The web trusts a handful of CAs. How well are they tested?

🌿 growing · planted

Every padlock in your browser traces back to a certificate, and those certificates come from a surprisingly small set of certificate authorities. A CA that mis-issues a certificate, botches a revocation, or mishandles a validation quietly weakens the trust the whole web is built on. So it’s worth asking a plain question: how well are these systems actually tested?

Not very, it turns out. A CA is a stateful protocol engine. ACME defines long workflows for issuing, validating, and revoking certificates, along with all the ways each can fail. Developer-written test suites tend to walk the happy paths and miss the messy state in between.

CAFuzz goes after that gap two ways. First, an empirical study measuring how much of the ACME protocol and the CA’s own code its existing tests actually reach. Second, a spec-guided, black-box tester that models the RFC workflows directly and drives a CA through them systematically, error and edge cases included. We ran it against four real CAs (Let’s Encrypt’s Boulder, HashiCorp Vault, Smallstep, and XiPki) and it surfaced compliance and security problems their own test suites missed. Paper · Code