Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators’ Difficulties with TLS Configurations

  • Conference paper
  • HCI for Cybersecurity, Privacy and Trust (HCII 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13333)

Abstract

HTTPS has been the standard for securing online communications for over 20 years. Despite the availability of tools that make the configuration process easier (e.g., Let’s Encrypt, Certbot), SSL Pulse scans show that more than 50% of the most popular websites are still poorly configured, which shows that there is room for improvement. Although a few recent studies looked at the remaining challenges administrators face when configuring HTTPS from a qualitative perspective, little work has produced quantitative results. Therefore, we conducted a survey with 96 experienced administrators (as opposed to a student sample) to investigate to what extent the configuration problems revealed in prior studies actually exist in the wild. Our results confirm that Let’s Encrypt and ACME clients, such as Certbot, simplify configuration and maintenance for administrators, thus increasing the security of HTTPS configurations. Moreover, we extend the current body of work by examining the trust administrators put into Let’s Encrypt and Certbot. We found that trust and usability issues are currently barriers to the widespread adoption of Certbot.

Notes

  1.

    SSL Pulse—monitoring Alexa’s top million websites for the quality of SSL and TLS support https://www.ssllabs.com/ssl-pulse/.

  2.

    The Finished message is protected/encrypted with the just-negotiated algorithms and keys. It serves as a “checksum” for the other party before other (sensitive) information is shared over the session.

  3.

    X.509 is a standard format of public key certificates used e.g., for TLS, which specifies an identity and a public key and is either self-signed or signed by a certificate authority (CA).

  4.

    https://www.ssllabs.com/ssltest/ - a service that analyses a server’s TLS configuration, its security, and the supported TLS versions.

  5.

    We applied the Holm-Bonferroni correction [16] to counteract the multiple comparisons problem for multiple-choice questions.

  6.

    https://gdpr-info.eu/.

  7.

    A certificate whose subject name contains a wildcard character (*), so that it can be used for multiple sub-domains of a domain.

References

  1. Aas, J.: Why ninety-day lifetimes for certificates? https://letsencrypt.org/2015/11/09/why-90-days.html. Accessed 08 Jan 2021

  2. Aas, J., et al.: Let’s encrypt: an automated certificate authority to encrypt the entire web. In: ACM SIGSAC Conference on Computer and Communications Security (CCS 2019), pp. 2473–2487 (2019)

  3. Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M.L., Stransky, C.: You get where you’re looking for: the impact of information sources on code security. In: IEEE Symposium on Security and Privacy (S&P 2016), pp. 289–305. IEEE (2016)

  4. Aertsen, M., Korczyński, M., Moura, G.C., Tajalizadehkhoob, S., van den Berg, J.: No domain left behind: is let’s encrypt democratizing encryption? In: Applied Networking Research Workshop, pp. 48–54 (2017)

  5. Akhawe, D., Amann, B., Vallentin, M., Sommer, R.: Here’s my cert, so trust me, maybe? Understanding TLS errors on the web. In: 22nd International Conference on World Wide Web, pp. 59–70 (2013)

  6. Bernhard, M., Sharman, J., Acemyan, C.Z., Kortum, P., Wallach, D.S., Halderman, J.A.: On the usability of https deployment. In: 2019 CHI Conference on Human Factors in Computing Systems, pp. 1–10 (2019)

  7. Chan, C., Fontugne, R., Cho, K., Goto, S.: Monitoring TLS adoption using backbone and edge traffic. In: IEEE INFOCOM 2018-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 208–213. IEEE (2018)

  8. Cimpanu, C.: 14,766 Let’s Encrypt SSL Certificates Issued to PayPal Phishing Sites. https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/. Accessed 11 Dec 2020

  9. Clark, J., Van Oorschot, P.C.: SoK: SSL and https: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy (S&P 2013), pp. 511–525. IEEE (2013)

  10. Durumeric, Z., Kasten, J., Bailey, M., Halderman, J.A.: Analysis of the https certificate ecosystem. In: Conference on Internet Measurement, pp. 291–304 (2013)

  11. Durumeric, Z., et al.: The security impact of https interception. In: Network and Distributed System Security Symposium (NDSS 2017) (2017)

  12. Fahl, S., Acar, Y., Perl, H., Smith, M.: Why eve and Mallory (also) love webmasters: a study on the root causes of SSL misconfigurations. In: ACM Symposium on Information, Computer and Communications Security, pp. 507–512 (2014)

  13. Felt, A.P., Barnes, R., King, A., Palmer, C., Bentzel, C., Tabriz, P.: Measuring https adoption on the web. In: 26th USENIX Security Symposium (USENIX 2017), pp. 1323–1338 (2017)

  14. GmbH SS: SoSci Survey - the Solution for Professional Online Questionnaires. https://www.soscisurvey.de/. Accessed 08 Jan 2021

  15. Harris, I.A., Khoo, O.K., Young, J.M., Solomon, M.J., Rae, H.: Lottery incentives did not improve response rate to a mailed survey: a randomized controlled trial. J. Clin. Epidemiol. 61(6), 609–610 (2008)

  16. Holm, S.: A simple sequentially rejective multiple test procedure. Scand. J. Stat. (1979)

  17. Jensen, E., Laurie, C.: Doing Real Research: A Practical Guide to Social Research. Sage (2016). ISBN 978-1446273883

  18. Kim, H.Y.: Statistical notes for clinical researchers: chi-squared test and Fisher’s exact test. Restorative Dentistry Endod. 42(2) (2017)

  19. Krippendorff, K.: Content Analysis: An Introduction to Its Methodology, pp. 241–243. SAGE Publications (2004)

  20. Krombholz, K., Busse, K., Pfeffer, K., Smith, M., von Zezschwitz, E.: “If HTTPS were secure, I wouldn’t need 2FA”-end user and administrator mental models of HTTPS. In: IEEE Symposium on Security and Privacy (S&P 2019) (2019)

  21. Krombholz, K., Mayer, W., Schmiedecker, M., Weippl, E.: “I have no idea what I’m doing”-on the usability of deploying HTTPS. In: 26th USENIX Security Symposium (USENIX 2017), pp. 1339–1356 (2017)

  22. Laguilles, J.S., Williams, E.A., Saunders, D.B.: Can lottery incentives boost web survey response rates? Findings from four experiments. Res. High. Educ. 52(5), 537–553 (2011)

  23. Lee, J.H., Song, C.H.: Effects of trust and perceived risk on user acceptance of a new technology service. Soc. Behav. Personal. Int. J. 41(4), 587–597 (2013)

  24. Lenth, R.V.: Some practical guidelines for effective sample size determination. Am. Stat. 55(3) (2001)

  25. Lipsey, M.W.: Design Sensitivity: Statistical Power for Experimental Research. Sage (1989). ISBN 978-0803930636

  26. Liu, S.: Software developer gender distribution worldwide as of early 2020. https://www.statista.com/statistics/1126823/worldwide-developer-gender/. Accessed 10 Jan 2021

  27. Manousis, A., Ragsdale, R., Draffin, B., Agrawal, A., Sekar, V.: Shedding light on the adoption of let’s encrypt. arXiv preprint arXiv:1611.00469 (2016)

  28. Naiakshina, A., Danilova, A., Tiefenau, C., Smith, M.: Deception task design in developer password studies: exploring a student sample. In: Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pp. 297–313 (2018)

  29. Nor, K.M., Pearson, J.M.: The influence of trust on internet banking acceptance. J. Internet Banking Commer. 12(2), 1–10 (1970)

  30. Oltrogge, M., Acar, Y., Dechand, S., Smith, M., Fahl, S.: To pin or not to pin-helping app developers bullet proof their TLS connections. In: 24th USENIX Security Symposium (USENIX 2015), pp. 239–254 (2015)

  31. Parsovs, A.: Practical issues with TLS client certificate authentication. In: Network and Distributed System Security Symposium (NDSS 2014), vol. 14, pp. 23–26 (2014)

  32. Pfeffer, K., et al.: On the usability of authenticity checks for hardware security tokens. In: 30th USENIX Security Symposium (USENIX 2021) (2021)

  33. Redmiles, E.M., Malone, A.R., Mazurek, M.L.: I think they’re trying to tell me something: advice sources and selection for digital security. In: IEEE Symposium on Security and Privacy (S&P 2016), pp. 272–288. IEEE (2016)

  34. Tiefenau, C., von Zezschwitz, E., Häring, M., Krombholz, K., Smith, M.: A usability evaluation of let’s encrypt and certbot: usable security done right. In: ACM SIGSAC Conference on Computer and Communications Security (CCS 2019), pp. 1971–1988 (2019)

  35. Yakdan, K., Dechand, S., Gerhards-Padilla, E., Smith, M.: Helping Johnny to analyze malware: a usability-optimized decompiler and malware analysis user study. In: IEEE Symposium on Security and Privacy (S&P 2016), pp. 158–177. IEEE (2016)

Acknowledgment

This material is based upon work partially supported by the Industry-related Dissertation funding program. SBA Research (SBA-K1) is a COMET Centre within the framework of COMET - Competence Centers for Excellent Technologies Programme and funded by BMK, BMDW, and the province of Vienna. The programs are both managed by FFG.

Author information

Correspondence to Alexandra Mai.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Mai, A., Schedler, O., Weippl, E., Krombholz, K. (2022). Are HTTPS Configurations Still a Challenge?: Validating Theories of Administrators’ Difficulties with TLS Configurations. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2022. Lecture Notes in Computer Science, vol 13333. Springer, Cham. https://doi.org/10.1007/978-3-031-05563-8_12

  • DOI: https://doi.org/10.1007/978-3-031-05563-8_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-05562-1

  • Online ISBN: 978-3-031-05563-8

  • eBook Packages: Computer Science (R0)