrity and protection of information. The work is divided into two main macro sections: on the one hand, it offers a theoretical examination that describes how certificates work, illustrating the various types of certificates (EV, OV, DV), the chain structure and control mechanisms such as the Signed Certificate Timestamp (SCT) and Certificate Transparency (CT), with particular attention to the implications in terms of security and privacy. On the other hand, the original contribution of the thesis takes the form of the implementation of DigitalCertiAnalytics, a software designed ad hoc for the collection, verification and analysis of certificates, capable of operating on large-scale datasets, as demonstrated by the study carried out on 20 million domains. The software has been developed to operate on data from heterogeneous sources, such as DomCop and Google CrUX, to assess the validity, distribution and anomalies present in certificate chains, highlighting differences in the presence of SCT, performance and privacy impacts, and validation processes. Furthermore, by means of a critical comparison supported by graphs and statistical analysis, the requirements of the CA/Browser Forum and the standards defined by the RFCs are compared, with the aim of identifying possible areas of improvement in the current standards. Finally, the thesis concludes with a reflection on possible future developments of DigitalCertiAnalytics and with a brief observation of the results. The results underline the importance of accurate and transparent certificate management to ensure resilient and secure information systems, contributing significantly to the protection of digital infrastructures.