On the Usability of HTTPS Deployment

Bernhard, Matthew; Sharman, Jonathan P.; Acemyan, Claudia Ziegler; Kortum, Philip; Wallach, Dan S.; Halderman, J. Alex

doi:10.1145/3290605.3300540

Cited by 11 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work suggests that the current approach of sub-optimal defaults along with online recommendations that guide operators to fix those settings, is fundamentally broken. We echo previous studies' calls for fixing systems to be secure by default [36,57]. We also encourage future studies to consider SaaS services separately from individually-configured services since aggregate statistics can otherwise be misleading.…”

Section: Introductionsupporting

confidence: 67%

“…The HTTPS ecosystem and Web PKI has been subject to much attention and there is a large body of prior work analyzing server usability and misconfiguration [36,57], TLS clients and interception [40,46,51,54], server configuration [42,43,56,60,70], TLS attacks [10, 29-31, 34, 35, 37, 38, 45, 50, 71, 72], and Web PKI [32,39,44,52,74]. We highlight relevant prior work below.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

An Empirical Analysis of HTTPS Configuration Security

Simoiu¹,

Nguyen²,

Durumeric³

2021

Preprint

View full text Add to dashboard Cite

It is notoriously difficult to securely configure HTTPS, and poor server configurations have contributed to several attacks including the FREAK, Logjam, and POODLE attacks. In this work, we empirically evaluate the TLS security posture of popular websites and endeavor to understand the configuration decisions that operators make. We correlate several sources of influence on sites' security postures, including software defaults, cloud providers, and online recommendations. We find a fragmented web ecosystem: while most websites have secure configurations, this is largely due to major cloud providers that offer secure defaults. Individually configured servers are more often insecure than not. This may be in part because common resources available to individual operators-server software defaults and online configuration guides-are frequently insecure. Our findings highlight the importance of considering SaaS services separately from individually-configured sites in measurement studies, and the need for server software to ship with secure defaults.

show abstract

Section: Introductionsupporting

confidence: 67%

Section: Related Workmentioning

confidence: 99%

An Empirical Analysis of HTTPS Configuration Security

Simoiu¹,

Nguyen²,

Durumeric³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Prior to our work, the process of obtaining a certificate and configuring an HTTPS server was often manual and tedious [22]. First, system administrators had to recognize that they needed a certificate and navigate the confusing marketplace.…”

Section: Obtaining and Installing A Certificatementioning

confidence: 99%

“…A major barrier to wider HTTPS adoption was that deploying it was complicated, expensive, and error-prone for server operators [22,57]. Most of the difficulty involved interactions with Certificate Authorities (CAs), entities trusted by Web browsers to validate a server's identity and issue a digitally signed certificate binding the identity to the server's public key.…”

Section: Introductionmentioning

confidence: 99%

Let's Encrypt

Aas¹,

Barnes

Case

et al. 2019

Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Let's Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let's Encrypt has grown to become the world's largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let's Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA-server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let's Encrypt's impact on the Web and the CA ecosystem. We hope that the success of Let's Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure. CCS CONCEPTS • Networks → Web protocol security; • Security and privacy → Security services; Usability in security and privacy.

show abstract

“…For example, access to good documentation and reliable example code have significant impacts on solving security tasks Fischer et al, 2017;Mindermann and Wagner, 2018;Mindermann and Wager, 2020), as does priming (Naiakshina et al, 2018). Usability issues can also impact the appropriate use of other security-related systems, including Android development (Acar et al, 2016), cryptographic APIs Gorski et al, 2018;Naiakshina et al, 2019;Oliveira et al, 2018;Zeier et al, 2019), type systems (Weber et al, 2017), HTTPS deployment (Krombholz et al, 2017;Bernhard et al, 2019), OpenSSL (Ukrop and Matyas, 2018), and string and I/O APIs (Oliveira et al, 2018).…”

Section: Introductionmentioning

confidence: 99%

Bad Tools Hurt: Lessons for teaching computer security skills to undergraduates

Sharman

Acemyan²,

Kortum

et al. 2021

IJCSES

Self Cite

View full text Add to dashboard Cite

Understanding why developers continue to misuse security tools is critical to designing safer software, yet the underlying reasons developers fail to write secure code are not well understood. In order to better understand how to teach these skills, we conducted two comparatively large-scale usability studies with undergraduate CS students to assess factors that affect success rates in securing web applications against cross-site request forgery (CSRF) attacks. First, we examined the impact of providing students with example code and/or a testing tool. Next, we examined the impact of working in pairs. We found that access to relevant secure code samples gave significant benefit to security outcomes. However, access to the tool alone had no significant effect on security outcomes, and surprisingly, the same held true for the tool and example code combined. These results confirm the importance of quality example code and demonstrate the potential danger of using security tools in the classroom that have not been validated for usability. No individual differences predicted one’s ability to complete the task. We also found that working in pairs had a significant positive effect on security outcomes. These results provide useful directions for teaching computer security programming skills to undergraduate students.

show abstract

On the Usability of HTTPS Deployment

Cited by 11 publications

References 8 publications

An Empirical Analysis of HTTPS Configuration Security

An Empirical Analysis of HTTPS Configuration Security

Let's Encrypt

Bad Tools Hurt: Lessons for teaching computer security skills to undergraduates

Contact Info

Product

Resources

About