A Hard Lesson: Assessing the HTTPS Deployment of Italian University Websites

In this paper we carry out a systematic analysis of the state of the HTTPS deployment of the most popular Italian university websites. Our analysis focuses on three key aspects: HTTPS adoption and activation, HTTPS certificates, and cryptographic TLS implementations. Our investigation shows that the current state of the HTTPS deployment is unsatisfactory, yet it is possible to significantly improve the level of security by working exclusively at the web application layer. We hope this observation will encourage site operators to take action to improve the current state of protection.