Abstract
The creation of the World Wide Web (WWW) in the early 1990s finally made the Internet accessible to a wider part of the population. With this increase in users, security became more important. To address confidentiality and integrity requirements on the web, Netscape—by then a major web browser vendor—presented the Secure Sockets Layer (SSL), later versions of which were renamed to Transport Layer Security (TLS). In turn, this necessitated the introduction of both security indicators in browsers, to inform users about the TLS connection state, and warnings, to inform users about potential errors in the TLS connection to a website. Looking at the evolution of indicators and warnings, we find that the qualitative data on security indicators and warnings, i.e., screenshots of different browsers over time, is inconsistent. Hence, in this paper we outline our methodology for collecting a comprehensive data set of web browser security indicators and warnings, which will enable researchers to better understand how security indicators and TLS warnings in web browsers evolved over time.
Notes
1. For example, early versions of Internet Explorer displayed a warning when a non plain-text website was visited.
Acknowledgements
We would like to thank Petr Švenda, Matúš Nemec, Marek Sýs and Adam Janovský for their comments during the paper writing and the participants of the 2019 Security Protocols Workshop for the lively discussion and the useful hints for our research and the paper. Furthermore, we would like to acknowledge the help of Richard Pánek and Filip Gontko with the collection of TLS warning screen shots.
This work has been partly funded by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 830929 (CyberSec4Europe), and No. 825225 (Safe-DEED). The content herein reflects only the authors’ view, and not that of the involved funding bodies.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kraus, L., Ukrop, M., Matyas, V., Fiebig, T. (2020). Evolution of SSL/TLS Indicators and Warnings in Web Browsers. In: Anderson, J., Stajano, F., Christianson, B., Matyáš, V. (eds) Security Protocols XXVII. Security Protocols 2019. Lecture Notes in Computer Science, vol 12287. Springer, Cham. https://doi.org/10.1007/978-3-030-57043-9_25
DOI: https://doi.org/10.1007/978-3-030-57043-9_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57042-2
Online ISBN: 978-3-030-57043-9
eBook Packages: Computer Science, Computer Science (R0)