The Inconvenient Truth About Web Certificates


Ontology type: schema:Chapter      Open Access: True


Chapter Info

DATE

2013

AUTHORS

Nevena Vratonjic , Julien Freudiger , Vincent Bindschaedler , Jean-Pierre Hubaux

ABSTRACT

HTTPS is the de facto standard for securing Internet communications. Although it is widely deployed, the security provided with HTTPS in practice is dubious. HTTPS may fail to provide security for multiple reasons, mostly due to certificate-based authentication failures. Given the importance of HTTPS, we investigate the current scale and practices of HTTPS and certificate-based deployment. We provide a large-scale empirical analysis that considers the top one million most popular websites. Our results show that very few websites implement certificate-based authentication properly. In most cases, domain mismatches between certificates and websites are observed. We study the economic, legal and social aspects of the problem. We identify causes and implications of the profit-oriented attitude of CAs and show how the current economic model leads to the distribution of cheap certificates for cheap security. Finally, we suggest possible changes to improve certificate-based authentication.

PAGES

79-117

References to SciGraph publications

  • 2004. Improving Information Flow in the Information Security Market in ECONOMICS OF INFORMATION SECURITY
  • 2009. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate in ADVANCES IN CRYPTOLOGY - CRYPTO 2009
  • 2007. Information Security Economics – and Beyond in ADVANCES IN CRYPTOLOGY - CRYPTO 2007
  • 2010. Measuring the Perpetrators and Funders of Typosquatting in FINANCIAL CRYPTOGRAPHY AND DATA SECURITY
  • 2005. Key Length in BRUTE FORCE
BOOK

Economics of Information Security and Privacy III

ISBN

978-1-4614-1980-8
978-1-4614-1981-5

IDENTIFIERS

URI

http://scigraph.springernature.com/pub.10.1007/978-1-4614-1981-5_5

DOI

http://dx.doi.org/10.1007/978-1-4614-1981-5_5

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1038919587



    JSON-LD is the canonical representation for SciGraph data.


    [
      {
        "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
        "about": [
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0804", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Data Format", 
            "type": "DefinedTerm"
          }, 
          {
            "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
            "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
            "name": "Information and Computing Sciences", 
            "type": "DefinedTerm"
          }
        ], 
        "author": [
          {
            "affiliation": {
              "alternateName": "\u00c9cole Polytechnique F\u00e9d\u00e9rale de Lausanne", 
              "id": "https://www.grid.ac/institutes/grid.5333.6", 
              "name": [
                "School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Vratonjic", 
            "givenName": "Nevena", 
            "id": "sg:person.012623312341.27", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.012623312341.27"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "\u00c9cole Polytechnique F\u00e9d\u00e9rale de Lausanne", 
              "id": "https://www.grid.ac/institutes/grid.5333.6", 
              "name": [
                "School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Freudiger", 
            "givenName": "Julien", 
            "id": "sg:person.010250253123.68", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.010250253123.68"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "\u00c9cole Polytechnique F\u00e9d\u00e9rale de Lausanne", 
              "id": "https://www.grid.ac/institutes/grid.5333.6", 
              "name": [
                "School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Bindschaedler", 
            "givenName": "Vincent", 
            "id": "sg:person.07444533041.72", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.07444533041.72"
            ], 
            "type": "Person"
          }, 
          {
            "affiliation": {
              "alternateName": "\u00c9cole Polytechnique F\u00e9d\u00e9rale de Lausanne", 
              "id": "https://www.grid.ac/institutes/grid.5333.6", 
              "name": [
                "School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland"
              ], 
              "type": "Organization"
            }, 
            "familyName": "Hubaux", 
            "givenName": "Jean-Pierre", 
            "id": "sg:person.013552656710.60", 
            "sameAs": [
              "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013552656710.60"
            ], 
            "type": "Person"
          }
        ], 
        "citation": [
          {
            "id": "https://doi.org/10.1145/1124772.1124861", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1003721226"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1145/1367497.1367569", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1004894044"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-642-14577-3_15", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1005728883", 
              "https://doi.org/10.1007/978-3-642-14577-3_15"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-642-14577-3_15", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1005728883", 
              "https://doi.org/10.1007/978-3-642-14577-3_15"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/1-4020-8090-5_12", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1006011886", 
              "https://doi.org/10.1007/1-4020-8090-5_12"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1145/1143120.1143131", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1013285016"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1145/1391949.1391950", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1022686778"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1145/1655008.1655012", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1026396859"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/0-387-27160-0_4", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1032757728", 
              "https://doi.org/10.1007/0-387-27160-0_4"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-642-03356-8_4", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1037125946", 
              "https://doi.org/10.1007/978-3-642-03356-8_4"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-540-74143-5_5", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1043275917", 
              "https://doi.org/10.1007/978-3-540-74143-5_5"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "sg:pub.10.1007/978-3-540-74143-5_5", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1043275917", 
              "https://doi.org/10.1007/978-3-540-74143-5_5"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1145/1073001.1073006", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1049875619"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/msp.2008.131", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1061422984"
            ], 
            "type": "CreativeWork"
          }, 
          {
            "id": "https://doi.org/10.1109/sp.2007.35", 
            "sameAs": [
              "https://app.dimensions.ai/details/publication/pub.1093997025"
            ], 
            "type": "CreativeWork"
          }
        ], 
        "datePublished": "2013", 
        "datePublishedReg": "2013-01-01", 
        "description": "HTTPS is the de facto standard for securing Internet communications. Although it is widely deployed, the security provided with HTTPS in practice is dubious. HTTPS may fail to provide security for multiple reasons, mostly due to certificate-based authentication failures. Given the importance of HTTPS, we investigate the current scale and practices of HTTPS and certificate-based deployment. We provide a large-scale empirical analysis that considers the top one million most popular websites. Our results show that very few websites implement certificate-based authentication properly. In most cases, domain mismatches between certificates and websites are observed. We study the economic, legal and social aspects of the problem. We identify causes and implications of the profit-oriented attitude of CAs and show how the current economic model leads to the distribution of cheap certificates for cheap security. Finally, we suggest possible changes to improve certificate-based authentication.", 
        "editor": [
          {
            "familyName": "Schneier", 
            "givenName": "Bruce", 
            "type": "Person"
          }
        ], 
        "genre": "chapter", 
        "id": "sg:pub.10.1007/978-1-4614-1981-5_5", 
        "inLanguage": [
          "en"
        ], 
        "isAccessibleForFree": true, 
        "isPartOf": {
          "isbn": [
            "978-1-4614-1980-8", 
            "978-1-4614-1981-5"
          ], 
          "name": "Economics of Information Security and Privacy III", 
          "type": "Book"
        }, 
        "name": "The Inconvenient Truth About Web Certificates", 
        "pagination": "79-117", 
        "productId": [
          {
            "name": "doi", 
            "type": "PropertyValue", 
            "value": [
              "10.1007/978-1-4614-1981-5_5"
            ]
          }, 
          {
            "name": "readcube_id", 
            "type": "PropertyValue", 
            "value": [
              "b964a33233c28d7b83983d3b21d432c10ab36c110cf9750a6e0685f6d5a599cf"
            ]
          }, 
          {
            "name": "dimensions_id", 
            "type": "PropertyValue", 
            "value": [
              "pub.1038919587"
            ]
          }
        ], 
        "publisher": {
          "location": "New York, NY", 
          "name": "Springer New York", 
          "type": "Organisation"
        }, 
        "sameAs": [
          "https://doi.org/10.1007/978-1-4614-1981-5_5", 
          "https://app.dimensions.ai/details/publication/pub.1038919587"
        ], 
        "sdDataset": "chapters", 
        "sdDatePublished": "2019-04-15T11:36", 
        "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
        "sdPublisher": {
          "name": "Springer Nature - SN SciGraph project", 
          "type": "Organization"
        }, 
        "sdSource": "s3://com-uberresearch-data-dimensions-target-20181106-alternative/cleanup/v134/2549eaecd7973599484d7c17b260dba0a4ecb94b/merge/v9/a6c9fde33151104705d4d7ff012ea9563521a3ce/jats-lookup/v90/0000000001_0000000264/records_8660_00000267.jsonl", 
        "type": "Chapter", 
        "url": "http://link.springer.com/10.1007/978-1-4614-1981-5_5"
      }
    ]
     


    HOW TO GET THIS DATA PROGRAMMATICALLY:

    JSON-LD is a popular format for linked data which is fully compatible with JSON.

    curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-1-4614-1981-5_5'

    N-Triples is a line-based linked data format ideal for batch operations.

    curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-1-4614-1981-5_5'

    Turtle is a human-readable linked data format.

    curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-1-4614-1981-5_5'

    RDF/XML is a standard XML format for linked data.

    curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-1-4614-1981-5_5'





