Analyzing Proposals for Improving Authentication on the TLS/SSL-Protected Web

  • Christopher W. Brown
  • Michael Jenkins
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8893)


“Secure” web browsing with HTTPS uses TLS/SSL and X.509 certificates to provide authenticated, confidential communication between web clients and webservers. The authentication component of the system has a variety of weaknesses, which have led to a variety of proposals for improving the current environment. In this paper we survey, analyze, compare and contrast three prominent proposals. To do this, we attempt to systematically capture the properties one might require of such a system: authentication properties, forensics/privacy properties, usability properties, and pragmatic properties. Enumerating these properties is an important part of understanding these proposals and the nature of the authentication problem for the secure web. Finally, we offer a few conclusions and suggestions pertaining to these proposals, and possible future directions of research.


web security authentication TLS HTTPS certificates 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 5246, RFC Editor (April 2006)Google Scholar
  2. 2.
    Housley, R., Santesson, S.: Update to directorystring processing in the internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. RFC 5280, RFC Editor (August 2006)Google Scholar
  3. 3.
    Herley, C.: So long, and no thanks for the externalities: the rational rejection of security advice by users. In: Proceedings of the 2009 Workshop on New Security Paradigms Workshop, NSPW 2009, pp. 133–144. ACM, New York (2009)CrossRefGoogle Scholar
  4. 4.
    Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying wolf: an empirical study of ssl warning effectiveness. In: Proceedings of the 18th Conference on USENIX Security Symposium, SSYM 2009, pp. 399–416. USENIX Association, Berkeley (2009)Google Scholar
  5. 5.
    Marlinspike, M., Perrin, T.: Trust assertions for certificate keys. Internet-Draft draft-perrin-tls-tack-02, IETF Secretariat (January 2013)Google Scholar
  6. 6.
    Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: improving ssh-style host authentication with multi-path probing. In: USENIX 2008 Annual Technical Conference on Annual Technical Conference, ATC 2008, pp. 321–334. USENIX Association, Berkeley (2008)Google Scholar
  7. 7.
    CA/Browser Forum. Guidelines for the issuance and management of extended validation certificates (March 2014),
  8. 8.
    Hoffman, P., Schlyter, J.: The DNS-based authentication of named entities (DANE) transport layer security (tls) protocol: TLSA. RFC 6698, RFC Editor (August 2012)Google Scholar
  9. 9.
    National Institute of Standards and Technology (NIST),
  10. 10.
    Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962, RFC Editor (June 2013)Google Scholar
  11. 11.
    Evans, C., Palmer, C., Sleevi, R.: Public key pinning extension for http. Internet-Draft draft-ietf-websec-key-pinning-08, IETF Secretariat (July 2013)Google Scholar
  12. 12.
    Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management - part 1: General (revision 3). Technical Report NIST Special Publication 800-57, National Institute of Standards and Technology (March 2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Christopher W. Brown
    • 1
  • Michael Jenkins
    • 2
  1. 1.National Security Agency / U. S. Naval AcademyAnnapolisUSA
  2. 2.National Security AgencyMarylandUSA

Personalised recommendations