{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T17:35:42Z","timestamp":1770226542997,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":69,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484768","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"1373-1387","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem"],"prefix":"10.1145","author":[{"given":"Yiming","family":"Zhang","sequence":"first","affiliation":[{"name":"Tsinghua University & Beijing National Research Center for Information Science and Technology, Beijing, China"}]},{"given":"Baojun","family":"Liu","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}]},{"given":"Chaoyi","family":"Lu","sequence":"additional","affiliation":[{"name":"Tsinghua University & 360Netlab, Beijing, China"}]},{"given":"Zhou","family":"Li","sequence":"additional","affiliation":[{"name":"University of California, Irvine, Irvine, CA, USA"}]},{"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University & QI-ANXIN Technology Research Institute, Beijing, China"}]},{"given":"Jiachen","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}]},{"given":"Zaifeng","family":"Zhang","sequence":"additional","affiliation":[{"name":"360Netlab, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2014. Revoke China Certs. https:\/\/github.com\/masquey\/RevokeChinaCerts."},{"key":"e_1_3_2_1_2_1","unstructured":"2019. List of Participants - Microsoft Trusted Root Program. https:\/\/docs.microsoft.com\/en-us\/security\/trusted-root\/participants-list."},{"key":"e_1_3_2_1_3_1","unstructured":"2021. Release notes - Microsoft Trusted Root Certificate Program. https:\/\/docs.microsoft.com\/en-us\/security\/trusted-root\/release-notes."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134007"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2488388.2488395"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2523649.2523665"},{"key":"e_1_3_2_1_7_1","unstructured":"Bernhard Amann Matthias Vallentin Seth Hall and Robin Sommer. 2012. Extracting certificates from live traffic: A near real-time SSL notary service. Technical Report. Citeseer."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"crossref","unstructured":"Elaine B Barker and Quynh H Dang. 2015. Recommendation for Key Management Part 3: Application-Specific Key Management Guidance. (2015).","DOI":"10.6028\/NIST.SP.800-57pt1r4"},{"key":"e_1_3_2_1_9_1","unstructured":"Doug Beattie. 2018. What Are Subordinate CAs and Why Would You Want Your Own? https:\/\/www.globalsign.com\/en\/blog\/what-is-an-intermediate-or-subordinate-certificate-authority."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978301"},{"key":"e_1_3_2_1_11_1","unstructured":"Certum. [n. d.]. Root certificates. https:\/\/www.certum.eu\/en\/cert_expertise_root_certificates\/."},{"key":"e_1_3_2_1_12_1","unstructured":"Chromium. [n. d.]. Certificate Transparency. https:\/\/chromium.googlesource.com\/chromium\/src\/+\/master\/net\/docs\/certificate-transparency.md#Certificate-Transparency-For-Enterprises."},{"key":"e_1_3_2_1_13_1","unstructured":"Chromium. [n. d.]. The Chromium Projects. https:\/\/www.chromium.org\/."},{"key":"e_1_3_2_1_14_1","unstructured":"Chromium. 2020. The Chromium root program. https:\/\/www.chromium.org\/Home\/chromium-security\/root-ca-policy."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987455"},{"key":"e_1_3_2_1_16_1","unstructured":"Catalin Cimpanu. 2020. Chrome will soon have its own dedicated certificate root store. https:\/\/www.zdnet.com\/article\/chrome-will-soon-have-its-own-dedicated-certif icate-root-store\/."},{"key":"e_1_3_2_1_17_1","volume-title":"Weekly Threat Intelligence Report -","year":"2018","unstructured":"Cisco. 2018. Weekly Threat Intelligence Report - 2018.04.13. https:\/\/www.cisco.com\/c\/dam\/global\/zh_cn\/products\/security\/talos\/Threat_Roundup-for-April.pdf."},{"key":"e_1_3_2_1_18_1","unstructured":"Alibaba Cloud. [n. d.]. Alibaba Cloud. https:\/\/www.alibabacloud.com\/."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC5280"},{"key":"e_1_3_2_1_20_1","unstructured":"Mikhail Davidov and Darren Kemp. 2015. DUDE YOU GOT DELL'D: PUBLISHING YOUR PRIVATES. https:\/\/duo.com\/decipher\/dude-you-got-dell-d-publishing-your-privates."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23374"},{"key":"e_1_3_2_1_22_1","volume-title":"A survey and analysis of TLS interception mechanisms and motivations. arXiv preprint arXiv:2010.16388","author":"Carn\u00e9 de Carnavalet Xavier","year":"2020","unstructured":"Xavier de Carn\u00e9 de Carnavalet and Paul C van Oorschot. 2020. A survey and analysis of TLS interception mechanisms and motivations. arXiv preprint arXiv:2010.16388 (2020)."},{"key":"e_1_3_2_1_23_1","volume-title":"Last-Mile TLS Interception: Analysis and Observation of the Non-Public HTTPS Ecosystem. Ph. D. Dissertation","author":"Carn\u00e9 de Carnavalet Xavier","unstructured":"Xavier de Carn\u00e9 de Carnavalet. 2019. Last-Mile TLS Interception: Analysis and Observation of the Non-Public HTTPS Ecosystem. Ph. D. Dissertation. Concordia University."},{"key":"e_1_3_2_1_24_1","unstructured":"Zheng Dong Kevin Kane Siyu Chen and L Jean Camp. 2016. The New Wildcats: High-Risk Banking From Worst-Case Certificate Practices Online. https:\/\/www.researchgate.net\/profile\/L-Camp\/publication\/317722542_The_New_Wildcats_High-Risk_Banking_From_Worst-Case_Certificate_Practices_Online\/links\/59ee56060f7e9b3695759f90\/The-New-Wildcats-High-Risk-Banking-From-Worst-Case-Certificate-Practices-Online.pdf ."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813703"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2504730.2504755"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"Zakir Durumeric Zane Ma Drew Springall Richard Barnes Nick Sullivan Elie Bursztein Michael Bailey J Alex Halderman and Vern Paxson. 2017. The Security Impact of HTTPS Interception.. In NDSS.","DOI":"10.14722\/ndss.2017.23456"},{"key":"e_1_3_2_1_29_1","unstructured":"Let's Encrypt. 2021. Chain of Trust - Let's Encrypt. https:\/\/letsencrypt.org\/images\/isrg-hierarchy.png."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7469"},{"key":"e_1_3_2_1_31_1","volume-title":"26th USENIX Security Symposium (USENIX Security 17)","author":"Felt Adrienne Porter","year":"2017","unstructured":"Adrienne Porter Felt, Richard Barnes, April King, Chris Palmer, Chris Bentzel, and Parisa Tabriz. 2017. Measuring HTTPS adoption on the web. In 26th USENIX Security Symposium (USENIX Security 17). 1323--1338."},{"key":"e_1_3_2_1_32_1","unstructured":"Dennis Fisher. [n. d.]. Google Mozilla Drop Trust in Chinese Certificate Authority CNNIC. https:\/\/threatpost.com\/google-drops-trust-in-chinese-certif icate-authority-cnnic\/111974\/."},{"key":"e_1_3_2_1_33_1","unstructured":"CA\/Browser Forum. [n. d.]. Baseline Requirements Documents (SSL\/TLS Server Certificates). https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/."},{"key":"e_1_3_2_1_34_1","unstructured":"Aaron Gable. 2020. Let's Encrypt's New Root and Intermediate Certificates. https:\/\/letsencrypt.org\/2020\/09\/17\/new-root-and-intermediates.html."},{"key":"e_1_3_2_1_35_1","unstructured":"Google. [n. d.]. Certificate Transparency. https:\/\/certif icate.transparency.dev."},{"key":"e_1_3_2_1_36_1","volume-title":"A directed acyclic graph approach to online log parsing. arXiv preprint arXiv:1806.04356","author":"He Pinjia","year":"2018","unstructured":"Pinjia He, Jieming Zhu, Pengcheng Xu, Zibin Zheng, and Michael R Lyu. 2018. A directed acyclic graph approach to online log parsing. arXiv preprint arXiv:1806.04356 (2018)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICWS.2017.13"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068856"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.13"},{"key":"e_1_3_2_1_40_1","unstructured":"Apple Inc. 2018. Lists of available trusted root certificates in macOS. https:\/\/support.apple.com\/en-us\/HT202858."},{"key":"e_1_3_2_1_41_1","unstructured":"Alexa Internet Inc. 2020. Alexa Top Sites. https:\/\/www.alexa.com\/topsites."},{"key":"e_1_3_2_1_42_1","unstructured":"Venustech Group Inc. 2020. VenusTech VPN. https:\/\/www.venustech.com.cn\/."},{"key":"e_1_3_2_1_43_1","volume-title":"Characterizing the Root Landscape of Certificate Transparency Logs. In 2020 IFIP Networking Conference (Networking). IEEE, 190--198","author":"Korzhitskii Nikita","year":"2020","unstructured":"Nikita Korzhitskii and Niklas Carlsson. 2020. Characterizing the Root Landscape of Certificate Transparency Logs. In 2020 IFIP Networking Conference (Networking). IEEE, 190--198."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00015"},{"key":"e_1_3_2_1_45_1","volume-title":"Financial Reports of 360 for","author":"Qihoo 360 Technology Co. Ltd. 2019.","year":"2019","unstructured":"Qihoo 360 Technology Co. Ltd. 2019. Financial Reports of 360 for 2019. https:\/\/news.qudong.com\/article\/590463.shtml."},{"key":"e_1_3_2_1_46_1","unstructured":"Qihoo 360 Technology Co. Ltd. 2020. 360 Secure Browser. https:\/\/browser.360.cn\/."},{"key":"e_1_3_2_1_47_1","unstructured":"Qihoo 360 Technology Co. Ltd. 2020. Root CA Program of 360 Browser. https:\/\/caprogram.360.cn\/#plan."},{"key":"e_1_3_2_1_48_1","volume-title":"Exploring CA Certificate Control. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Ma Zane","year":"2021","unstructured":"Zane Ma, Joshua Mason, Manos Antonakakis, Zakir Durumeric, and Michael Bailey. 2021. What's in a Name? Exploring CA Certificate Control. In 30th USENIX Security Symposium (USENIX Security 21)."},{"key":"e_1_3_2_1_49_1","unstructured":"Zane Ma Joshua Mason Manos Antonakakis Zakir Durumeric Michael Bailey Sascha Fahl J\u00f6rg Schwenk Sebastian Schinzel Adam Doup\u00e9 Gail-Joon Ahn et al. 2020. CA Transparency. https:\/\/github.com\/zzma\/ca-transparency."},{"key":"e_1_3_2_1_50_1","volume-title":"International Workshop on Information Security Applications. Springer, 189--209","author":"Meyer Christopher","year":"2013","unstructured":"Christopher Meyer and J\u00f6rg Schwenk. 2013. SoK: Lessons learned from SSL\/TLS attacks. In International Workshop on Information Security Applications. Springer, 189--209."},{"key":"e_1_3_2_1_51_1","unstructured":"Microsoft. [n. d.]. CryptoAPI System Architecture. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/seccrypto\/cryptoapi-system-architecture."},{"key":"e_1_3_2_1_52_1","unstructured":"Mozilla. [n. d.]. Common CA Database by mozilla. https:\/\/www.ccadb.org."},{"key":"e_1_3_2_1_53_1","unstructured":"Mozilla. 2021. Mozilla Root Store Policy. https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.23919\/TMA.2019.8784633"},{"key":"e_1_3_2_1_55_1","unstructured":"Yvette O'Meally. 2018. Recommendations for PKI Key Lengths and Validity Periods with Configuration Manager. https:\/\/techcommunity.microsof t.com\/t5\/configuration-manager-archive\/recommendations-for-pki-key-lengths-and-validity-periods-with\/ba-p\/272758."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987488"},{"key":"e_1_3_2_1_57_1","unstructured":"Mozilla Project. 2021. Mozilla Included CA Certificate List. https:\/\/wiki.mozilla.org\/CA\/Included_Certificates."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419394.3423665"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419394.3423645"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24084"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00027"},{"key":"e_1_3_2_1_62_1","unstructured":"GlobalSign Support. [n. d.]. GlobalSign Root Certificates. https:\/\/support.globalsign.com\/ca-certif icates\/root-certif icates\/globalsign-root-certificates."},{"key":"e_1_3_2_1_63_1","unstructured":"The Bugzilla Team. 2020. Bug List of CA Certificate Root Program. https:\/\/bugzilla.mozilla.org\/buglist.cgi?component=CA%20Certificate%20Root%20Program&product=NSS&bug_status=__open__."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/2674005.2675015"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987462"},{"key":"e_1_3_2_1_66_1","unstructured":"VeriSign. [n. d.]. VeriSign Root Certificates. https:\/\/www.websecurity.digicert.com\/content\/dam\/websitesecurity\/digitalassets\/desktop\/pdf s\/repository\/root-certificates.pdf."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196528"},{"key":"e_1_3_2_1_68_1","unstructured":"Sebastian Wiesinger. 2012. Remove Trustwave Certificate(s) from trusted root certificates. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=724929."},{"key":"e_1_3_2_1_69_1","unstructured":"Kathleen Wilson. 2009. IPS Action items re IPS SERVIDORES root certificate. https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=523652."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484768","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484768","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:51:28Z","timestamp":1763499088000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484768"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":69,"alternative-id":["10.1145\/3460120.3484768","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484768","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}