The Inconvenient Truth About Web Certificates

  • Conference paper
Economics of Information Security and Privacy III

Abstract

HTTPS is the de facto standard for securing Internet communications. Although it is widely deployed, the security provided with HTTPS in practice is dubious. HTTPS may fail to provide security for multiple reasons, mostly due to certificate-based authentication failures. Given the importance of HTTPS, we investigate the current scale and practices of HTTPS and certificate-based deployment. We provide a large-scale empirical analysis that considers the top one million most popular websites. Our results show that very few websites implement certificate-based authentication properly. In most cases, domain mismatches between certificates and websites are observed. We study the economic, legal and social aspects of the problem. We identify causes and implications of the profit-oriented attitude of CAs and show how the current economic model leads to the distribution of cheap certificates for cheap security. Finally, we suggest possible changes to improve certificate-based authentication.

Notes

  1. The legitimate domain is bankofamerica.com.

  2. E-banking URL of ubs.com: https://ebanking1.ubs.com/en/OGJNCMHIFJJEIBAKJBDHLMBJFELALLHGKIJDACFGIEDK HLBJCBPLHMOOKDAHFFKONKKKAMPMNAEDFPCIOENKBGNEGNBDKJNN6Aes21WHTRFkGdlzvKKjjyZeB+GNeAGf-jzjgiO2LFw

  3. To illustrate how Alexa sorts websites into categories, we provide the list of top five websites per category in Appendix.

  4. A wildcard “*” stands for at most one level of subdomain, i.e. *.domain.tld matches subdomain.domain.tld but not subsubdomain.subdomain.domain.tld.

  5. Expiration periods are computed with respect to February 2010.

  6. Even though some CAs (e.g., Equifax and Thawte) were acquired by VeriSign, we refer to them as separate CAs as they offer different products and services and have different policies.
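
The wildcard rule in note 4, applied to the kind of domain-mismatch check the abstract describes. This is an added example, not code from the paper: the function names and the sample hostnames are constructed, and treating the bare domain and "*.tld" as not covered by a wildcard is an assumption that follows common browser practice.

```python
# Added example: certificate-name vs. hostname check using the wildcard rule
# from note 4. All hostnames and certificate names below are constructed.

def _labels(name):
    """Lower-case a DNS name and split it into labels (trailing dot ignored)."""
    return name.lower().rstrip(".").split(".")

def name_matches(hostname, cert_name):
    """True if one certificate name covers hostname."""
    host, pattern = _labels(hostname), _labels(cert_name)
    if "" in host or len(host) != len(pattern):
        # "*" stands for a single label, so label counts must agree.
        return False
    if pattern[0] == "*":
        # Assumption: refuse "*.tld"; require two fixed labels after "*".
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern  # a "*" anywhere else is treated as a literal

def covering_name(hostname, cert_names):
    """Return the first certificate name that covers hostname, else None."""
    return next((n for n in cert_names if name_matches(hostname, n)), None)

def mismatched_sites(sites):
    """Return hostnames whose certificate lists no name covering them."""
    return [h for h, names in sites if covering_name(h, names) is None]

# Constructed survey input: (hostname visited, names listed in its certificate).
SITES = [
    ("shop.example.com", ["*.example.com"]),
    ("a.b.example.com", ["*.example.com"]),
    ("example.com", ["*.example.com"]),
    ("example.com", ["www.example.com", "example.com"]),
    ("www.example.org", ["host42.hosting.example"]),
    ("WWW.Example.NET.", ["www.example.net"]),
]

if __name__ == "__main__":
    for host in mismatched_sites(SITES):
        print("domain mismatch:", host)
```
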

Acknowledgements

We would like to thank Jens Grossklags for his valuable insights and feedback.

Author information

Correspondence to Nevena Vratonjic.

Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Vratonjic, N., Freudiger, J., Bindschaedler, V., Hubaux, JP. (2013). The Inconvenient Truth About Web Certificates. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_5

  • DOI: https://doi.org/10.1007/978-1-4614-1981-5_5

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-1980-8

  • Online ISBN: 978-1-4614-1981-5

  • eBook Packages: Computer Science, Computer Science (R0)
