Security collapse in the HTTPS market

Communications of the ACM

Volumn 57, Issue 10, 2014, Pages 47-55

  Arnbak, Axel ^a   Asghari, Hadi ^b   Van Eeten, Michel ^b   Van Eijk, Nico ^a  

^a UNIVERSITY OF AMSTERDAM   (Netherlands)

^b DELFT UNIVERSITY OF TECHNOLOGY   (Netherlands)

Author keywords

[No Author keywords available]

Indexed keywords

COMMERCE; HYPERTEXT SYSTEMS; LAWS AND LEGISLATION;

BINDING FORCES; DE FACTO STANDARD; EUROPEAN UNION; FINANCIAL SECTORS; INFORMATION ASYMMETRY; NEGATIVE EXTERNALITIES; POLICY MAKERS; STATE OF THE ART;

HTTP;

EID: 84908242723     PISSN: 00010782     EISSN: 15577317     Source Type: Journal    
DOI: 10.1145/2660574     Document Type: Article

References (25)

1. Anderson, R.J. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2008.
2. Arnbak, A. and van Eijk, N. Certificate Authority collapse: regulating systemic vulnerabilities in the HTTPS value chain. Research Conference on Communication, Information and Internet Policy (TPRC), 2012; http://papers.ssrn.com/sol3/papers.cfm?abstract-id=2031409.
3. Asghari, H., van Eeten, M.J., Arnbak, A.M. and van Eijk, N.A. Security economics in the HTTPS value chain, 2013; http://papers.ssrn.com/sol3/papers.cfm?abstract-id=2277806
4. Bakos, Y., Marotta-Wurgler, F. and Trossen, D. Does anyone read the fine print? Testing a law and economics approach to standard form contracts. In Proceedings of the Fourth Annual Conference on Empirical Legal Studies, 2009.
5. Bonneau, J. Fixing HTTPS: new models for distributing transport security policy. Center for Information Technology Policy (CITP) Seminar, 2014; https://docs.google.com/presentation/d/1dxWwKUOVjO1MnOJQkyxCS03VfFp-kmPeAmneJ9KLd-M/edit?usp=sharing.
6. Constantin, L. Trustwave admits issuing manin-The-middle digital certificate; Mozilla debates punishment. ComputerWorld (Feb. 8, 2012); http://www.computerworld.com/s/article/9224082/Trustwave-admits-issuing-man-in-The-middle-digital-certificate-Mozilla-debates-punishment
7. Durumeric, Z., Kasten, J., Bailey, M. and Halderman, J.A. Analysis of the HTTPS certificate ecosystem. In Proceedings of the Internet Measurement Conference, 2013.
8. Eckersley, P. Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get? Electronic Frontier Foundation, 2011; https://www.eff.org/deeplinks/2011/03/iranianhackers-obtain-fraudulent-https.
9. ENISA. Operation Black Tulip: Certificate Authorities lose authority, version 2 (Dec. 2011); http://www.enisa.europa.eu/media/news-items/operation-black-tulip
10. European Union. Electronic identification and trust services for electronic transactions in the internal market. Amended proposal, 2014; 2012/0146(COD), A7-0365/201; http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0282#title3
11. Florencio, D. and Herley, C. Where do all the attacks go? Workshop on Economics of Information Security (2011); http://research.microsoft.com/pubs/149885/WhereDoAllTheAttacksGo.pdf.
12. Fox-IT. DigiNotar Certificate Authority breach (Sept. 5, 2011); http://www.rijksoverheid.nl/documenten-enpublicaties/rapporten/2011/09/05/diginotar-publicreport-version-1.html.
13. Fox-IT. Black Tulip-Report of the investigation into the DigiNotar Certificate Authority breach; http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2012/08/13/black-tulip-update.html.
14. InfoSecurity. Comodo admits two more registration authorities hacked, 2011; http://www.infosecuritymagazine.com/view/16986/comodo-admits-twomore-registration-authorities-hacked.
15. Kelkman, O.M. DNSSEC Musings: DigiNotar, DANE and Deployment. NLnet Labs, 2013; http://conference.apnic.net/-data/assets/pdf-file/0005/58901/dnssecdiginotar-dane-1361864377.pdf.
16. Langley, A. Certificate Transparency. ImperialViolet; http://www.imperialviolet.org/2012/11/06/certtrans.html.
17. Langley, A. Real World Crypto 2013. ImperialViolet; http://www.imperialviolet.org/2013/01/13/rwc03.html.
18. Mills, E. Google users in Iran targeted in SSL spoof. CNET (Aug. 30, 2011); http://news.cnet.com/8301-27080-3-20099421-245/google-users-in-irantargeted-in-ssl-spoof/.
19. Mozilla. Mozilla CA certificate policy, version 2.1 (Feb. 14, 2013); http://www.mozilla.org/projects/security/certs/policy/.
20. Roosa, S.B., Schultze, S. The "Certificate Authority" trust model for SSL: a defective foundation for encrypted Web traffic and a legal quagmire. Intellectual Property & Technology Law Journal 22. 11 (2010), 3.
21. Roosa, S.B. and Schultze, S. Trust Darknet: control and compromise in the Internet's Certificate Authority Model, 2013; http://ssrn.com/abstract=2249042.
22. Shapiro, C. and Varian, H. Information Rules. Harvard Business School Press, 1998.
23. Soghoian, C. and Stamm, S. Certified lies: detecting and defeating government interception attacks against SSL. In Financial Cryptography and Data Security. Springer, 2012, 250-259.
24. Trustworthy Internet Movement. SSL-Pulse. Survey of the SSL implementation of the most popular websites, 2014; https://www.trustworthyinternet.org/ssl-pulse/.
25. Vratonjic, N., Freudiger, J., Bindschaedler, V. and Hubaux, J.-P. The inconvenient truth about Web certificates. In Proceedings of the Workshop on Economics of Information Security, 2011.