Automated Analysis of SSL/TLS Certificates and Network Communication Security in Compliance With the Cybersecurity Act
Published 2025-12-04
Keywords
- SSL/TLS certificates
- network security
- automation
- Cybersecurity Act
- compliance
Copyright (c) 2025 Antun Matija Filipović, Vladimir Bralić, Silvija Tripalo

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Abstract
Network communication security is a fundamental aspect of protecting information and communication systems, with SSL/TLS certificates playing a crucial role in ensuring the confidentiality and integrity of data on the internet. However, inadequate implementation, the use of outdated protocols, and expired certificates pose significant security threats. This paper explores the possibilities of automated analysis of SSL/TLS certificates to detect security weaknesses, including the use of insecure encryption algorithms, untrusted certificate authorities, and vulnerable protocols. From a technical perspective, the paper presents a Python-based tool that enables rapid and systematic identification of encryption-related issues. From a legal standpoint, the study examines the obligations of organizations under the Cybersecurity Act, the NIS2 Directive, and the GDPR, which require the implementation of technical and organizational measures to safeguard network and information systems. Special emphasis is placed on the legal consequences of insecure encryption, including regulatory sanctions and organizational liability in cases of security breaches. The goal of this paper is to investigate how automated SSL/TLS certificate analysis can assist organizations in meeting legal requirements and improving network communication security.
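The checks the abstract lists (expired certificates, untrusted issuers, deprecated protocols, weak cipher suites) can be automated over the data Python's standard `ssl` module already exposes. The following is an added illustration, not the authors' tool: it takes a peer certificate in the dict shape returned by `SSLSocket.getpeercert()` and a `(cipher, protocol, bits)` tuple as returned by `SSLSocket.cipher()`, and returns findings; the issuer allowlist, the 30-day expiry warning and the weak-cipher markers are assumed policy values, and the sample certificate is constructed.

```python
import ssl
import time

# Assumed policy thresholds for the example (not values from the paper).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
MIN_SECRET_BITS = 128
EXPIRY_WARNING_SECONDS = 30 * 86400


def analyze_endpoint(peercert, cipher, trusted_issuers, now=None):
    """Return a list of findings for one TLS endpoint.

    peercert:        dict shaped like ssl.SSLSocket.getpeercert()
    cipher:          (name, protocol, secret_bits) like ssl.SSLSocket.cipher()
    trusted_issuers: organizationName values the organization accepts as CAs
    now:             epoch seconds; defaults to the current time
    """
    findings = []
    now = time.time() if now is None else now

    # 1. Validity period: expired, not yet valid, or about to expire.
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now > not_after:
        findings.append("certificate expired")
    elif now < not_before:
        findings.append("certificate not yet valid")
    elif not_after - now < EXPIRY_WARNING_SECONDS:
        findings.append("certificate expires within 30 days")

    # 2. Issuer: flag certificate authorities outside the allowlist.
    issuer = dict(rdn[0] for rdn in peercert["issuer"])
    org = issuer.get("organizationName")
    if org not in trusted_issuers:
        findings.append(f"untrusted issuer: {org}")

    # 3. Negotiated protocol version and cipher suite strength.
    name, protocol, bits = cipher
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol: {protocol}")
    if any(m in name for m in WEAK_CIPHER_MARKERS) or bits < MIN_SECRET_BITS:
        findings.append(f"weak cipher suite: {name} ({bits}-bit)")
    return findings


# Constructed sample input (not a real capture): an expired certificate from an
# issuer outside the allowlist, negotiated with TLS 1.0 and an RC4 suite.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Unknown CA"),)),
    "notBefore": "Jan 01 00:00:00 2023 GMT",
    "notAfter": "Jan 01 00:00:00 2024 GMT",
}
SAMPLE_CIPHER = ("RC4-SHA", "TLSv1", 128)

if __name__ == "__main__":
    for finding in analyze_endpoint(SAMPLE_CERT, SAMPLE_CIPHER, {"Example Root CA"}):
        print("FINDING:", finding)
```

In a live scan the same function is fed from `ssl.SSLSocket.getpeercert()` and `ssl.SSLSocket.cipher()` after a handshake, so each host yields one list of findings that can be mapped to the organization's compliance checklist.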