论文信息 - Analyzing Proposals for Improving Authentication on the TLS/SSL-Protected Web

Analyzing Proposals for Improving Authentication on the TLS/SSL-Protected Web

“Secure” web browsing with HTTPS uses TLS/SSL and X.509 certificates to provide authenticated, confidential communication between web clients and webservers. The authentication component of the system has a variety of weaknesses, which have led to a variety of proposals for improving the current environment. In this paper we survey, analyze, compare and contrast three prominent proposals. To do this, we attempt to systematically capture the properties one might require of such a system: authentication properties, forensics/privacy properties, usability properties, and pragmatic properties. Enumerating these properties is an important part of understanding these proposals and the nature of the authentication problem for the secure web. Finally, we offer a few conclusions and suggestions pertaining to these proposals, and possible future directions of research.

Christopher W. Brown | Michael Jenkins

[1] William E. Burr,et al. Recommendation for Key Management, Part 1: General (Revision 3) , 2006 .

[2] Cormac Herley,et al. So long, and no thanks for the externalities: the rational rejection of security advice by users , 2009, NSPW '09.

[3] Paul E. Hoffman,et al. The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA , 2012, RFC.

[4] Eric Rescorla,et al. The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[5] Adrian Perrig,et al. Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing , 2008, USENIX Annual Technical Conference.

[6] Lorrie Faith Cranor,et al. Crying Wolf: An Empirical Study of SSL Warning Effectiveness , 2009, USENIX Security Symposium.

[7] Moxie Marlinspike,et al. Trust Assertions for Certificate Keys , 2013 .

[8] Chris Palmer,et al. Public Key Pinning Extension for HTTP , 2015, RFC.

[9] Russ Housley,et al. Update to DirectoryString Processing in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2006, RFC.