Security Collapse in the HTTPS Market | ACM Queue

Axel Arnbak, Hadi Asghari, Michel van Eeten, Nico Van Eijk; Security Collapse in the HTTPS Market; In ACM Queue; Volume 12, issue 8; 2014-09-23
Teaser: Assessing legal and technical solutions to secure HTTPS

Mentions

  • “An outdated implementation, as long as the browser accepts it, appears similar to the state-of-the-art implementation.”
  • SSL Pulse, a dashboard of the Trustworthy Internet Movement (dated 2016-03-05; series commencing 2012-04-25).
  • Much of the value proposition of PKI comes from the “trust signals” (the badging), which do nothing.

Argot

  • Hypertext Transfer Protocol Secure (HTTPS)
  • Transport Layer Security (TLS)
  • Secure Sockets Layer (SSL)
  • Certificate Authority (CA)
  • Validation Levels
    • Domain Validated (DV)
    • Organization Validated (OV)
    • Extended Validation (EV)

Breaches

  • DigiNotar
  • Comodo
  • VeriSign
  • Trustwave

Failures

  • OpenSSL
  • Apple #gotofail
  • OpenSSL Heartbleed
  • BULLRUN
  • MUSCULAR
  • FLYING PIG
  • DigiNotar
    • 2011
    • Dutch

Transparency Proposals

  • Convergence
  • Perspectives
  • DANE
  • Sovereign Keys
  • Certificate Transparency
  • Public Key Pinning
  • TACK
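Of the proposals above, Certificate Transparency is the one that rests on a precisely specified data structure: an append-only Merkle tree (RFC 6962, section 2.1) in which every issued certificate becomes a leaf, and a monitor or client can check, with a short audit path, that a given certificate is really in the log head the log has signed. The following is an added example, not code from the article or from any CT log implementation; it assumes SHA-256 as the log hash and hashes constructed stand-in byte strings in place of the DER MerkleTreeLeaf structures a real log would hash.

```python
"""Added example (not from the ACM Queue article): RFC 6962 Merkle tree
hashing and inclusion-proof verification for a Certificate Transparency log.

Assumptions: SHA-256 as the log's hash; leaf inputs are arbitrary bytes
(a real log hashes the DER-encoded MerkleTreeLeaf, here we hash constructed
stand-in strings such as b"cert-3")."""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962: leaves are hashed with a 0x00 prefix so that a leaf can
    # never be confused with an interior node (second-preimage defence).
    return _h(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # Interior nodes are hashed with a 0x01 prefix.
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries) -> bytes:
    """Merkle Tree Hash (MTH) of an ordered list of leaf inputs."""
    n = len(entries)
    if n == 0:
        return _h(b"")          # MTH({}) = HASH() per RFC 6962
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_path(entries, index: int) -> list:
    """Audit path for leaf `index`: sibling hashes ordered leaf-to-root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_path(entries[:k], index) + [tree_head(entries[k:])]
    return inclusion_path(entries[k:], index - k) + [tree_head(entries[:k])]


def verify_inclusion(leaf_h: bytes, index: int, tree_size: int,
                     path, root: bytes) -> bool:
    """Check an audit path against a signed tree head (RFC 6962 / RFC 9162
    inclusion-proof verification, done without the full tree)."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_h
    for p in path:
        if sn == 0:
            return False        # more path elements than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are a right child (or last, unpaired node)
            if not fn & 1:
                # climb past the levels where this node has no right sibling
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are a left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def demo() -> bool:
    """Constructed log of seven entries: every leaf verifies against the head,
    and a forged leaf presented with a genuine path does not."""
    entries = [b"cert-%d" % i for i in range(7)]  # constructed stand-ins
    head = tree_head(entries)
    ok = all(
        verify_inclusion(leaf_hash(e), i, len(entries),
                         inclusion_path(entries, i), head)
        for i, e in enumerate(entries)
    )
    forged = verify_inclusion(leaf_hash(b"forged-cert"), 3, len(entries),
                              inclusion_path(entries, 3), head)
    return ok and not forged


if __name__ == "__main__":
    print("inclusion proofs behave as expected:", demo())
```

The prefix bytes and the "largest power of two less than n" split are what make a log's head reproducible by anyone holding the same ordered entries, which is the property that lets independent monitors detect a mis-issued certificate that a CA or log operator would rather nobody noticed.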

Vulnerabilities

  • Weakest link
  • Information asymmetry
  • Ineffective auditing
  • Liability dumping

Mapping the Market

  • CA of GoDaddy had signed 26 percent of all valid HTTPS certificates in March 2013.
  • …other factoids…

References

35 references