Here's my cert, so trust me, maybe? Understanding TLS errors on the web

WWW 2013 - Proceedings of the 22nd International Conference on World Wide Web

Volumn , Issue , 2013, Pages 59-69

  Akhawe, Devdatta ^a   Amann, Bernhard ^b   Vallentin, Matthias ^a   Sommer, Robin ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b INTERNATIONAL COMPUTER SCIENCE INSTITUTE   (United States)

Author keywords

TLS; Usability; Warnings

Indexed keywords

HIGH-RISK SITUATIONS; LARGE-SCALE MEASUREMENT; MEASUREMENT STUDY; MISCONFIGURATIONS; NETWORK MONITORS; TLS; USABILITY; WARNINGS;

ERRORS; RISK PERCEPTION; WORLD WIDE WEB;

SEEBECK EFFECT;

EID: 84890107028     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (49)

1. Code Release. http://is.gd/pxe5e6.
2. Amann, B., Vallentin, M., Hall, S., and Sommer, R. Extracting Certificates from Live Traffic: A Near Real-Time SSL Notary Service. TR-12-014, ICSI Nov. 2012. http://is.gd/EMt2Kz.
3. Barth, A. X-Script-Origin, we hardly knew ye, Oct 2011. http://is.gd/PvWp5w.
4. Böhme, R., and Grossklags, J. The Security Cost of Cheap User Interaction. In Proc. of NSPW 2011
5. Chromium Authors. HSTS Preload and Certificate Pinning List. http://is.gd/1Hfvxe.
6. Convergence. http://www.convergence.io.
7. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and Polk, W. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile. RFC 5280, May 2008.
8. Dhamija, R., Tygar, J., and Hearst, M. Why Phishing Works. In Proc. of CHI 2006 pp. 581-590.
9. Dreger, H., Feldmann, A., Mai, M., Paxson, V., and Sommer, R. Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection. In Proc. of USENIX Security Symp. (2006).
10. Eastlake, D. Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066 (Proposed Standard), Jan. 2011.
11. Egelman, S., Cranor, L. F., and Hong, J. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. In CHI (2008).
12. The EFF SSL Observatory. https://www.eff.org/observatory.
13. Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., and Freisleben, B. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)security. In Proc. of CCS 2012 pp. 50-61.
14. Felt, A. P., Ha, E., Egelman, S., Haney, A., Chin, E., and Wagner, D. Android permissions: User attention, comprehension, and behavior. In Proc. of SOUPS (2012).
15. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., and Shmatikov, V. The most dangerous code in the world: validating SSL certificates in non-browser software. In Proc. of CCS 2012 pp. 38-49.
16. Hodges, J., Jackson, C., and Barth, A. Http strict transport security (hsts). RFC 6797 Nov. 2012.
17. Hoffman, P., and Schlyter, J. The DNS-Based Authentication of Named Entities (DANE): TLSA Protocol. RFC 6698, Aug. 2012.
18. Holz, R., Braun, L., Kammenhuber, N., and Carle, G. The SSL landscape: a thorough analysis of the x.509 PKI using active and passive measurements. In Proc. of IMC 2011 .
19. Karlof, C., Tygar, J., and Wagner, D. Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication. In Proc. of 16th NDSS (February 2009).
20. Krosnick, J. Response strategies for coping with the cognitive demands of attitude measures in surveys. Applied cognitive psychology 5, 3 (1991), 213-236.
21. Langley, A. Revocation checking and Chrome's CRL. http://is.gd/2rg7SS, Feb. 2012.
22. Langley, A. SSL Interstitial Bypass Rates, Feb. 2012. http://is.gd/hPErbv
23. Laurie, B., Langley, A., and Kasper, E. Certificate Authority Transparency and Auditability. http://www.certificate-transparency.org/.
24. Leavitt, N. Internet security under attack: The undermining of digital certificates. Computer 44
25. Lenstra, A., Hughes, J., Augier, M., Bos, J., Kleinjung, T., and Wachter, C. Ron was wrong, Whit is right. IACR eprint archive 64 (2012).
26. StartSSL Free. https://www.startssl.com.
27. MozillaWiki: Mobile Web Evangelism. https://wiki.mozilla.org/Mobile/ Evangelism.
28. Motiee, S., Hawkey, K., and Beznosov, K. Do Windows Users Follow the Principle of Least Privilege? Investigating User Account Control Practices. In Proc. of SOUPS (2010).
29. Mozilla Bugzilla. Bug 364667: Tolerate mismatch between certificate host and actual host if the difference is only "www.". https://bugzil.la/ 364667.
30. Mozilla Bugzilla. Bug 634074: Cannot validate valid certificate chain when looping/cross-signed certs are involved. https://bugzil.la/634074.
31. Mozilla Bugzilla. Bug 657228 - Preload all known intermediate certificates for CAs in our root store. https://bugzil.la/657228.
32. Mozilla Bugzilla. Bug 806281: NSS doesn't use publicsufix list. https://bugzil.la/806281.
33. Mozilla Bugzilla. Bug 808331: Intermediates Cached in Private Browsing Mode. https://bugzil.la/808331.
34. Mozilla Bugzilla. Tech Evangelism Bugs. http://is.gd/sqCtFm.
35. MozillaWiki: Maintaining Confidence in Root Certificates. http://is.gd/gnGt0M.
36. Network Security Services (NSS). https: //www.mozilla.org/projects/ security/pki/nss/.
37. Paxson, V. Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31
38. Public Suffix List. http://publicsuffix.org.
39. Rescorla, E. HTTP Over TLS. RFC 2818 (Informational), May 2000.
40. Saint-Andre, P., and Hodges, J. Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security. RFC 6125, March 2011.
41. Santesson, S., and Hallam-Baker, P. Online Certificate Status Protocol Algorithm Agility. RFC 6277 (Proposed Standard), June 2011.
42. Soghoian, C., and Stamm, S. Certified lies: Detecting and defeating government interception attacks against ssl (short paper). Financial Cryptography and Data Security (2012), 250-259.
43. Sotirakopoulos, A., Hawkey, K., and Beznosov, K. On the challenges in usable security lab studies: lessons learned from replicating a study on SSL warnings. In Proc. of SOUPS 2011 pp. 3:1-3:18.
44. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and Cranor, L. F. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the 18th Usenix Security Symposium (2009).
45. EFF: The Sovereign Keys Project. https://www.eff.org/sovereign-keys.
46. Vratonjic, N., Freudiger, J., Bindschaedler, V., and Hubaux, J. The inconvenient truth about web certificates. In Proc. of WEIS (2011), 79-117.
47. Wendlandt, D., Andersen, D. G., and Perrig, A. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. USENIX ATC (2008).
48. Whalen, T., and Inkpen, K. Gathering evidence: use of visual security cues in web browsers. In Proc. of Graphics Interface 2005 (2005), pp. 137-144.
49. Wikipedia. Accuracy of Ranking by Alexa Toolbar.