Skip to main content
Springer Nature Link
Log in

The Inconvenient Truth About Web Certificates

  • Conference paper
  • First Online:
Economics of Information Security and Privacy III

Abstract

HTTPS is the de facto standard for securing Internet communications. Although it is widely deployed, the security provided with HTTPS in practice is dubious. HTTPS may fail to provide security for multiple reasons, mostly due to certificate-based authentication failures. Given the importance of HTTPS, we investigate the current scale and practices of HTTPS and certificate-based deployment. We provide a large-scale empirical analysis that considers the top one million most popular websites. Our results show that very few websites implement certificate-based authentication properly. In most cases, domain mismatches between certificates and websites are observed. We study the economic, legal and social aspects of the problem. We identify causes and implications of the profit-oriented attitude of CAs and show how the current economic model leads to the distribution of cheap certificates for cheap security. Finally, we suggest possible changes to improve certificate-based authentication.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The legitimate domain is bankofamerica.com.

  2. 2.

    E-banking URL of ubs.com: https://ebanking1.ubs.com/en/OGJNCMHIFJJEIBAKJBDHLMBJFELALLHGKIJDACFGIEDK HLBJCBPLHMOOKDAHFFKONKKKAMPMNAEDFPCIOENKBGNEGNBDKJNN6Aes21WHTRFkGdlzvKKjjyZeB+GNeAGf-jzjgiO2LFw

  3. 3.

    To illustrate how Alexa sorts websites into categories, we provide the list of top five websites per category in Appendix.

  4. 4.

    A wildcard “*” stands for at most one level of subdomain, i.e. *.domain.tld matches subdomain.domain.tld but not subsubdomain.subdomain.domain.tld.

  5. 5.

    Expiration periods are computed with respect to February 2010.

  6. 6.

    Even though some CAs (e.g., Equifax and Thawte) were acquired by VeriSign, we refer to them as separate CAs as they offer different products and services and have different policies.

References

  1. VeriSign Inc. URL http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/index.html

  2. The SSL Protocol, Version 3.0 (1996) URL http://tools.ietf.org/html/draft-ietf-tls-ssl-version3-00

  3. Internet X.509 Public Key Infrastructure Certificate and CRL Profile (1999) URL http://www.ietf.org/rfc/rfc2459.txt

  4. The TLS Protocol, Version 1.0 (1999) URL http://tools.ietf.org/html/rfc2246

  5. HTTP Over TLS (2000) URL http://tools.ietf.org/html/rfc2818

  6. Cardholders targetted by Phishing attack using visa-secure.com (2004) URL http://news.netcraft.com/archives/2004/10/08/cardholders_targetted_by_phishing_attack_using_visasecurecom.html

  7. Transport Layer Security (TLS) Extensions (2006) URL http://tools.ietf.org/html/rfc4366

  8. Has Firefox 3 certificate handling become too scary? (2008) URL http://www.betanews.com/article/Has-Firefox-3-certificate-handling-become-too-scary/1219180509

  9. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (2008) URL http://tools.ietf.org/html/rfc5280

  10. Tim Callan’s SSL Blog, MD5 attack resolved (2008) URL https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

  11. EV and SSL Certificate Trends For The Top 100 Retailers (2010) URL http://www.lexiconn.com/blog/2010/09/ev-ssl-top-100-retailers/

  12. Guidelines For The Issuance And Management Of Extended Validation Certificates (2010) URL http://www.cabforum.org/Guidelines_v1_3.pdf

  13. Alexa the Web Information Company (2011) URL http://www.alexa.com/

  14. Home of the Mozilla Project (2011) URL http://www.mozilla.org/

  15. Improving SSL certificate security (2011) URL http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html

  16. OpenSSL: Documents, verify(1) (2011) URL http://www.openssl.org/docs/apps/verify.html

  17. OpenSSL: The Open Source toolkit for SSL/TLS (2011) URL http://www.openssl.org/

  18. SQLite Home Page (2011) URL http://www.sqlite.org/

  19. SSL Certificate for Mozilla.com Issued Without Validation (2011) URL http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html

  20. The EFF SSL Observatory — Electronic Frontier Foundation (2011) URL http://www.eff.org/observatory

  21. Trusted Certificates vs. Browser Recognized Certificates (2011) URL http://www.instantssl.com/ssl-certificate-support/guides/ssl-certificate-validation.html

  22. What are the types of SSL Certificates? (2011) URL http://www.globalsign.com/ssl-information-center/what-are-the-types-of-ssl-certificate.html

  23. Ahmad D (2008) Two years of broken crypto: Debian’s dress rehearsal for a global PKI compromise. IEEE Security and Privacy 6:70–73

    Article  Google Scholar 

  24. Anderson R, Moore T (2007) Information security economics—and beyond. CRYPTO, pp 68–91

    Google Scholar 

  25. Biddle R, Oorschot PCV, Sobey J, Whalen T, Patrick AS (2009) Browser interfaces and extended validation SSL certificates: an empirical study. In: CCSW’09: Proceedings of the 2009 ACM workshop on cloud computing security

    Google Scholar 

  26. Dhamija R, Tygar JD, Hearst MA (2006) Why phishing works. In: Computer human interaction, pp 581–590

    Google Scholar 

  27. Downs JS, Holbrook MB, Cranor LF (2006) Decision strategies and susceptibility to phishing. In: Symposium on usable privacy and security, pp 79–90

    Google Scholar 

  28. Ghose A, Rajan U (2006) The economic impact of regulatory information disclosure on information security investments, competition, and social welfare. In: WEIS

    Google Scholar 

  29. Good N, Dhamija R, Grossklags J, Thaw D, Aronowitz S, Mulligan DK, Konstan JA (2005) Stopping spyware at the gate: a user study of privacy, notice and spyware. In: Symposium on usable privacy and security, pp 43–52

    Google Scholar 

  30. Herzberg A, Jbara A (2008) Security and identification indicators for browsers against spoofing and phishing attacks. ACM Trans Internet Technol 8:16:1–16:36

    Google Scholar 

  31. Jackson C, Barth A (2008) Forcehttps: protecting high-security web sites from network attacks. In: WWW

    Google Scholar 

  32. Jakobsson M, Myers S (2006) Phishing and countermeasures: understanding the increasing problem of electronic identity theft. Wiley, New York

    Book  Google Scholar 

  33. Landwehr C (2004) Improving information flow in the information security market. Economics of Information Security, pp 155–163

    Google Scholar 

  34. Lenstra AK (2004) Key length

    Google Scholar 

  35. Moore T, Edelman B (2010) Measuring the perpetrators and funders of typosquatting. Lecture notes in computer science. Springer, Berlin/Heidelberg

    Google Scholar 

  36. Schechter SE, Dhamija R, Ozment A, Fischer I (2007) The emperor’s new security indicators. In: IEEE symposium on security and privacy, pp 51–65

    Google Scholar 

  37. Sogohian C, Stamm S (2010) Certified lies: detecting and defeating government interception attacks against SSL. In: HotPETs

    Google Scholar 

  38. Stevens M, Sotirov A, Appelbaum J, Lenstra A, Molnar D, Osvik DA, Weger B (2009) Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Cryptology conference on advances in cryptology, pp 55–69

    Google Scholar 

  39. Sunshine J, Egelman S, Almuhimedi H, Atri N, Cranor LF (2009) Crying wolf: an empirical study of SSL warning effectiveness. In: USENIX security symposium, USENIX Association, pp 399–416

    Google Scholar 

  40. Wendlandt D, Andersen DG, Perrig A (2008) Perspectives: improving SSH-style host authentication with multi-path probing. In: USENIX Annual Technical Conference (Usenix ATC)

    Google Scholar 

  41. Whalen T, Inkpen KM (2005) Gathering evidence: use of visual security cues in web browsers. In: Proceedings of graphics interface 2005, GI ’05, Canadian Human-Computer Communications Society, School of Computer Science, University of Waterloo, Waterloo, Ontario, Canada, pp 137–144

    Google Scholar 

Download references

Acknowledgements

We would like to thank Jens Grossklags for his valuable insights and feedback.

Author information

Authors and Affiliations

  1. School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland

    Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler & Jean-Pierre Hubaux

Authors
  1. Nevena Vratonjic
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Julien Freudiger
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vincent Bindschaedler
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jean-Pierre Hubaux
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nevena Vratonjic .

Editor information

Editors and Affiliations

  1. Minneapolis, Minnesota, USA

    Bruce Schneier

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Vratonjic, N., Freudiger, J., Bindschaedler, V., Hubaux, JP. (2013). The Inconvenient Truth About Web Certificates. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_5

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-1981-5_5

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-1980-8

  • Online ISBN: 978-1-4614-1981-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics