About PKI Watch

PKI Watch is a security monitoring and analysis platform for the global SSL/TLS Public Key Infrastructure (PKI). It is designed to uncover hidden security risks within the PKI ecosystem, including certificate content flaws, website certificate deployment issues, misbehavior in certificate authorities (CAs), and client-side validation vulnerabilities.

The platform addresses the growing need for comprehensive PKI security research. While several international organizations have invested in the construction of large-scale PKI probing and monitoring systems in recent years, there remains a gap in the domestic landscape for impactful platforms with similar capabilities. PKI Watch aims to fill this gap by offering in-depth and wide-ranging measurements.

This platform is developed by Tianyu Zhang and Han Zhang from Tsinghua University.

PKI Watch Key Statistics

TLS Certificate Content Error Rate

TLS Deployment Rate of Active IPv4 Sites

TLS Deployment Error Rate

Fraudulent Certificate Rate

Android App Certificate Validation Error Rate

Number of SSL/TLS Certificates Covered

Number of CAs Covered

Number of Android Apps Covered

Server-Side Analysis

Continuously monitor TLS and certificate deployments across websites. Analyze deployment security attributes to detect TLS misconfigurations and certificate-related vulnerabilities.

CA-Side Analysis

Analyze CA cross-signing relationships and market distribution patterns. By clustering certificate ASN.1 fingerprints, we detect anomalies and identify potentially forged certificates.

Client-Side Analysis

Analyze certificate validation mechanisms in mobile apps through static and dynamic analysis. Trace validation logic, locate potential flaws, and detect usage of advanced mechanisms such as SSL pinning or Certificate Transparency.

PKI Watch Services

Certificate Parsing

Extracts and visualizes all standard and non-standard X.509 fields from TLS certificates, presenting a clear hierarchical structure for in-depth analysis.

Certificate ASN.1 Fingerprint

Inspired by the work of Ma et al., we construct ASN.1-based fingerprints for TLS certificates and apply a grouping-based method to detect forged or anomalous certificates observed in the wild.
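
As an added example, not PKI Watch's own code and not the method of Ma et al.: a structure-only ASN.1 fingerprint over DER (the nested tag layout, keeping OID values because they name the fields present) plus a grouping step that flags blobs whose layout is rare in the corpus. The sample inputs are constructed toy blobs, not real certificates; the min_group threshold and the decision to keep only OID values are my assumptions.

```python
# Added example, not PKI Watch's code: structure-only ASN.1 fingerprints of DER blobs.
def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos -> (tag, content_start, content_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2  # single-byte tags, as in X.509
    if length & 0x80:  # long form: the low bits give the byte count of the length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def asn1_fingerprint(buf, pos=0, end=None):
    """Nested tag layout as a string; only OID values are kept (they name the fields)."""
    end = len(buf) if end is None else end
    parts = []
    while pos < end:
        tag, start, stop = _read_tlv(buf, pos)
        if tag & 0x20:  # constructed type: recurse into its children
            parts.append(f"{tag:02x}({asn1_fingerprint(buf, start, stop)})")
        elif tag == 0x06:
            parts.append(f"06:{buf[start:stop].hex()}")
        else:
            parts.append(f"{tag:02x}")
        pos = stop
    return ",".join(parts)
def group_by_fingerprint(certs):
    """{name: DER bytes} -> {fingerprint: [names]}."""
    groups = {}
    for name, der in certs.items():
        groups.setdefault(asn1_fingerprint(der), []).append(name)
    return groups
def flag_anomalies(certs, min_group=2):
    """Names whose layout is shared by fewer than min_group certificates (assumed threshold)."""
    groups = group_by_fingerprint(certs).values()
    return sorted(n for names in groups if len(names) < min_group for n in names)

def _tlv(tag, content):
    """Encode one DER TLV for the constructed samples (content stays below 256 bytes)."""
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])
    return hdr + content

def sample_certs():
    """Constructed toy blobs, not real X.509; cert-odd has a different layout."""
    oid = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
    def tmpl(serial, name, with_null=True, extra=b""):
        alg = _tlv(0x06, oid) + (_tlv(0x05, b"") if with_null else b"")
        body = _tlv(0x02, bytes([serial])) + _tlv(0x30, alg) + _tlv(0x0C, name) + extra
        return _tlv(0x30, body)
    return {"cert-a": tmpl(1, b"a.example"), "cert-b": tmpl(2, b"b.example"),
            "cert-c": tmpl(3, b"c.example"),
            "cert-odd": tmpl(4, b"odd.example", False, _tlv(0x13, b"X"))}
```

On a real corpus the same grouping is run over parsed certificate DER, and the small groups are the ones handed to an analyst rather than treated as proof of forgery.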

Certificate Cyber Asset Graph

Reconstructs certificate chains and analyzes trust paths to reveal relationships between certificate authorities (CAs). Utilizes multi-dimensional data to build a cyber asset graph that reflects associations between network entities through certificate linkage.

Rule-Based TLS Deployment Error Checking

Builds a custom rule repository to identify certificate content issues and detect website TLS deployment misconfigurations.

Android App Certificate Validation Vulnerability Checking

Leverages both static and dynamic analysis to detect vulnerabilities such as missing hostname verification, signature validation failures, and issues related to advanced techniques like SSL pinning and Certificate Transparency checks.