MARCH 2018 | VOL. 61 | NO. 3 | COMMUNICATIONS OF THE ACM 115
reissued but never revoked. Although we find that 60% of the certificates expire within a year, there are vulnerable certificates that are valid for up to 5 years after Heartbleed was announced. In fact, 10% of the vulnerable certificates still had over 3 years of validity remaining. We conclude from this that, given the meager rates of revocation, it would be helpful for CAs to shift to shorter expiry times in their certificates.

Reissues and revocation speed. Next, we examine how quickly sites responded to Heartbleed. Figure 8 shows the fraction of vulnerable certificates that were not reissued or revoked over the three weeks following the Heartbleed announcement. In this figure, the initial y values do not all start at 1.0 for reissues: this is because, with the coarse granularity of our data, we know the range of time during which some certificates were reissued, but not the precise day. We therefore provide the most optimistic possibility: if we know a certificate was reissued between days d and d + k, we assume it was reissued on day d.

This figure presents a bleak view of how thoroughly sites revoke and reissue their certificates (note that the y-axis begins at 0.60). Three weeks after the revelation of Heartbleed, over 87% of all certificates we found to be vulnerable were not revoked, and over 73% of them were not reissued. We also found that the revocation rate follows a pattern previously observed in earlier studies on the spread of patches [14, 22]: there is an exponential drop-off, followed by a gradual decline. This behavior is even more pronounced when looking farther beyond the Heartbleed announcement: 16 weeks after the announcement, there were still 86% who had not revoked and 70% who had not reissued.

Extended validation certificates. Recall that one of the major roles of a CA is to validate the identity of the subjects who purchase certificates. Extended Validation (EV) certificates are a means by which CAs can express that this identity-verification process has followed (presumably) more stringent criteria. Many browsers present EV certificates differently in the address bar.

EV certificates are standard X.509 certificates that are not, in and of themselves, more secure, but the rationale is that with a more thorough verification process by the CAs, these certificates deserve greater trust. That said, there remains concern as to whether this trust is well-placed. We close by investigating the rate at which vulnerable EV certificates were revoked and reissued as compared to all certificates overall.

Overall, Figure 8 shows EV certificates follow similar trends to the entire corpus, with a slightly faster and more thorough response. Interestingly, while EV certificates were revoked more quickly, their non-EV counterparts caught up within 10 days; however, EV certificates were reissued both more quickly and more thoroughly. We expect that the underlying cause of this observation is a self-selection effect, that is, security-conscious sites are more likely to seek out EV certificates in the first place. Nonetheless, there are still many vulnerable EV certificates that have not been reissued three weeks after the event (67%) and that have not been revoked three weeks after (87%).

Figure 8. Many vulnerable certificates were not revoked and reissued after Heartbleed (note that the y-axis does not begin at zero). [Plot: x-axis dated 04/07 through 04/27; series: Not revoked (All), Not revoked (EV), Not reissued (All), Not reissued (EV).]

5. CONCLUDING DISCUSSION
In this paper, we studied how SSL certificates are reissued and revoked in response to a widespread vulnerability, Heartbleed, that enabled undetectable key compromise. We conducted large-scale measurements and developed new methodologies to determine how the most popular one million domains reacted to this vulnerability in terms of certificate management, and how this impacts security for clients. We found that the vast majority of vulnerable certificates have not been reissued. Further, of those domains that reissued certificates in response to Heartbleed, 60% did not revoke their vulnerable certificates—if they do not eventually become revoked, 20% of those certificates will remain valid for two or more years. The ramifications of these findings are alarming: Web browsers will remain potentially vulnerable to malicious third parties using stolen keys for a long time to come. Additionally, we found that domains with EV certificates performed only marginally better than other domains with respect to reissuing and revocation.

Our results are, in some ways, in line with previous studies on the rates at which administrators patched vulnerable software [22]—for instance, revocation rates followed a sharp exponential drop-off shortly after the vulnerability was made public, and tapered off soon thereafter. However, unlike software bugs, we find that the vast majority of certificates remain vulnerable to attacks, as they have still not been reissued or revoked. These findings indicate that the current practices of certificate management are misaligned with what is necessary to secure the PKI.

5.1. Surveying system administrators
To help better understand the reasons behind the lack of prompt certificate reissues and revocations, we informally surveyed a few systems administrators. We asked what steps they had taken in response to Heartbleed: did they patch, reissue, and revoke, and if not, then why not? We received seven responses. Most reported manually patching their systems, but some relied on managed servers or automatic updates and therefore took no Heartbleed-specific steps. There was some variance in when patches were applied, due to a combination of scheduled reboots and delayed responses from vendors, but the majority of patches were

For revoking and reissuing, however, we saw a wide spectrum of behavior. The few who reissued and revoked did so within 48 hours. Many neither revoked nor reissued; a common reason provided was that the vulnerable hosts were not hosting sensitive data or services. Along similar
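The optimistic reissue-day accounting described above for Figure 8 (a certificate change first seen between scan days d and d + k is credited to day d), worked through as an added example that is not the paper's own code; the domain names, scan dates and fingerprints are constructed placeholders, and it also shows why the resulting "not reissued" curve can start below 1.0 on day 0.

```python
from datetime import date

# Day 0 of the analysis window: the Heartbleed disclosure date used on the page.
HEARTBLEED_DISCLOSURE = date(2014, 4, 7)

# Constructed sample scans (not the paper's data): for each domain, the
# certificate fingerprint observed at each coarse-grained scan date.
SCANS = {
    "a.example": [(date(2014, 4, 7), "fp-a1"), (date(2014, 4, 11), "fp-a1"),
                  (date(2014, 4, 15), "fp-a2")],   # changed between day 4 and day 8
    "b.example": [(date(2014, 4, 7), "fp-b1"),
                  (date(2014, 4, 11), "fp-b2")],   # changed between day 0 and day 4
    "c.example": [(date(2014, 4, 7), "fp-c1"), (date(2014, 4, 11), "fp-c1"),
                  (date(2014, 4, 27), "fp-c1")],   # never reissued in the window
}


def optimistic_reissue_day(observations):
    """Earliest day (offset from disclosure) on which the certificate could
    have been reissued, or None if the same fingerprint was seen in every scan.

    If consecutive scans on days d and d + k show different fingerprints, the
    reissue happened somewhere between them; following the page's optimistic
    convention it is credited to day d.
    """
    obs = sorted(observations)  # sort by scan date
    for (d_prev, fp_prev), (_d_next, fp_next) in zip(obs, obs[1:]):
        if fp_next != fp_prev:
            return (d_prev - HEARTBLEED_DISCLOSURE).days
    return None


def fraction_not_reissued(scans, days=21):
    """Fraction of certificates still not reissued on each day 0..days.

    A change credited to day 0 already counts as reissued on day 0, so the
    curve can start below 1.0, the artefact the page notes for Figure 8.
    """
    reissue_days = [optimistic_reissue_day(obs) for obs in scans.values()]
    total = len(reissue_days)
    curve = []
    for t in range(days + 1):
        still_vulnerable = sum(1 for r in reissue_days if r is None or r > t)
        curve.append(still_vulnerable / total)
    return curve


if __name__ == "__main__":
    for day, frac in enumerate(fraction_not_reissued(SCANS)):
        print(f"day {day:2d}: not reissued = {frac:.2f}")
```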