Security Economics in the HTTPS Value Chain

Asghari, Hadi; Eeten, Michel van; Arnbak, A.; Eijk, N.A.N.M. van

doi:10.2139/ssrn.2277806

Cited by 18 publications

(18 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To illustrate this, Table I shows the fraction of sessions associated with different browser versions. Here, the latest officially released [8]. Although our dataset includes 750 authority certificates, we find that the vast majority of non-self-signed leaf certificates are issued by only a handful of organizations.…”

Section: Trust Relationship Analysismentioning

confidence: 99%

“…The top-five organizations signing leaf certificates are Comodo CA Limited (with 22.9% of the sessions), Go Daddy (18.1%), GeoTrust (16.3%), DigiCert (9.4%), GlobalSign (6.8%). Part of this skew is due to rich-get-richer effects as buyers often select popular CAs as these may be less likely to be removed from root stores [8].…”

Section: Trust Relationship Analysismentioning

confidence: 99%

See 1 more Smart Citation

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Ouvrier

Laterman²,

Arlitt

et al. 2017

IEEE Commun. Mag.

View full text Add to dashboard Cite

Our society increasingly relies on web-based services like online banking, shopping, and socializing. Many of these services heavily depend on secure end-to-end transactions to transfer personal, financial, and other sensitive information. At the core of ensuring secure transactions are the HTTPS protocol and the "trust" relationships between many involved parties, including users, browsers, servers, domain owners, and the third-party Certification Authorities (CAs) that issue certificates binding ownership of public keys with servers and domains. This article presents an overview of the current trust landscape and provides statistics to illustrate and quantify some of the risks facing typical users. Using measurement results obtained through passive monitoring of the HTTPS traffic between a campus network and the Internet, we provide concrete examples and characterize the certificate usage and trust relationships in this complex landscape. By comparing our observations against known vulnerabilities and problems, we highlight and discuss the actual security that typical Internet users (such as the people on campus) experience. Our measurements cover both mobile and stationary users, consider the involved trust relationships, and provide insights into how the HTTPS protocol is used and the weaknesses observed in practice. While the security properties vary significantly between sessions, out of the 232 million HTTPS sessions we observed, more than 25% had weak security properties.

show abstract

Section: Trust Relationship Analysismentioning

confidence: 99%

Section: Trust Relationship Analysismentioning

confidence: 99%

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Ouvrier

Laterman²,

Arlitt

et al. 2017

IEEE Commun. Mag.

View full text Add to dashboard Cite

show abstract

“…Customers would be forced to choose dominant incumbents, as they are likely to remain in service, over new entrants and smaller providers. This is seen in the certification industry, which is extremely concentrated [52]. Technically getting website certificate from a smaller certification authority is the same as getting one from a dominant market player.…”

Section: B Case Study 2: Botnet Takedownsmentioning

confidence: 99%

“…A discussion of the negative effects of market monopolies is beyond the scope of this paper. However, Asghari et al [52] note that even when certain certification authorities provide certificates for free, their services are not adopted in the market.…”

Section: B Case Study 2: Botnet Takedownsmentioning

confidence: 99%

Spare the rod, spoil the network security? Economic analysis of sanctions online

Garg

Camp

2015

2015 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

When and how should we encourage network providers to mitigate the harm of security and privacy risks? Poorly designed interventions that do not align with economic incentives can lead stakeholders to be less, rather than more, careful. We apply an economic framework that compares two fundamental regulatory approaches: risk based or ex ante and harm based or ex post. We posit that for well known security risks, such as botnets, ex ante sanctions are economically efficient. Systematic best practices, e.g. patching, can reduce the risk of becoming a bot and thus can be implemented ex ante. Conversely risks, which are contextual, poorly understood, and new, and where distribution of harm is difficult to estimate, should incur ex post sanctions, e.g. information disclosure. Privacy preferences and potential harm vary widely across domains; thus, post-hoc consideration of harm is more appropriate for privacy risks. We examine two current policy and enforcement efforts, i.e. Do Not Track and botnet takedowns, under the ex ante vs. ex post framework. We argue that these efforts may worsen security and privacy outcomes, as they distort market forces, reduce competition, or create artificial monopolies. Finally, we address the overlap between security and privacy risks.

show abstract

“…al. [AEAE13] offer an interesting perspective on improving SSL/TLS flaws in HTTPS protocol through the analysis of a potential market for such certificates. Based on their findings, they propose a combination of regulatory response and targeted economic incentives to modify HTTPS design.…”

Section: Economic Impact Of Adverse Eventsmentioning

confidence: 99%

Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Vishik¹,

Sheldon

Ott³

2013

ISSE 2013 Securing Electronic Business Processes

View full text Add to dashboard Cite

Cybersecurity practice lags behind cyber technology achievements. Solutions designed to address many problems may and do exist but frequently cannot be broadly deployed due to economic constraints. Whereas security economics focuses on the cost/benefit analysis and supply/demand, we believe that more sophisticated theoretical approaches, such as economic modeling, rarely utilized, would derive greater societal benefits. Unfortunately, today technologists pursuing interesting and elegant solutions have little knowledge of the feasibility for broad deployment of their results and cannot anticipate the influences of other technologies, existing infrastructure, and technology evolution, nor bring the solutions lifecycle into the equation. Additionally, potentially viable solutions are not adopted because the risk perceptions by potential providers and users far outweighs the economic incentives to support introduction/adoption of new best practices and technologies that are not well enough defined. In some cases, there is no alignment with predominant and future business models as well as regulatory and policy requirements.This paper provides an overview of the economics of security, reviewing work that helped to define economic models for the Internet economy from the 1990s. We bring forward examples of potential use of theoretical economics in defining metrics for emerging technology areas, positioning infrastructure investment, and building real-time response capability as part of software development. These diverse examples help us understand the gaps in current research. Filling these gaps will be instrumental for defining viable economic incentives, economic policies, regulations as well as early-stage technology development approaches, that can speed up commercialization and deployment of new technologies in cybersecurity.

show abstract

Security Economics in the HTTPS Value Chain

Cited by 18 publications

References 3 publications

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Characterizing the HTTPS Trust Landscape: A Passive View from the Edge

Spare the rod, spoil the network security? Economic analysis of sanctions online

Economic Incentives for Cybersecurity: Using Economics to Design Technologies Ready for Deployment

Contact Info

Product

Resources

About