Longitudinal Analysis of Wildcard Certificates in the WebPKI.

The use of wildcard certificates and multi-domain certificates can impact how sensitive a certificate is to attacks and how many (sub)domains and machines may be impacted if a private key is compromised. Unfortunately, there are no globally agreed-upon best practices for these certificate types and the recommendations have changed many times over the years. In this paper, we present a 10-year longitudinal analysis of the usage of wildcard certificates and multi-domain certificates on the internet. Our analysis captures and highlights substantial differences in the heterogenous wildcard and multi-domain certificate practices. The results also show that there are several ways that CAs and domain owners have chosen to improve their practices, with many appearing to reduce the number of domains (and subdomains) for which each certificate is responsible.