Usability Insights from Establishing TLS Connections

  • Conference paper
ICT Systems Security and Privacy Protection (SEC 2022)

Abstract

TLS is crucial to network security, but TLS-related APIs have been repeatedly shown to be misused. While existing usable security research focuses on cryptographic primitives, the specifics of TLS interfaces seem to be under-researched. We thus set out to investigate the usability of TLS-related APIs in multiple libraries, with a focus on identifying what is specific to TLS. We conducted a three-fold exploratory study with altogether 60 graduate students, comparing the APIs of three popular security libraries for establishing TLS connections: OpenSSL, GnuTLS, and mbed TLS. We qualitatively analyzed the submitted reports commenting on API usability and tested the source code the participants created. User satisfaction emerged as an interesting, potentially under-researched theme, as all APIs received both positive and negative reviews. Abstraction level, error handling, entity naming, and documentation emerged as the most salient usability themes. Regarding functionality, checking for revoked certificates was especially complicated, and other basic security checks did not seem easy either. In summary, although there were conflicting opinions on both the interfaces and the documentation of the libraries, several usability issues were shared among participants, forming a target for closer inspection and subsequent improvement.


Notes

  1. Note that the course was moved to spring in the academic year 2020/21 and thus did not run in autumn 2020.

  2. https://docs.python.org/3/library/ssl.html

  3. https://cr.openjdk.java.net/~iris/se/11/latestSpec/api/java.base/javax/net/ssl/SSLSocket.html

  4. https://pkg.go.dev/crypto/tls

  5. https://nodejs.org/api/tls.html

  6. https://docs.rs/rustls/latest/rustls/

  7. https://wiki.openssl.org/index.php/Main_Page

  8. https://github.com/openssl/openssl

  9. https://gitlab.com/gnutls/gnutls/blob/master/README.md

  10. https://www.trustedfirmware.org/projects/mbed-tls/

  11. https://github.com/ARMmbed/mbedtls


Acknowledgments

This research was supported by the ERDF project CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence (No. CZ.02.1.01/0.0/0.0/16_019/0000822). We would like to thank Red Hat Czech for support and all students of the course for participating in this research. Thanks also go to Pavol Žáčik for helping to confirm different API functionality aspects.

Author information


Correspondence to Vashek Matyáš.


Copyright information

© 2022 IFIP International Federation for Information Processing

About this paper

Cite this paper

Kraus, L., Grabovský, M., Ukrop, M., Galanská, K., Matyáš, V. (2022). Usability Insights from Establishing TLS Connections. In: Meng, W., Fischer-Hübner, S., Jensen, C.D. (eds) ICT Systems Security and Privacy Protection. SEC 2022. IFIP Advances in Information and Communication Technology, vol 648. Springer, Cham. https://doi.org/10.1007/978-3-031-06975-8_17

  • DOI: https://doi.org/10.1007/978-3-031-06975-8_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-06974-1

  • Online ISBN: 978-3-031-06975-8

  • eBook Packages: Computer Science (R0)
