{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T15:23:50Z","timestamp":1759332230157,"version":"3.41.0"},"reference-count":22,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2018,2,21]],"date-time":"2018-02-21T00:00:00Z","timestamp":1519171200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF","doi-asserted-by":"publisher","award":["CNS-1054233, CNS- 1319019, CNS-1150177"],"award-info":[{"award-number":["CNS-1054233, CNS- 1319019, CNS-1150177"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2018,2,21]]},"abstract":"<jats:p>A properly managed public key infrastructure (PKI) is critical to ensure secure communication on the Internet. Surprisingly, some of the most important administrative steps---in particular, reissuing new X.509 certificates and revoking old ones---are manual and remained unstudied, largely because it is difficult to measure these manual processes at scale.<\/jats:p>\n          <jats:p>We use Heartbleed, a widespread OpenSSL vulnerability from 2014, as a natural experiment to determine whether administrators are properly managing their certificates. All domains affected by Heartbleed should have patched their software, revoked their old (possibly compromised) certificates, and reissued new ones, all as quickly as possible. We find the reality to be far from the ideal: over 73% of vulnerable certificates were not reissued and over 87% were not revoked three weeks after Heartbleed was disclosed. Our results also show a drastic decline in revocations on the weekends, even immediately following the Heartbleed announcement. These results are an important step in understanding the manual processes on which users rely for secure, authenticated communication.<\/jats:p>","DOI":"10.1145\/3176244","type":"journal-article","created":{"date-parts":[[2018,2,21]],"date-time":"2018-02-21T16:11:27Z","timestamp":1519229487000},"page":"109-116","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Analysis of SSL certificate reissues and revocations in the wake of heartbleed"],"prefix":"10.1145","volume":"61","author":[{"given":"Liang","family":"Zhang","sequence":"first","affiliation":[{"name":"Northeastern University, Boston, MA"}]},{"given":"David","family":"Choffnes","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA"}]},{"given":"Tudor","family":"Dumitra\u015f","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park, MD"}]},{"given":"Dave","family":"Levin","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park, MD"}]},{"given":"Alan","family":"Mislove","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA"}]},{"given":"Aaron","family":"Schulman","sequence":"additional","affiliation":[{"name":"Stanford University, Stanford, CA"}]},{"given":"Christo","family":"Wilson","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA"}]}],"member":"320","published-online":{"date-parts":[[2018,2,21]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Alexa Top 1 Million Domains. http:\/\/s3.amazonaws.com\/alexa-static\/top-1m.csv.zip.  Alexa Top 1 Million Domains. http:\/\/s3.amazonaws.com\/alexa-static\/top-1m.csv.zip."},{"key":"e_1_2_1_2_1","unstructured":"Botan SSL Library. http:\/\/botan.randombit.net.  Botan SSL Library. http:\/\/botan.randombit.net."},{"key":"e_1_2_1_3_1","unstructured":"CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information. http:\/\/www.kb.cert.org\/vuls\/id\/720951.  CERT Vulnerability Note VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information. http:\/\/www.kb.cert.org\/vuls\/id\/720951."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987454"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2504730.2504755"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_2_1_7_1","volume-title":"Jan.","author":"Eastlake D III","year":"2011","unstructured":"Eastlake , D III . Transport Layer Security (TLS) Extensions: Extension Definitions , Jan. 2011 . IETF RFC- 6066. Eastlake, D III. Transport Layer Security (TLS) Extensions: Extension Definitions, Jan. 2011. IETF RFC-6066."},{"key":"e_1_2_1_8_1","volume-title":"Heartbleed disclosure timeline: who knew what and when","author":"Grubb B.","year":"2014","unstructured":"Grubb , B. Heartbleed disclosure timeline: who knew what and when , 2014 . http:\/\/www.smh.com.au\/it-pro\/security-it\/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html. Grubb, B. Heartbleed disclosure timeline: who knew what and when, 2014. http:\/\/www.smh.com.au\/it-pro\/security-it\/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068856"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.13"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815685"},{"key":"e_1_2_1_12_1","unstructured":"Mac OS X 10.9.2 Root Certificates. http:\/\/support.apple.com\/kb\/HT6005.  Mac OS X 10.9.2 Root Certificates. http:\/\/support.apple.com\/kb\/HT6005."},{"key":"e_1_2_1_13_1","volume-title":"Half a million widely trusted websites vulnerable to heartbleed bug","author":"Mutton P.","year":"2014","unstructured":"Mutton , P. Half a million widely trusted websites vulnerable to heartbleed bug , 2014 . http:\/\/news.netcraft.com\/archives\/2014\/04\/08\/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html. Mutton, P. Half a million widely trusted websites vulnerable to heartbleed bug, 2014. http:\/\/news.netcraft.com\/archives\/2014\/04\/08\/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.48"},{"key":"e_1_2_1_15_1","unstructured":"OpenSSL Project. https:\/\/www.openssl.org.  OpenSSL Project. https:\/\/www.openssl.org."},{"key":"e_1_2_1_16_1","unstructured":"Rapid7 SSL Certificate Scans. https:\/\/scans.io\/study\/sonar.ssl.  Rapid7 SSL Certificate Scans. https:\/\/scans.io\/study\/sonar.ssl."},{"key":"e_1_2_1_17_1","volume-title":"Feb.","author":"Seggelmann R.","year":"2012","unstructured":"Seggelmann , R. , Tuexen , M. , Williams , M. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension , Feb. 2012 . IETF RFC- 6520. Seggelmann, R., Tuexen, M., Williams, M. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension, Feb. 2012. IETF RFC-6520."},{"key":"e_1_2_1_18_1","volume-title":"The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued","author":"Sullivan N.","year":"2014","unstructured":"Sullivan , N. The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued , 2014 . http:\/\/blog.cloudflare.com\/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued. Sullivan, N. The Heartbleed Aftermath: all CloudFlare certificates revoked and reissued, 2014. http:\/\/blog.cloudflare.com\/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued."},{"key":"e_1_2_1_19_1","volume-title":"The Results of the CloudFlare Challenge","author":"Sullivan N.","year":"2014","unstructured":"Sullivan , N. The Results of the CloudFlare Challenge , 2014 . http:\/\/blog.cloudflare.com\/the-results-of-the-cloudflare-challenge. Sullivan, N. The Results of the CloudFlare Challenge, 2014. http:\/\/blog.cloudflare.com\/the-results-of-the-cloudflare-challenge."},{"key":"e_1_2_1_20_1","unstructured":"The GnuTLS Transport Layer Security Library. http:\/\/www.gnutls.org.  The GnuTLS Transport Layer Security Library. http:\/\/www.gnutls.org."},{"key":"e_1_2_1_21_1","volume-title":"Web 2.0 Security & Privacy (W2SP)","author":"Topalovic E.","year":"2012","unstructured":"Topalovic , E. , Saeta , B. , Huang , L.-S. , Jackson , C. , Boneh , D. Toward shortlived certificates . In Web 2.0 Security & Privacy (W2SP) ( 2012 ). Topalovic, E., Saeta, B., Huang, L.-S., Jackson, C., Boneh, D. Toward shortlived certificates. In Web 2.0 Security & Privacy (W2SP) (2012)."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644896"}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3176244","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3176244","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3176244","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T19:04:50Z","timestamp":1750273490000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3176244"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,2,21]]},"references-count":22,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2018,2,21]]}},"alternative-id":["10.1145\/3176244"],"URL":"https:\/\/doi.org\/10.1145\/3176244","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"type":"print","value":"0001-0782"},{"type":"electronic","value":"1557-7317"}],"subject":[],"published":{"date-parts":[[2018,2,21]]},"assertion":[{"value":"2018-02-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}