{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T04:11:23Z","timestamp":1776399083760,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,4]],"date-time":"2024-11-04T00:00:00Z","timestamp":1730678400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100006374","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["CNS-2154962,CNS-2319421"],"award-info":[{"award-number":["CNS-2154962,CNS-2319421"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,11,4]]},"DOI":"10.1145\/3646547.3688415","type":"proceedings-article","created":{"date-parts":[[2024,11,1]],"date-time":"2024-11-01T09:40:26Z","timestamp":1730454026000},"page":"214-229","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Mutual TLS in Practice: A Deep Dive into Certificate Configurations and Privacy Issues"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7846-2649","authenticated-orcid":false,"given":"Hongying","family":"Dong","sequence":"first","affiliation":[{"name":"University of Virginia, Charlottesville, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3938-8838","authenticated-orcid":false,"given":"Yizhe","family":"Zhang","sequence":"additional","affiliation":[{"name":"University of Virginia, Charlottesville, Virginia, 
USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0361-6532","authenticated-orcid":false,"given":"Hyeonmin","family":"Lee","sequence":"additional","affiliation":[{"name":"University of Virginia, Charlottesville, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-7373-3458","authenticated-orcid":false,"given":"Kevin","family":"Du","sequence":"additional","affiliation":[{"name":"University of Virginia, Charlottesville, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-3254-838X","authenticated-orcid":false,"given":"Guancheng","family":"Tu","sequence":"additional","affiliation":[{"name":"University of Virginia, Charlottesville, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6650-4373","authenticated-orcid":false,"given":"Yixin","family":"Sun","sequence":"additional","affiliation":[{"name":"University of Virginia, Charlottesville, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,11,4]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363192"},{"key":"e_1_3_2_1_2_1","volume-title":"Available trusted root certificates for Apple operating systems. https:\/\/support.apple.com\/en-us\/103272 (accessed","year":"2024","unstructured":"Apple. 2024. Available trusted root certificates for Apple operating systems. https:\/\/support.apple.com\/en-us\/103272 (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_3_1","volume-title":"17M Company Dataset - BigPicture 2023 Q4 Free Company Dataset. https:\/\/www.kaggle.com\/datasets\/mfrye0\/bigpicture-company-dataset (accessed","year":"2024","unstructured":"BigPicture. 2023. 17M Company Dataset - BigPicture 2023 Q4 Free Company Dataset. 
https:\/\/www.kaggle.com\/datasets\/mfrye0\/bigpicture-company-dataset (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","unstructured":"Sharon Boeyen Stefan Santesson Tim Polk Russ Housley Stephen Farrell and David Cooper. 2008. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280. https:\/\/doi.org\/10.17487\/RFC5280","DOI":"10.17487\/RFC5280"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.15"},{"key":"e_1_3_2_1_6_1","unstructured":"CA\/Browser Forum. 2024. Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates Version 2.0.4. https:\/\/cabforum.org\/working-groups\/server\/baseline-requirements\/documents\/TLSBRv2.0.4.pdf (accessed Aug 26 2024)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978301"},{"key":"e_1_3_2_1_8_1","volume-title":"Feature: Support for commonName matching in Certificates (Removed). https:\/\/chromestatus.com\/feature\/4981025180483584 (accessed","author":"Status Chrome Platform","year":"2022","unstructured":"Chrome Platform Status. 2022. Feature: Support for commonName matching in Certificates (Removed). https:\/\/chromestatus.com\/feature\/4981025180483584 (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987454"},{"key":"e_1_3_2_1_10_1","volume-title":"What is mutual TLS (mTLS). https:\/\/www.cloudflare.com\/learning\/access-management\/what-is-mutual-tls\/ (accessed","year":"2024","unstructured":"CloudFlare. 2024. What is mutual TLS (mTLS). https:\/\/www.cloudflare.com\/learning\/access-management\/what-is-mutual-tls\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_11_1","volume-title":"Certificate Transparency Logs. https:\/\/crt.sh\/ (accessed","year":"2024","unstructured":"crt.sh. 2015. Certificate Transparency Logs. 
https:\/\/crt.sh\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2504730.2504755"},{"key":"e_1_3_2_1_13_1","volume-title":"Recommendation for Key Management - Part 3: Application-Specific Key Management Guidance. https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800--57pt3r1.pdf (accessed","author":"Barker Elaine","year":"2024","unstructured":"Elaine Barker, Quynh Dang. 2015. Recommendation for Key Management - Part 3: Application-Specific Key Management Guidance. https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800--57pt3r1.pdf (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_14_1","volume-title":"Exploring the Evolution of TLS Certificates. In International Conference on Passive and Active Network Measurement. Springer, 71--84","author":"Farhan Syed Muhammad","year":"2023","unstructured":"Syed Muhammad Farhan and Taejoong Chung. 2023. Exploring the Evolution of TLS Certificates. In International Conference on Passive and Active Network Measurement. Springer, 71--84."},{"key":"e_1_3_2_1_15_1","volume-title":"https:\/\/www.filewave.com\/ (accessed","year":"2024","unstructured":"FileWave. 2024. FileWave. https:\/\/www.filewave.com\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1515\/popets-2018-0031"},{"key":"e_1_3_2_1_17_1","volume-title":"Internet Assigned Numbers Authority (IANA). https:\/\/www.iana.org\/ (accessed","author":"The Internet Corporation for Assigned Names and Numbers (ICANN). 2024.","year":"2024","unstructured":"The Internet Corporation for Assigned Names and Numbers (ICANN). 2024. Internet Assigned Numbers Authority (IANA). https:\/\/www.iana.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_18_1","volume-title":"ipaddress - IPv4\/IPv6 manipulation library. https:\/\/docs.python.org\/3\/library\/ipaddress.html (accessed","author":"Foundation Python Software","year":"2024","unstructured":"Python Software Foundation. 2024. 
ipaddress - IPv4\/IPv6 manipulation library. https:\/\/docs.python.org\/3\/library\/ipaddress.html (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_19_1","volume-title":"Common CA Database. https:\/\/www.ccadb.org\/ (accessed","author":"Foundation The Linux","year":"2024","unstructured":"The Linux Foundation. 2024. Common CA Database. https:\/\/www.ccadb.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382204"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCECE58730.2023.10288980"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453100"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","unstructured":"Dr. John C. Klensin. 2008. Simple Mail Transfer Protocol. RFC 5321. https:\/\/doi.org\/10.17487\/RFC5321","DOI":"10.17487\/RFC5321"},{"key":"e_1_3_2_1_24_1","volume-title":"tldextract. https:\/\/github.com\/john-kurkowski\/tldextract (accessed","author":"Kurkowski John","year":"2024","unstructured":"John Kurkowski. 2024. tldextract. https:\/\/github.com\/john-kurkowski\/tldextract (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_25_1","volume-title":"Client certificates aren't universally more secure. https:\/\/www.devever.net\/ hl\/clientcert, (accessed","author":"Landau Hugo","year":"2024","unstructured":"Hugo Landau. 2023. Client certificates aren't universally more secure. https:\/\/www.devever.net\/ hl\/clientcert, (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_26_1","volume-title":"Let's Encrypt: ACME Client Implementations. https:\/\/letsencrypt.org\/docs\/client-options\/ (accessed","author":"Encrypt Let's","year":"2024","unstructured":"Let's Encrypt. 2024. Let's Encrypt: ACME Client Implementations. https:\/\/letsencrypt.org\/docs\/client-options\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_27_1","volume-title":"Automatic mTLS. https:\/\/linkerd.io\/2.15\/features\/automatic-mtls\/, (accessed","year":"2024","unstructured":"Linkerd. 2024. 
Automatic mTLS. https:\/\/linkerd.io\/2.15\/features\/automatic-mtls\/, (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_28_1","volume-title":"Release notes - Microsoft Trusted Root Certificate Program. https:\/\/learn.microsoft.com\/en-us\/security\/trusted-root\/release-notes (accessed","year":"2024","unstructured":"Microsoft. 2024. Release notes - Microsoft Trusted Root Certificate Program. https:\/\/learn.microsoft.com\/en-us\/security\/trusted-root\/release-notes (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_29_1","volume-title":"Public Suffix List. https:\/\/publicsuffix.org\/ (accessed","author":"Foundation Mozilla","year":"2024","unstructured":"Mozilla Foundation. 2022. Public Suffix List. https:\/\/publicsuffix.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_30_1","volume-title":"Mozilla's CA Certificate Program. https:\/\/wiki.mozilla.org\/CA (accessed","author":"Wiki Mozilla","year":"2024","unstructured":"Mozilla Wiki. 2024. Mozilla's CA Certificate Program. https:\/\/wiki.mozilla.org\/CA (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_31_1","volume-title":"MQTT: The Standard for IoT Messaging. https:\/\/mqtt.org\/ (accessed","author":"MQTT.","year":"2022","unstructured":"MQTT. 2022. MQTT: The Standard for IoT Messaging. https:\/\/mqtt.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_32_1","volume-title":"https:\/\/www.globus.org\/ (accessed","author":"The University of Chicago. 2024. Globus Compute.","year":"2024","unstructured":"The University of Chicago. 2024. Globus Compute. https:\/\/www.globus.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_33_1","volume-title":"OpenSSL: Cryptography and SSL\/TLS Toolkit. https:\/\/www.openssl.org\/ (accessed","author":"SSL.","year":"2024","unstructured":"OpenSSL. 2024. OpenSSL: Cryptography and SSL\/TLS Toolkit. https:\/\/www.openssl.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_34_1","volume-title":"openssl\/crypto\/x509v3\/v3_san.c. 
https:\/\/github.com\/openssl\/openssl\/blob\/fa338aa7cd1e893679c3e1c47465dcb11f90abfb\/crypto\/x509\/v3_san.c, (accessed","author":"SSL.","year":"2024","unstructured":"OpenSSL. 2024. openssl\/crypto\/x509v3\/v3_san.c. https:\/\/github.com\/openssl\/openssl\/blob\/fa338aa7cd1e893679c3e1c47465dcb11f90abfb\/crypto\/x509\/v3_san.c, (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_35_1","volume-title":"openssl\/include\/openssl\/x509v3.h.in. https:\/\/github.com\/openssl\/openssl\/blob\/fa338aa7cd1e893679c3e1c47465dcb11f90abfb\/include\/openssl\/x509v3.h.in, (accessed","author":"SSL.","year":"2024","unstructured":"OpenSSL. 2024. openssl\/include\/openssl\/x509v3.h.in. https:\/\/github.com\/openssl\/openssl\/blob\/fa338aa7cd1e893679c3e1c47465dcb11f90abfb\/include\/openssl\/x509v3.h.in, (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_36_1","volume-title":"Practical issues with TLS client certificate authentication. Cryptology ePrint Archive","author":"Parsovs Arnis","year":"2013","unstructured":"Arnis Parsovs. 2013. Practical issues with TLS client certificate authentication. Cryptology ePrint Archive (2013)."},{"key":"e_1_3_2_1_37_1","volume-title":"7 Million Company Dataset - People Data Labs 2019 Global Company Dataset. https:\/\/www.kaggle.com\/datasets\/peopledatalabssf\/free-7-million-company-dataset (accessed","author":"Labs People Data","year":"2024","unstructured":"People Data Labs. 2019. 7 Million Company Dataset - People Data Labs 2019 Global Company Dataset. https:\/\/www.kaggle.com\/datasets\/peopledatalabssf\/free-7-million-company-dataset (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","unstructured":"Eric Rescorla. 2000. HTTP Over TLS. RFC 2818. https:\/\/doi.org\/10.17487\/RFC2818","DOI":"10.17487\/RFC2818"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","unstructured":"Eric Rescorla. 2018. The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. 
https:\/\/doi.org\/10.17487\/RFC8446","DOI":"10.17487\/RFC8446"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","unstructured":"Peter Saint-Andre and Jeff Hodges. 2011. Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). RFC 6125. https:\/\/doi.org\/10.17487\/RFC6125","DOI":"10.17487\/RFC6125"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","unstructured":"Jim Sermersheim. 2006. Lightweight Directory Access Protocol (LDAP): The Protocol. RFC 4511. https:\/\/doi.org\/10.17487\/RFC4511","DOI":"10.17487\/RFC4511"},{"key":"e_1_3_2_1_42_1","volume-title":"25th Annual Chaos Communication Congress.","author":"Sotirov Alexander","year":"2008","unstructured":"Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen K Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. 2008. MD5 considered harmful today, creating a rogue CA certificate. In 25th Annual Chaos Communication Congress."},{"key":"e_1_3_2_1_43_1","volume-title":"Trained Pipelines: English. https:\/\/spacy.io\/models\/en (accessed","year":"2024","unstructured":"spaCy. 2024. Trained Pipelines: English. https:\/\/spacy.io\/models\/en (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.23919\/TMA.2017.8002897"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICT52184.2021.9511513"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom53373.2021.00029"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3512576.3512644"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCBDA56900.2023.10154744"},{"key":"e_1_3_2_1_49_1","volume-title":"An Open Source Network Security Monitoring Tool. https:\/\/zeek.org\/ (accessed","year":"2024","unstructured":"Zeek. 2023. An Open Source Network Security Monitoring Tool. 
https:\/\/zeek.org\/ (accessed Aug 26, 2024)."},{"key":"e_1_3_2_1_50_1","volume-title":"Zeek Dynamic Protocol Detection. https:\/\/docs.zeek.org\/en\/master\/logs\/dpd.html (accessed","year":"2024","unstructured":"Zeek. 2023. Zeek Dynamic Protocol Detection. https:\/\/docs.zeek.org\/en\/master\/logs\/dpd.html (accessed Aug 26, 2024)."}],"event":{"name":"IMC '24: ACM Internet Measurement Conference","location":"Madrid Spain","acronym":"IMC '24","sponsor":["SIGMETRICS ACM Special Interest Group on Measurement and Evaluation","SIGCOMM ACM Special Interest Group on Data Communication"]},"container-title":["Proceedings of the 2024 ACM on Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3646547.3688415","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3646547.3688415","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T11:52:00Z","timestamp":1755863520000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3646547.3688415"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,4]]},"references-count":50,"alternative-id":["10.1145\/3646547.3688415","10.1145\/3646547"],"URL":"https:\/\/doi.org\/10.1145\/3646547.3688415","relation":{},"subject":[],"published":{"date-parts":[[2024,11,4]]},"assertion":[{"value":"2024-11-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}